UAF

USE AFTER FREE

简单理解就是free指针之后没有置为0，在某些情况下会造成uaf的漏洞，正如下面的例子。

#include <stdio.h>
#include <stdlib.h>
typedef struct name {
  char *myname;
  void (*func)(char *str);
} NAME;
void myprint(char *str) { printf("%s\n", str); }
void printmyname() { printf("call print my name\n"); }
int main() {
  NAME *a;
  a = (NAME *)malloc(sizeof(struct name));
  a->func = myprint;
  a->myname = "I can also use it";
  a->func("this is my function");
  // free without modify
  free(a);
  a->func("I can also use it");// 指针未置空
  // free with modify
  a->func = printmyname;
  a->func("this is my function");
  // set NULL
  a = NULL;
  printf("this pogram will crash...\n");
  a->func("can not be printed...");// 报错，指针已置空
}

调试hacknote

echo 0 > /proc/sys/kernel/randomize_va_space

hacker@ubuntu:~/Desktop$ checksec hacknote
[*] '/home/hacker/Desktop/hacknote'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)  # 加载基址，调试用

pwndbg>  b *0x080486CA
Breakpoint 1 at 0x80486ca
pwndbg>  b *0x0804875C
Breakpoint 2 at 0x804875c
pwndbg>  b *0x08048893
Breakpoint 3 at 0x8048893
pwndbg>  b *0x080488A9
Breakpoint 4 at 0x80488a9

由于调试的libc版本与ctf wiki不同，所以没有预期释放到fastbin中

 cp /glibc/2.23/32/lib/ld-2.23.so /tmp/ld-2.23.so
 patchelf --set-interpreter /tmp/ld-2.23.so /ctf/work/hacknote

root@--name:/glibc/2.23/32/lib# cp /glibc/2.23/32/lib/libc-2.23.so /tmp/libc-2.23.so

root@--name:/ctf/work# patchelf --replace-needed libc.so.6 /tmp/libc-2.23.so /ctf/work/axb_2019_fmt32

https://blog.csdn.net/qq_39563369/article/details/103950922
https://www.cnblogs.com/bhxdn/p/14541441.html
https://www.icode9.com/content-4-1060845.html
https://ohmygodlin.github.io/ctf/bin/2018/06/28/堆漏洞利用/