# 6.1.9 pwn RHme3 Exploitation - [题目复现](#题目复现) - [题目解析](#题目解析) - [参考资料](#参考资料) [下载文件](../src/writeup/6.1.9_rhme3_exploitation) ## 题目复现 这个题目给出了二进制文件和 libc。 ``` $ file main.bin main.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ec9db5ec0b8ad99b3b9b1b3b57e5536d1c615c8e, not stripped $ checksec -f main.bin RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 10 main.bin ``` 64 位程序,保护措施除了 PIE 都开启了。 ## 题目解析 玩一下,一看就是堆利用的题目: ``` $ ./main.elf Welcome to your TeamManager (TM)! 0.- Exit 1.- Add player 2.- Remove player 3.- Select player 4.- Edit player 5.- Show player 6.- Show team Your choice: ``` 程序就是添加、删除、编辑和显示球员信息。但要注意的是在编辑和显示球员前,需要先选择球员,这一点很重要。 添加两个球员看看: ``` Your choice: 1 Found free slot: 0 Enter player name: aaaa Enter attack points: 1 Enter defense points: 2 Enter speed: 3 Enter precision: 4 0.- Exit 1.- Add player 2.- Remove player 3.- Select player 4.- Edit player 5.- Show player 6.- Show team Your choice: 1 Found free slot: 1 Enter player name: bbbb Enter attack points: 5 Enter defense points: 6 Enter speed: 7 Enter precision: 8 ``` 试着选中第一个球员,然后删除它: ``` Your choice: 3 Enter index: 0 Player selected! Name: aaaa A/D/S/P: 1,2,3,4 0.- Exit 1.- Add player 2.- Remove player 3.- Select player 4.- Edit player 5.- Show player 6.- Show team Your choice: 2 Enter index: 0 She's gone! ``` 接下来直接显示该球员信息: ``` Your choice: 5 Name: A/D/S/P: 29082240,0,3,4 0.- Exit 1.- Add player 2.- Remove player 3.- Select player 4.- Edit player 5.- Show player 6.- Show team Your choice: 6 Your team: Player 0 Name: bbbb A/D/S/P: 5,6,7,8 ``` 奇怪的事情发生了,程序没有提醒我们球员不存在,而是直接读取了内存中的信息。 于是我们猜测,程序在 free 球员时没有将 select 的值置空,导致了 use-after-free 的问题。关于 UAF 已经在前面的章节中讲过了。 #### Exploit 完整的 exp 如下: ```python ``` ## 参考资料 - [Exploitation](https://ctftime.org/task/4528)