0ctf2018 babyheap思路简析

这题没写出来,泄露完libc地址就陷入迷茫,赛后赶紧看大佬们的writeup学习了一下.

checksec

gdb-peda$ checksec
CANARY : ENABLED
FORTIFY : disabled
NX : ENABLED
PIE : ENABLED
RELRO : FULL

PIE开了,就不用想着写Got表了

Vulnerability

漏洞还是挺明显的,off by one,可以多写一个字节

Exploit

通过利用off by one,非常容易泄露堆地址与libc地址,这里就不细说,详情看writeup
泄露完以后呢?
因为我们最大分配88个字节的空间,不能直接把chunk分配在malloc_hook附近,所以我们要先通过修改mchunkptr top,也就是topchunk指针,使其下次分配在malloc_hook附近

malloc_state 即main_arena

struct malloc_state {
    /* Serialize access.  */
    __libc_lock_define(, mutex);

    /* Flags (formerly in max_fast).  */
    int flags;

    /* Fastbins */
    mfastbinptr fastbinsY[ NFASTBINS ];

    /* Base of the topmost chunk -- not otherwise kept in a bin */
    mchunkptr top;

    /* The remainder from the most recent split of a small request */
    mchunkptr last_remainder;

    /* Normal bins packed as described above */
    mchunkptr bins[ NBINS * 2 - 2 ];

    /* Bitmap of bins, help to speed up the process of determinating if a given bin is definitely empty.*/
    unsigned int binmap[ BINMAPSIZE ];

    /* Linked list, points to the next arena */
    struct malloc_state *next;

    /* Linked list for free arenas.  Access to this field is serialized
       by free_list_lock in arena.c.  */
    struct malloc_state *next_free;

    /* Number of threads attached to this arena.  0 if the arena is on
       the free list.  Access to this field is serialized by
       free_list_lock in arena.c.  */
    INTERNAL_SIZE_T attached_threads;

    /* Memory allocated from the system in this arena.  */
    INTERNAL_SIZE_T system_mem;
    INTERNAL_SIZE_T max_system_mem;
};

fastbin attack修改topchunk指针,再用one_gadaget覆盖malloc_hook即可

友情链接

0ctf2018 babyheap writeup
0ctf quals: babyheap Writeup

发表评论

This site uses Akismet to reduce spam. Learn how your comment data is processed.