tags: 程安

CS 2019 Fall - Homework 0x08

[0x08] EDU 2019 election

• 先 checksec : 不意外的全開
• 關鍵點
  • Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →
    • 位置︰main()
    • 可以利用這邊來猜出 canary 和__libc_csu_init的 address
      • 避免__stack_chk_fail和推算出 PIE base address
    • 同時buf位於 data segment，可以作為之後要 stack migration 的地方
  • Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →
    • 位置︰voting()
    • candidates.votes為uint8_t，最大值為 255
    • 在votes = 255時，覆蓋old rbp和return address來進行 stack migration
• 其他細節
  • 由於我們一開始只有 PIE base address，所以我們還要再 leak libc base address
  • 拿到 libc base address 之後，我們要找一個地方寫我們最後的one_gadget，然後再 migrate 過去。但這裡會遇到一個問題，如果要用read()，就需要一個能控制rdx的 gadget，這時候就需要用到ret2csu
  • payload︰
    Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →

[0x08] Note++

• off by one
  • Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →
  • 這裡的scanf會自動多一個'\0'在description的後面
    可以把下一個notes的is_freed蓋成false
• 只能用 fastbin
  • Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →
  • 這邊被限制大小了QQ
  • 但為了拿到 libc base address，我們必須要想辦法弄到一塊不歸類為 fastbin 的 chunk 然後 uaf 他來 leak address

流程

• 因為只能用 fastbin，所以先想辦法弄出 heap address，之後想辦法 heap overlap
  • 弄成下面的樣子之後就可以藉由list()來 leak C 的位置，反推出 heap base address。順便把notes[1]弄成is_freed = 0等等會用來 double free B
    Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →
• 捏造一個可以拿來 free 掉而且會進 unsorted bin 的 chunk
  • 先用 fastbin attack，捏造一個歪掉的 chunk 用來改寫別的 chunk 的 header
    Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →
  • 中途拿到 A 的時候順手幫 A+0x10 捏造 size，拿到 C 的時候也要準備一下等等用來 bypass security check (這個 C 的拿法要用 double free 的方式再拿回來，因為他原本已經從 fastbin list 上消失了)
    Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →
  • 拿到 A+0x10，並在最後 16bytes 與 B header 重疊的部份串改 B 的 size 成 0x90。再多要一塊 D 來確保等等 free B 的時候不會被 check 到
    Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →
  • 前面準備工作都做好後就可以 free B 來 leak libc base address 了！
    Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →
• 後面就是跟[lab] Note一樣去把__malloc_hook改成 one_gadget
  • 但很可惜的，沒有一個 one_gadget 可以用。
    那就試著像上課的時候一樣，在free()噴錯的時候觸發 one_gadget
    因為 heap 已經被我搞亂，我就 free 掉一個會壞掉的 chunk 來試試
    結果就 get shell 了 XD