0ctf2018 babyheap

babyheap

exploit method:

  1. leak heap_addr
    • fastbin attack
    • off-by-one overlap: read the fd of a freed fast chunk through the chunk that overlaps it
  2. leak main_arena
    • unsorted bin attack (used here as a leak: free a non-fast chunk so its fd/bk point into main_arena)
    • off-by-one overlap: read that fd/bk through the overlapping chunk
    • main_arena = unsorted_bin_addr – offset
  3. leak libc_base
    • libc_base = main_arena – offset’
  4. fastbin attack to control top_chunk
    • overwrite the top_chunk pointer in main_arena so that it points to memory just before __malloc_hook
  5. allocate from the fake top chunk and overwrite __malloc_hook with a one_gadget address; the next malloc() jumps to it

leak

fastbin attack

  • singly linked list (only fd is used)
  • LIFO: the last chunk freed is the first one returned by malloc
  • structure
    sizeof(A/B/C) = 0x30 (chunk size, i.e. malloc(0x28)).
    free(A), free(B), free(C), then the 0x30 fastbin looks like this:
    head -> C
    C->fd = B
    B->fd = A
    A->fd = 0
    so the next three malloc(0x28) calls return C, B, A in that order, and a fd you can overwrite decides where the following allocation lands.

off-by-one overlap

  • chunks A, B, C are adjacent in memory
  • overflow A by one byte to overwrite the low byte of B's size field; B becomes a larger B' that overlaps C
  • inside C's data, build a fake chunk C' at B + SIZE(B') so that free(B') passes the "invalid next size" check
    condition: SIZE(B) + SIZE(C) = SIZE(B') + SIZE(C')

additional knowledge

  • on x86-64 chunk sizes are multiples of 0x10: a request of 0x?8 bytes gives a chunk of size 0x(?+1)0 (e.g. malloc(0x28) -> 0x30 chunk), because 8 bytes of size header are added and the result is rounded up to 16
  • when chunk A is the only chunk in the unsorted bin, A->fd = A->bk = address of the unsorted bin head, which lives inside main_arena (that is the value you leak)
  • main_arena – certain offset = libc_base
    run cat /proc/pid/maps in a shell or vmmap in peda to get libc_base, then offset = main_arena – libc_base; the offset is fixed for a given libc build, so compute it once locally against the challenge libc
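The three heap facts above (16-byte size rounding, fastbin LIFO order, and the SIZE(B)+SIZE(C) = SIZE(B')+SIZE(C') overlap condition) as an added example of my own, not code from the original writeup or the challenge. It does not call the real allocator: it writes glibc-style x86-64 chunk headers into a byte array so the arithmetic can be checked deterministically. The 0x30/0x30/0x80 chunk sizes, the heap size and the simplified "invalid next size" range check are this example's own constructions; real glibc performs additional checks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIZE_SZ          8           /* sizeof(size_t) on x86-64 */
#define MALLOC_ALIGNMENT 16
#define MIN_CHUNK_SIZE   32
#define PREV_INUSE       1
#define SIZE_BITS        7           /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define HEAP_SZ          0x1000      /* constructed fake heap size (assumption) */
#define SYSTEM_MEM       HEAP_SZ     /* stands in for av->system_mem */

static uint8_t heap[HEAP_SZ];        /* constructed fake heap; offsets play the role of addresses */
static size_t fastbin_head;          /* model of the 0x30 fastbin head in main_arena */
size_t chunk_a, chunk_b, chunk_c;    /* filled in by build_layout() */

/* glibc request2size on x86-64: malloc(0x28) -> 0x30, malloc(0x30) -> 0x40, malloc(8) -> 0x20 */
size_t request2size(size_t req) {
    size_t sz = (req + SIZE_SZ + MALLOC_ALIGNMENT - 1) & ~(size_t)(MALLOC_ALIGNMENT - 1);
    return sz < MIN_CHUNK_SIZE ? MIN_CHUNK_SIZE : sz;
}

static size_t *size_field(size_t chunk) { return (size_t *)(heap + chunk + SIZE_SZ); }
static size_t *fd_field(size_t chunk)   { return (size_t *)(heap + chunk + 2 * SIZE_SZ); }
size_t chunksize(size_t chunk)          { return *size_field(chunk) & ~(size_t)SIZE_BITS; }
size_t fastbin_fd(size_t chunk)         { return *fd_field(chunk); }

/* carve an in-use chunk of sz bytes at offset off; returns the offset of the following chunk */
size_t carve(size_t off, size_t sz) {
    *size_field(off) = sz | PREV_INUSE;
    return off + sz;
}

/* A, B, C adjacent as in the writeup: A and B are 0x30 chunks, C is 0x80, then a top-like chunk */
void build_layout(void) {
    memset(heap, 0, sizeof heap);
    fastbin_head = 0;
    chunk_a = 0x10;
    chunk_b = carve(chunk_a, request2size(0x28));
    chunk_c = carve(chunk_b, request2size(0x28));
    size_t top = carve(chunk_c, request2size(0x78));
    carve(top, 0x100);               /* gives C's own next-size check something sane to read */
}

/* fastbin free: push at the head, the chunk's fd becomes the old head (0 marks the end) */
void fastbin_free(size_t chunk) {
    *fd_field(chunk) = fastbin_head;
    fastbin_head = chunk;
}

/* free(A), free(B), free(C) in that order; returns the bin head, which is C because of LIFO */
size_t free_abc_head(void) {
    fastbin_free(chunk_a);
    fastbin_free(chunk_b);
    fastbin_free(chunk_c);
    return fastbin_head;
}

/* the "free(): invalid next size" range check _int_free applies to the chunk after p */
int next_size_ok(size_t p) {
    size_t next = p + chunksize(p);
    if (next + 2 * SIZE_SZ > HEAP_SZ) return 0;
    size_t raw = *size_field(next);
    return raw > 2 * SIZE_SZ && (raw & ~(size_t)SIZE_BITS) < SYSTEM_MEM;
}

/* Off-by-one overlap: the overflow byte from A lands on the low byte of B's size, turning B
 * into B' of new_b_size (which now overlaps C). If plant_fake is set, a fake chunk C' is
 * written at B + SIZE(B') with SIZE(C') = SIZE(B) + SIZE(C) - SIZE(B'); that is what makes
 * the next-size check pass. Returns the offset of C', or 0 if the sizes cannot work. */
size_t off_by_one_overlap(size_t b, size_t c, size_t new_b_size, int plant_fake) {
    size_t total = chunksize(b) + chunksize(c);          /* original SIZE(B) + SIZE(C) */
    if (new_b_size >= 0x100 || new_b_size + MIN_CHUNK_SIZE > total) return 0;
    ((uint8_t *)size_field(b))[0] = (uint8_t)(new_b_size | PREV_INUSE);  /* the one overflowed byte */
    size_t c_prime = b + new_b_size;
    if (plant_fake)
        *size_field(c_prime) = (total - new_b_size) | PREV_INUSE;
    return c_prime;
}

int main(void) {
    build_layout();
    printf("fastbin head after free(A),free(B),free(C): %#zx (C=%#zx)\n", free_abc_head(), chunk_c);
    printf("C->fd=%#zx B->fd=%#zx A->fd=%#zx\n", fastbin_fd(chunk_c), fastbin_fd(chunk_b), fastbin_fd(chunk_a));
    build_layout();
    off_by_one_overlap(chunk_b, chunk_c, 0x70, 0);
    printf("B'=0x70 without fake C': next size ok? %d\n", next_size_ok(chunk_b));
    build_layout();
    size_t c_prime = off_by_one_overlap(chunk_b, chunk_c, 0x70, 1);
    printf("B'=0x70 with fake C' at %#zx (size %#zx): next size ok? %d\n",
           c_prime, chunksize(c_prime), next_size_ok(chunk_b));
    return 0;
}
```

The second run shows why the fake chunk matters: with B' enlarged to 0x70 but nothing planted at B+0x70, free(B') would read a zero size field inside C's data and abort; with C' of size 0x40 planted there the sum stays 0xb0 and the free goes through, leaving B' overlapping the first 0x40 bytes of C.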

exp

Posted in Pwn
