Of the films I watched last month, I can't remember much beyond Tony Stark's "Love you 3000"; in the face of nostalgia, every other plot point became a minor detail.
This is a challenge from *CTF 2019 last weekend, a great CTF from the sixstar team. For this particular challenge, you can find at least 3 available writeups (besides this one): the official writeup here, one from shift-crops, and one from the Balsn team.
I analyzed all three writeups and personally appreciated the one from Japanese player shift-crops the best. So the following paragraphs will focus on his method and try to clarify some glibc heap attack concepts he used.
The official writeup and shift-crops' writeup both explain the reversing process well, so I'll skip that part here. The exploit relies heavily on the unsorted bin attack, and here is a brief description of this technique.
Unsorted bin Attack
With the unsorted bin attack, one can write the pointer 0x7ffff7dd1b58 (main_arena+88) to an arbitrary address. In this challenge, we cannot write anything on the heap directly and we have no provided function to leak addresses, so the very first step is using the unsorted bin attack to overwrite something around main_arena.
I copied the exploit from shift-crops, refactored it a bit and added some comments, separating the whole exploit into 6 parts.
from pwn import *
After trying the exploit, some questions popped up in my head:
- Why do we need to change
unsorted bin attack?
- Why does overwriting _IO_2_1_STDOUT->write_base leak so many addresses?
- How does
To answer this question, I removed Part 1 from the exploit and tried to perform consecutive unsorted bin attacks with the following script:
## PART2: overwrite _IO_2_1_stdout_->_IO_read_end to main_arena+88
It threw a memory corruption error like:
*** Error in `./heap_master1': malloc(): memory corruption: 0x00007ffff7dd2610 ***
The arena looks like:
Tracing down the source code of malloc, the error is thrown at malloc.c:3405 (version: glibc 2.24).
If we print the variable victim, it is 0x7ffff7dd2600, which means unsorted_chunks(av)->bk extracts the value of bins here; for sure this address cannot pass the check.
The workaround is to use the fastbin-freeing mechanism to help us fix the arena. The source is located at
With global_max_fast overwritten with a large value, the fake chunk will be treated as a fastbin chunk, and this line of code helps us write the bin to the fake chunk address. BTW, I patched the string
prog_init, so for each run we can have the same mmap address. After fixing the bin, we can perform the unsorted bin attack on the same fake chunk again.
As a conclusion, if you somehow want to perform the unsorted bin attack on the same chunk many times, you should first use the unsorted bin attack to overwrite global_max_fast, and then free the fake chunk as a fastbin chunk to fix the arena before each unsorted bin attack.
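The sequence described above (attack, "memory corruption" on the repeat, fastbin-free repair, repeat succeeds), as an added C model that is neither the page's code nor glibc's own: the arena and chunk structs, the fake chunk, the padded libc-globals layout and the offsets are constructed assumptions mirroring glibc 2.24, and the hardened flag models the bck->fd == victim check that glibc 2.28 and later add, which rejects the primitive.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model (not glibc code) of the 2.24 pieces the text walks through. Arena
 * offsets mirror main_arena: fastbinsY[] at +8, bins[] at +104, so bin_at(av,1) is +88. */
typedef struct chunk { size_t prev_size, size; struct chunk *fd, *bk; } chunk;
typedef struct { uint32_t mutex, flags; chunk *fastbinsY[10]; chunk *top, *last_remainder;
                 chunk *bins[4]; size_t system_mem; } arena;
/* libc globals: global_max_fast padded so the bogus "chunk" left in the bin stays readable. */
static struct { size_t before[2], global_max_fast, after[2]; } libc_data;
#define UNSORTED(av) ((chunk *)((char *)&(av)->bins[0] - offsetof(chunk, fd)))
static uintptr_t ld(const void *a) { uintptr_t v; memcpy(&v, a, sizeof v); return v; }
static void st(void *a, uintptr_t v) { memcpy(a, &v, sizeof v); }
/* Unsorted-bin unlink from _int_malloc: the size check (malloc.c:3405 in 2.24), then
 * bck->fd = unsorted_chunks(av). 1 = bin empty, -1 = "memory corruption", -2 = 2.28 check. */
static int unsorted_take(arena *av, int hardened, chunk **out) {
    chunk *victim = (chunk *)ld(&UNSORTED(av)->bk);
    if (victim == UNSORTED(av)) return 1;
    uintptr_t bck = ld(&victim->bk), size = ld(&victim->size);
    if (size <= 2 * sizeof(size_t) || size > av->system_mem) return -1;
    char *bck_fd = (char *)bck + offsetof(chunk, fd);   /* the attack's target word */
    if (hardened && ld(bck_fd) != (uintptr_t)victim) return -2;
    st(&UNSORTED(av)->bk, bck);              /* bin's bk now points at the bogus chunk */
    st(bck_fd, (uintptr_t)UNSORTED(av));     /* the unsorted bin attack write */
    *out = victim; return 0;
}
/* Fastbin path of _int_free: idx is never bounded by the fastbinsY[] length, so once
 * global_max_fast is huge a 0xF0 chunk lands on index 13 == bins[1] == unsorted bk. */
static int fastbin_free(arena *av, chunk *p) {
    uintptr_t size = ld(&p->size); if (size > libc_data.global_max_fast) return -1;
    char *fb = (char *)av + offsetof(arena, fastbinsY) + ((size >> 4) - 2) * sizeof(chunk *);
    st(&p->fd, ld(fb));                      /* p->fd = old head */
    st(fb, (uintptr_t)p); return 0;          /* *fb = p: rewrites unsorted bk */
}
/* The page's sequence; each int field holds that step's return value. */
typedef struct { int first, second_unfixed, fix, second_fixed; uintptr_t unsorted, gmf, target2; } trace;
static trace run_scenario(int hardened) {
    static arena av; static chunk fake; trace t = {0}; chunk *v;   /* fake chunk at a known address */
    memset(&av, 0, sizeof av); av.system_mem = 0x21000; t.unsorted = (uintptr_t)UNSORTED(&av);
    memset(&libc_data, 0, sizeof libc_data); libc_data.global_max_fast = 0x80;
    fake.size = 0xF0; fake.fd = UNSORTED(&av);
    fake.bk = (chunk *)((char *)&libc_data.global_max_fast - offsetof(chunk, fd));
    st(&UNSORTED(&av)->fd, (uintptr_t)&fake); st(&UNSORTED(&av)->bk, (uintptr_t)&fake);
    t.first = unsorted_take(&av, hardened, &v);            /* #1 -> global_max_fast */
    fake.bk = (chunk *)((char *)&libc_data.after[1] - offsetof(chunk, fd));
    t.second_unfixed = unsorted_take(&av, hardened, &v);   /* victim is the bogus chunk */
    t.fix = fastbin_free(&av, &fake);                      /* unsorted bk = &fake again */
    t.second_fixed = unsorted_take(&av, hardened, &v);     /* #2 -> after[1] */
    t.gmf = libc_data.global_max_fast; t.target2 = libc_data.after[1]; return t;
}
```

With hardened set, the first attack already fails the bck->fd check and global_max_fast keeps its default, so the fastbin repair never applies.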
When printf is called, it eventually calls _IO_file_xsputn and then
When we overwrite _IO_2_1_stdout_->read_end == _IO_2_1_stdout == main_arena+88, it hits line 22, which is the exact line that dumps stuff to stdout,
main_arena+88 here and
0xb2b. Since there are plenty of juicy addresses around main_arena, with this leak we can defeat ASLR and even get a stack address.
I used to consider the unsorted bin attack a kind of weak attack primitive, but it turns out to be super powerful with the FSOP technique. This challenge is a good example of using multiple unsorted bin attacks to perform FSOP and hijack control flow.