STILL LOVE PWN AND EXPLOIT
aeiou
vuln
It seems like a heap problem, but there is no loop in main function. We can only do action on time. When look into the programe, I find that there is a stack overflow in teach number function which address is 0x4013aa. The buff is only 0x1000, but we can input 0x10000. Obviously, it is a stack overflow vuln.
exploit
How to get the shell? First, check the security mechanism:
1 | gdb-peda$ checksec |
As we can see, the canary is opened. We can’t just overwrite the return address directly, for there is the canary protection.
How to figure out the problem? Back to the programe, i find that the function is in a thread which is made by pthread_create
. It is a little wired, i think it may be the key.
After searching in the internet, i found a technique to bypass canary. when a thread is created by pthread_create
function, to ensure the thread has its own stack, process will use TLS
to store the variable and things. So the stack
is belonged to thread itself(TLS
), and is created by mmap
function. Canary is also under the stack,which is the stack_guard
in the tcbhead_t
struct.
1 | typedef struct |
So the way we bypass the canary is that we input long buff and it will finaly overwrite the canary. With this way, we can do ROP attack easily. The full exp link is shown at the bottom.
god-the-reum
vuln
the vuln is obvious, which is a uaf
in withdraw
function in 0xF2E
. The funtion free the heap pointer but does not clean the value of pointer, we can still use the pointer to do anything such as leaking.
expolit
first, check the security mechanism:
1 | gdb-peda$ checksec |
one thing we need to care is that this programe is run under the libc 2.27
, which os is ubuntu 18.4. there is tcache
in libc 2.27
.
next, we need to leak heap address, we can use withdraw
funtion to free a chunk to tcache
, and then use uaf
vuln (withdraw
again) to free the same chunk(there is no check in tcache
), then we can use show
to leak the address of heap.
How to leak libc address? after leak the heap address, we can know the money we need to substract, so we can free the same chunk 7 times and the chunk will be put into unsorted bin
. Then we can use show
function to leak the libc address.
Now we get all the address we need, so we can use developer
function to overwrite the tcache chain to get the memory which address is __free_hook
, then we write one gadget
address into __free_hook
.
Finally, get the shell.
maris_shop
vuln
There is a uaf
vuln. We can first create 16 carts. And when we buy all the carts, it will free all the carts but just set 15 carts pointer and leave the last ont unclean. That’s the pointer we can use to leak address and exploit.
expolit
first, check the security mechanism:
1 | gdb-peda$ checksec |
There is a small trick to bypass money check
, which is we can use 0 amount
.
The whole process is shown as below:
- we create 16 carts.
- we by all the carts, the programe will free all the pointer and leave the 15th pointer unclean.
- we show the 15th pointer and leak the address of libc.
- we add the 15th carts and make unsorted bin attack, which overwrite
stdin->_IO_buf_end
to point tomain_arena
. - we call fgets will overwrite the
stdin->vtable
, address of which containsone gadgets
. - get shell
conclusion
all the exp is in my github