Posted on | Edited on | In |

本文主要介绍ptmalloc3中关键的数据结构以及 mallocfree函数的执行过程。

malloc_state

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
struct malloc_state {
    /* Serialize access.  */
    mutex_t mutex;

    /* Flags (formerly in max_fast). */
    int flags;

    #if THREAD_STATS
        /* Statistics for locking. Only used if THREAD_STATS is defined. */
        long stat_lock_direct, stat_lock_loop, stat_lock_wait;
    #endif

    /* Fastbins */
    mfastbinptr fastbinsY[NFASTBINS];

    /* Base of the topmost chunk -- not otherwise kept in a bin */
    mchunkptr        top;

    /* The remainder from the most recent split of a small request */
    mchunkptr last_remainder;

    /* Normal bins packed as described above */
    mchunkptr        bins[NBINS * 2 - 2];

    /* Bitmap of bins */
    unsigned int binmap[BINMAPSIZE];

    /* Linked list */
    struct malloc_state *next;

    #ifdef PER_THREAD
        /* Linked list for free arenas. */
        struct malloc_state *next_free;
    #endif

    /* Memory allocated from the system in this arena. */
    INTERNAL_SIZE_T system_mem;
    INTERNAL_SIZE_T max_system_mem;
};
Read more »

Posted on | Edited on | In |

在ctf比赛中,有时调试一个pwn题目,发现直到调用system函数、传参时都是对的,但是system函数会执行失败,就是无法拿到shell,在这里总结了一下可能的原因:

  1. 在调用system函数时,esp指针指向的区域前面不存在一定空间的可写数据区,原因是在函数执行过程中,会维护自己的栈帧(sub esp, xxxx) —— fake frame时需要注意,会触发__libc_sigaction错误,fault address
    Read more »

Posted on | Edited on | In |

1. 介绍

一个基于phusion/baseimage的docker容器,用于ctf中的Pwn类题目

2. 使用

1
2
3
4
5
6
7
8
docker run  -it \
            --rm \
            -h ${ctf_name} \
            --name ${ctf_name} \
            -v $(pwd)/${ctf_name}:/ctf/work \
            -p 23946:23946 \
            --cap-add=SYS_PTRACE \
            skysider/pwndocker
Read more »

Posted on | Edited on | In |
确定偏移 利用pwntools提供的FmtStr(exec_fmt),获取offset 读/写栈上数据 读:计算出要读的地址是第xxx个不定参数,然后利用%xxx$x 读取(x-十六进制读,lx长整读取(64位)) 写:首先泄露栈上rbp的值,然后根据rbp与返回地址之间的差值,得出返回地址所在的 ...
Read more »