preparation_4_binattacks

文章发布时间:

2023-08-28

最后更新时间:

2023-08-29

写了段代码来gank接下来的堆,之后几篇文章都用这作为二进制文件基础

//gcc 2heap.c  -no-pie -o 2heap
#include<stdio.h>
#include<stdlib.h>
int chunk_time =0;
int chunk_size[50];
char *chunk_ptr[50];
void init(){
    setvbuf(stdout, 0, 2, 0);
    setvbuf(stdin, 0, 2, 0);
}
void menu(){
    puts("what u want to do next?");
    puts("1. Build a house");
	puts("2. Delete a house");
	puts("3. Edit your house");
	puts("4. Show your house");
    puts(">");
}
void add(){
    char size[20];
    if(chunk_time<=32&&chunk_time>=0){
        if(!chunk_ptr[chunk_time]){
        printf("You have built %d houses in my world\n",chunk_time);
        puts("You can customize the size of house here, but what about your life");
        read(0,size,0x8);
        chunk_size[chunk_time] = atoi(size);
		chunk_ptr[chunk_time] = malloc(chunk_size[chunk_time]);
		puts("add something to your house");
        read(0,chunk_ptr[chunk_time],chunk_size[chunk_time]);
        chunk_time++;
        }else{
            puts("something wrong,but you can come in any time");
            exit(0);
        }
    }else{
        
        puts("something wrong,but you can come in any time");
        exit(0);
    }
}
void delete(){
    int index;
    puts("I won't set the pointer to zero");
    puts("every decision you made is meaningful");
    scanf("%d",&index);
    free(chunk_ptr[index]);
}
void edit(){
    int index;
    puts("something wrong?");
    puts("It's never too late to make changes");
    scanf("%d",&index);
    puts("something interesting here");
    read(0,&chunk_size[index],0x8);
    puts("Nice choice!");
    puts("Now add something");
    read(0,chunk_ptr[index],chunk_size[index]);
    puts("ok\n");
}
void show(){
    puts("Nothing is perfect,but you can make something different");
    puts("Let's see what you can do");
    int index;
    scanf("%d",&index);
    puts(chunk_ptr[index]);
}

int main(){
    int choice;
    init();
    puts("This program is used to explore something about heap");
    puts("written by str1k3");
    puts("Welcome to my world!");
    puts("In my world,you can build up some houses");
    
    while(1){
        menu();
        scanf("%d",&choice);
        switch(choice){
            case 1:
                add();
                break;
            case 2:
                delete();
                break;
            case 3:
                edit();
                break;
            case 4:
                show();
                break;
            case 5:
                puts("ready to exit?");
                puts("back to your life!");
                exit(0);
                break;
        }
    }
}

其实人生，并非虚耗。何来尘埃飞舞？ ——陈奕迅《沙龙》

扔个测试脚本在这里先

from struct import pack
from ctypes import *
from LibcSearcher import *
from pwn import *

def debug():
    gdb.attach(p)
    pause()
def get_addr():
    return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))

context(os='linux', arch='amd64', log_level='debug')
p = process("./2heap")
elf = ELF("./2heap")
#libc = ELF("./libc-2.23.so")
context(os='linux', arch='amd64', log_level='debug')

def debug():
    gdb.attach(p)
    pause()
def get_addr():
    return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))

def add(size,payload):
    p.recvuntil(">")
    p.sendline(b'1')
    p.recvuntil("You can customize the size of house here, but what about your life")
    p.sendline(str(size))
    p.recvuntil("add something to your house")
    p.send(payload)

def delete(index):
    p.recvuntil(">")
    p.sendline(b'2')
    p.recvuntil("I won't set the pointer to zero, every decision you made,is meaningful.")
    p.sendline(str(index))

def edit(index,size,payload):
    p.recvuntil(">")
    p.sendline(b'3')
    p.recvuntil("It's never too late to make changes.")
    p.sendline(str(index))
    p.recvuntil("something interesting here")
    p.sendline(str(size))
    p.recvuntil("Nice choice!")
    p.send(payload)

def show(index):
    p.recvuntil(">")
    p.sendline(b'4')
    p.recvuntil("Let's see what you can do")
    p.sendline(str(index))

≡