I did not manage to solve this one: after leaking the libc address I was stuck, so after the contest I went through the writeups from the stronger players to learn how it is done.
checksec
gdb-peda$ checksec
CANARY : ENABLED
FORTIFY : disabled
NX : ENABLED
PIE : ENABLED
RELRO : FULL
With PIE enabled, overwriting the GOT is not an option.
Vulnerability
The vulnerability is fairly obvious: an off-by-one that lets you write one extra byte past the buffer.
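To make the bug class concrete, here is an added illustration written for this explanation; it is not the challenge binary's code. The copy routines, the USABLE constant and the simulated chunk layout are constructed: a vulnerable copy writes the NUL terminator without re-checking capacity, so an input of exactly 88 bytes stores 89, and the 89th byte lands where glibc keeps the low byte of the next chunk's size field. The hardened version reserves one byte of the capacity for the terminator. The effect is observed in a flat byte array rather than on a real heap.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not the challenge code): USABLE mirrors the
 * challenge's largest allocation, 88 bytes. */
#define USABLE 88

/* Vulnerable pattern: the terminator is written after the loop without
 * re-checking capacity, so an input of exactly `cap` bytes stores cap+1. */
size_t copy_off_by_one(char *dst, size_t cap, const char *src)
{
    size_t i = 0;
    while (i < cap && src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';            /* bug: i may equal cap here */
    return i + 1;             /* bytes written, terminator included */
}

/* Hardened form: one byte of the capacity is reserved for the terminator. */
size_t copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t i = 0;
    if (cap == 0)
        return 0;
    while (i < cap - 1 && src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';            /* i <= cap - 1 is guaranteed */
    return i + 1;
}

/* Simulated heap slice: USABLE bytes of user data immediately followed by the
 * 8-byte size field of the next chunk, which is how glibc lays chunks out
 * for an 88-byte request. Returns the low byte of that size field after the
 * copy, so the extra byte is observable without touching a real heap. */
unsigned char next_size_low_byte_after_copy(int hardened)
{
    unsigned char region[USABLE + 8];
    char input[USABLE + 1];

    memset(region, 0, sizeof region);
    region[USABLE] = 0x61;    /* constructed: next chunk size 0x60 | PREV_INUSE */

    memset(input, 'A', USABLE); /* exactly USABLE bytes, no room for the NUL */
    input[USABLE] = '\0';

    if (hardened)
        copy_bounded((char *)region, USABLE, input);
    else
        copy_off_by_one((char *)region, USABLE, input);

    return region[USABLE];
}

int main(void)
{
    printf("vulnerable copy: next size low byte = 0x%02x\n",
           next_size_low_byte_after_copy(0));
    printf("bounded copy:    next size low byte = 0x%02x\n",
           next_size_low_byte_after_copy(1));
    return 0;
}
```

The vulnerable copy clears the low byte of the neighbouring size field (0x61 becomes 0x00), which is exactly the one-byte corruption the rest of this post builds on; the bounded copy leaves it untouched. In code review, the `dst[i] = '\0'` after a loop bounded by `i < cap` is the pattern to look for.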
Exploit
Using the off-by-one it is very easy to leak a heap address and a libc address; I will not go into the details here, see the writeup.
What comes after the leak?
Because the largest allocation we can request is 88 bytes, we cannot have a chunk allocated near malloc_hook directly. So we first modify mchunkptr top, the top chunk pointer, so that the next allocation lands near malloc_hook.
malloc_state, i.e. main_arena
struct malloc_state {
    /* Serialize access. */
    __libc_lock_define(, mutex);

    /* Flags (formerly in max_fast). */
    int flags;

    /* Fastbins */
    mfastbinptr fastbinsY[NFASTBINS];

    /* Base of the topmost chunk -- not otherwise kept in a bin */
    mchunkptr top;

    /* The remainder from the most recent split of a small request */
    mchunkptr last_remainder;

    /* Normal bins packed as described above */
    mchunkptr bins[NBINS * 2 - 2];

    /* Bitmap of bins, help to speed up the process of determinating if a given bin is definitely empty. */
    unsigned int binmap[BINMAPSIZE];

    /* Linked list, points to the next arena */
    struct malloc_state *next;

    /* Linked list for free arenas. Access to this field is serialized
       by free_list_lock in arena.c. */
    struct malloc_state *next_free;

    /* Number of threads attached to this arena. 0 if the arena is on
       the free list. Access to this field is serialized by
       free_list_lock in arena.c. */
    INTERNAL_SIZE_T attached_threads;

    /* Memory allocated from the system in this arena. */
    INTERNAL_SIZE_T system_mem;
    INTERNAL_SIZE_T max_system_mem;
};
A fastbin attack rewrites the top chunk pointer; after that, overwriting malloc_hook with a one_gadget is enough.