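# Babyheap

* A global `long long` stores the chunk address and a `uint` stores the chunk size
* `malloc` 0x18 an unlimited number of times, but the chunk address is not stored, so it cannot be freed
* `calloc` 0x78 ~ 0x408, 0xa0 times
* delete 0x8 times
* show 0x2 times
* edit 0x1 time
  > can only do a fastbin attack one time
* Chain up the fastbins with some magic method, then consolidate

basic tools

```python
from pwn import *

# r = remote('eofqual.zoolab.org', 10103)
r = process('./babyheap')

# Menu helpers: each one waits for the prompt, then sends the option letter.
def create(size, data):
    # 'C': allocate a chunk of the given size and fill it with data
    r.sendafter(b'choice : ', b'C')
    r.sendlineafter(b'Size : ', str(size).encode())
    r.sendlineafter(b'Data : ', data)

def show():
    # 'S': print the chunk; drop the trailing 3 bytes up to the '==' separator
    r.sendafter(b'choice : ', b'S')
    return r.recvuntil(b'==')[:-3]

def edit(data):
    # 'E': overwrite the chunk contents
    r.sendafter(b'choice : ', b'E')
    r.sendlineafter(b'Data : ', data)

def delete():
    # 'D': free the chunk
    r.sendafter(b'choice : ', b'D')

def ultra(data):
    # 'U': menu option that only takes data
    r.sendafter(b'choice : ', b'U')
    r.sendlineafter(b'Data : ', data)

def padz(size):
    # size bytes of zero padding
    return b'\x00' * size

create(0x78, b'abcdef')
print(show())
edit(b'ghij')
delete()
print(show())

r.interactive()
```

###### tags: `unsolved`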