authorBrett Weiland <techcrazybsw@gmail.com>2021-01-04 16:32:01 -0600
committerBrett Weiland <techcrazybsw@gmail.com>2021-01-04 16:32:01 -0600
commitba02c1bd6981675aaf5a0b6cddb7457e53d5eed1 (patch)
tree6eebe4d41d877fcc7cc60a32873d34a143ecfe41 /HeapLAB/malloc_testbed
new file: HeapLAB+Bible.pdf
new file: HeapLAB/.glibc/glibc_2.23/ld-2.23.so new file: HeapLAB/.glibc/glibc_2.23/ld.so.2 new file: HeapLAB/.glibc/glibc_2.23/libc-2.23.so new file: HeapLAB/.glibc/glibc_2.23/libc.so.6 new file: HeapLAB/.glibc/glibc_2.23/libio/genops.c new file: HeapLAB/.glibc/glibc_2.23/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.23_unsafe-unlink/ld-2.23.so new file: HeapLAB/.glibc/glibc_2.23_unsafe-unlink/ld.so.2 new file: HeapLAB/.glibc/glibc_2.23_unsafe-unlink/libc-2.23.so new file: HeapLAB/.glibc/glibc_2.23_unsafe-unlink/libc.so.6 new file: HeapLAB/.glibc/glibc_2.23_unsafe-unlink/libio/genops.c new file: HeapLAB/.glibc/glibc_2.23_unsafe-unlink/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.24/ld-2.24.so new file: HeapLAB/.glibc/glibc_2.24/ld.so.2 new file: HeapLAB/.glibc/glibc_2.24/libc-2.24.so new file: HeapLAB/.glibc/glibc_2.24/libc.so.6 new file: HeapLAB/.glibc/glibc_2.24/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.25/ld-2.25.so new file: HeapLAB/.glibc/glibc_2.25/ld.so.2 new file: HeapLAB/.glibc/glibc_2.25/libc-2.25.so new file: HeapLAB/.glibc/glibc_2.25/libc.so.6 new file: HeapLAB/.glibc/glibc_2.25/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.26/ld-2.26.so new file: HeapLAB/.glibc/glibc_2.26/ld.so.2 new file: HeapLAB/.glibc/glibc_2.26/libc-2.26.so new file: HeapLAB/.glibc/glibc_2.26/libc.so.6 new file: HeapLAB/.glibc/glibc_2.26/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.26_no-tcache/ld-2.26.so new file: HeapLAB/.glibc/glibc_2.26_no-tcache/ld.so.2 new file: HeapLAB/.glibc/glibc_2.26_no-tcache/libc-2.26.so new file: HeapLAB/.glibc/glibc_2.26_no-tcache/libc.so.6 new file: HeapLAB/.glibc/glibc_2.26_no-tcache/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.27/ld-2.27.so new file: HeapLAB/.glibc/glibc_2.27/ld.so.2 new file: HeapLAB/.glibc/glibc_2.27/libc-2.27.so new file: HeapLAB/.glibc/glibc_2.27/libc.so.6 new file: HeapLAB/.glibc/glibc_2.27/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.27_no-tcache/ld-2.27.so new file: 
HeapLAB/.glibc/glibc_2.27_no-tcache/ld.so.2 new file: HeapLAB/.glibc/glibc_2.27_no-tcache/libc-2.27.so new file: HeapLAB/.glibc/glibc_2.27_no-tcache/libc.so.6 new file: HeapLAB/.glibc/glibc_2.27_no-tcache/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.27_ubuntu1804/.debug/ld-2.27.so new file: HeapLAB/.glibc/glibc_2.27_ubuntu1804/.debug/libc-2.27.so new file: HeapLAB/.glibc/glibc_2.27_ubuntu1804/ld-2.27.so new file: HeapLAB/.glibc/glibc_2.27_ubuntu1804/ld.so.2 new file: HeapLAB/.glibc/glibc_2.27_ubuntu1804/libc-2.27.so new file: HeapLAB/.glibc/glibc_2.27_ubuntu1804/libc.so.6 new file: HeapLAB/.glibc/glibc_2.28/ld-2.28.so new file: HeapLAB/.glibc/glibc_2.28/ld.so.2 new file: HeapLAB/.glibc/glibc_2.28/libc-2.28.so new file: HeapLAB/.glibc/glibc_2.28/libc.so.6 new file: HeapLAB/.glibc/glibc_2.28/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.28_no-tcache/ld-2.28.so new file: HeapLAB/.glibc/glibc_2.28_no-tcache/ld.so.2 new file: HeapLAB/.glibc/glibc_2.28_no-tcache/libc-2.28.so new file: HeapLAB/.glibc/glibc_2.28_no-tcache/libc.so.6 new file: HeapLAB/.glibc/glibc_2.28_no-tcache/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.29/ld-2.29.so new file: HeapLAB/.glibc/glibc_2.29/ld.so.2 new file: HeapLAB/.glibc/glibc_2.29/libc-2.29.so new file: HeapLAB/.glibc/glibc_2.29/libc.so.6 new file: HeapLAB/.glibc/glibc_2.29/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.29_no-tcache/ld-2.29.so new file: HeapLAB/.glibc/glibc_2.29_no-tcache/ld.so.2 new file: HeapLAB/.glibc/glibc_2.29_no-tcache/libc-2.29.so new file: HeapLAB/.glibc/glibc_2.29_no-tcache/libc.so.6 new file: HeapLAB/.glibc/glibc_2.29_no-tcache/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.29_ubuntu1904/.debug/ld-2.29.so new file: HeapLAB/.glibc/glibc_2.29_ubuntu1904/.debug/libc-2.29.so new file: HeapLAB/.glibc/glibc_2.29_ubuntu1904/ld-2.29.so new file: HeapLAB/.glibc/glibc_2.29_ubuntu1904/ld.so.2 new file: HeapLAB/.glibc/glibc_2.29_ubuntu1904/libc-2.29.so new file: HeapLAB/.glibc/glibc_2.29_ubuntu1904/libc.so.6 
new file: HeapLAB/.glibc/glibc_2.30/ld-2.30.so new file: HeapLAB/.glibc/glibc_2.30/ld.so.2 new file: HeapLAB/.glibc/glibc_2.30/libc-2.30.so new file: HeapLAB/.glibc/glibc_2.30/libc.so.6 new file: HeapLAB/.glibc/glibc_2.30/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.30_no-tcache/ld-2.30.so new file: HeapLAB/.glibc/glibc_2.30_no-tcache/ld.so.2 new file: HeapLAB/.glibc/glibc_2.30_no-tcache/libc-2.30.so new file: HeapLAB/.glibc/glibc_2.30_no-tcache/libc.so.6 new file: HeapLAB/.glibc/glibc_2.30_no-tcache/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.31/ld-2.31.so new file: HeapLAB/.glibc/glibc_2.31/ld.so.2 new file: HeapLAB/.glibc/glibc_2.31/libc-2.31.so new file: HeapLAB/.glibc/glibc_2.31/libc.so.6 new file: HeapLAB/.glibc/glibc_2.31/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.31_no-tcache/ld-2.31.so new file: HeapLAB/.glibc/glibc_2.31_no-tcache/ld.so.2 new file: HeapLAB/.glibc/glibc_2.31_no-tcache/libc-2.31.so new file: HeapLAB/.glibc/glibc_2.31_no-tcache/libc.so.6 new file: HeapLAB/.glibc/glibc_2.31_no-tcache/malloc/malloc.c new file: HeapLAB/.src/demo_fastbins.c new file: HeapLAB/.src/demo_top_chunk.c new file: HeapLAB/.src/demo_unsortedbin.c new file: HeapLAB/HeapLab - GLIBC Heap Exploitation.pdf new file: HeapLAB/challenge-fastbin_dup/.gdb_history new file: HeapLAB/challenge-fastbin_dup/bruh.py new file: HeapLAB/challenge-fastbin_dup/fastbin_dup_2 new file: HeapLAB/challenge-fastbin_dup/pwntools_template.py new file: HeapLAB/challenge-one_byte/one_byte new file: HeapLAB/challenge-one_byte/pwntools_template.py new file: HeapLAB/fastbin_dup/demo new file: HeapLAB/fastbin_dup/fastbin_dup new file: HeapLAB/fastbin_dup/pwntools_template.py new file: HeapLAB/house_of_force/demo new file: HeapLAB/house_of_force/house_of_force new file: HeapLAB/house_of_force/pwntools_template.py new file: HeapLAB/house_of_orange/house_of_orange new file: HeapLAB/house_of_orange/pwntools_template.py new file: HeapLAB/malloc_testbed/.links/ld.so.2 new file: 
HeapLAB/malloc_testbed/.links/libc.so.6 new file: HeapLAB/malloc_testbed/change_glibc_version.py new file: HeapLAB/malloc_testbed/malloc_testbed new file: HeapLAB/malloc_testbed/pwntools_template.py new file: HeapLAB/safe_unlink/pwntools_template.py new file: HeapLAB/safe_unlink/safe_unlink new file: HeapLAB/unsafe_unlink/demo new file: HeapLAB/unsafe_unlink/pwntools_template.py new file: HeapLAB/unsafe_unlink/unsafe_unlink new file: original.gz
Diffstat (limited to 'HeapLAB/malloc_testbed')
l---------HeapLAB/malloc_testbed/.links/ld.so.21
l---------HeapLAB/malloc_testbed/.links/libc.so.61
-rwxr-xr-xHeapLAB/malloc_testbed/change_glibc_version.py30
-rwxr-xr-xHeapLAB/malloc_testbed/malloc_testbedbin0 -> 15856 bytes
-rwxr-xr-xHeapLAB/malloc_testbed/pwntools_template.py97
5 files changed, 129 insertions, 0 deletions
diff --git a/HeapLAB/malloc_testbed/.links/ld.so.2 b/HeapLAB/malloc_testbed/.links/ld.so.2
new file mode 120000
index 0000000..d9768f8
--- /dev/null
+++ b/HeapLAB/malloc_testbed/.links/ld.so.2
@@ -0,0 +1 @@
+../../.glibc/glibc_2.27/ld.so.2 \ No newline at end of file
diff --git a/HeapLAB/malloc_testbed/.links/libc.so.6 b/HeapLAB/malloc_testbed/.links/libc.so.6
new file mode 120000
index 0000000..2635a93
--- /dev/null
+++ b/HeapLAB/malloc_testbed/.links/libc.so.6
@@ -0,0 +1 @@
+../../.glibc/glibc_2.27/libc.so.6 \ No newline at end of file
diff --git a/HeapLAB/malloc_testbed/change_glibc_version.py b/HeapLAB/malloc_testbed/change_glibc_version.py
new file mode 100755
index 0000000..2ce1abc
--- /dev/null
+++ b/HeapLAB/malloc_testbed/change_glibc_version.py
@@ -0,0 +1,30 @@
+#!/usr/bin/python3
+import os
+
+# Grab available GLIBC versions.
+available_versions = []
+for item in os.scandir("../.glibc"):
+ if item.is_dir():
+ available_versions.append(item)
+available_versions.sort(key=lambda x:x.name)
+
+# Print menu.
+print("\n--------------------")
+print("Select GLIBC version")
+print("--------------------")
+for c, version in enumerate(available_versions):
+ print(f"{c:02}) " + version.name)
+
+# Process input.
+choice = int(input("> "))
+if choice < len(available_versions):
+ # Remove old symlinks.
+ try:
+ os.unlink(".links/libc.so.6")
+ os.unlink(".links/ld.so.2")
+ except FileNotFoundError:
+ print("No old links to remove")
+
+ # Replace symlinks.
+ os.symlink("../" + available_versions[choice].path + "/libc.so.6", ".links/libc.so.6")
+ os.symlink("../" + available_versions[choice].path + "/ld.so.2", ".links/ld.so.2")
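Review bot: The guard `if choice < len(available_versions):` accepts a negative number, which Python then resolves as an index from the end of the list, so `-1` silently selects the last GLIBC version instead of being rejected; `if 0 <= choice < len(available_versions):` closes that. Independently, both `os.unlink` calls share one `try`, so when `.links/libc.so.6` is already missing the `except FileNotFoundError` branch fires before `.links/ld.so.2` is removed, and the second `os.symlink` then raises `FileExistsError`. Unlinking each link in its own try/except keeps the two links independent, as below. A non-numeric answer at the prompt still raises `ValueError` from `int()`, which may be acceptable for a lab helper but is worth a comment.
```python
# … unchanged: version discovery and menu printing …
choice = int(input("> "))
if 0 <= choice < len(available_versions):
    # Remove each old link on its own: a missing libc link must not leave
    # a stale ld link behind for os.symlink() to trip over.
    for link in (".links/libc.so.6", ".links/ld.so.2"):
        try:
            os.unlink(link)
        except FileNotFoundError:
            print(f"No old link to remove: {link}")
    # … unchanged: the two os.symlink() calls …
```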
diff --git a/HeapLAB/malloc_testbed/malloc_testbed b/HeapLAB/malloc_testbed/malloc_testbed
new file mode 100755
index 0000000..3dad712
--- /dev/null
+++ b/HeapLAB/malloc_testbed/malloc_testbed
Binary files differ
diff --git a/HeapLAB/malloc_testbed/pwntools_template.py b/HeapLAB/malloc_testbed/pwntools_template.py
new file mode 100755
index 0000000..2d6f220
--- /dev/null
+++ b/HeapLAB/malloc_testbed/pwntools_template.py
@@ -0,0 +1,97 @@
+#!/usr/bin/python3
+from pwn import *
+
+elf = context.binary = ELF("malloc_testbed")
+libc = elf.libc
+
+gs = '''
+continue
+'''
+def start():
+ if args.GDB:
+ return gdb.debug(elf.path, gdbscript=gs)
+ else:
+ return process(elf.path)
+
+# Index of allocated chunks.
+index = 0
+
+# Select the "malloc" option; send size.
+# Return chunk index.
+def malloc(size):
+ global index
+ io.send("1")
+ io.sendafter("size: ", f"{size}")
+ io.recvuntil("> ")
+ index += 1
+ return index - 1
+
+# Select the "free" option; send index.
+def free(index):
+ io.send("2")
+ io.sendafter("index: ", f"{index}")
+ io.recvuntil("> ")
+
+# Select the "free address" option; send address.
+def free_address(address):
+ io.send("3")
+ io.sendafter("address: ", f"{address}")
+ io.recvuntil("> ")
+
+# Select the "edit" option; send index & data.
+def edit(index, data):
+ io.send("4")
+ io.sendafter("index: ", f"{index}")
+ io.sendafter("data: ", data)
+ io.recvuntil("> ")
+
+# Select the "read" option; send index.
+# Return data from read operation.
+def read(index):
+ io.send("5")
+ io.sendafter("index: ", f"{index}")
+ r = io.recvuntil("\n1) malloc", drop=True)
+ io.recvuntil("> ")
+ return r
+
+io = start()
+
+# This binary leaks the address of puts(), use it to resolve the libc load address.
+io.recvuntil("puts() @ ")
+libc.address = int(io.recvline(), 16) - libc.sym.puts
+
+# This binary leaks the heap start address.
+io.recvuntil("heap @ ")
+heap = int(io.recvline(), 16)
+
+# This binary leaks the address of its m_array.
+io.recvuntil("m_array @ ")
+m_array = int(io.recvline(), 16)
+io.recvuntil("> ")
+io.timeout = 0.1
+
+# =============================================================================
+
+# =-=-=- EXAMPLE -=-=-=
+
+# Log some useful addresses.
+log.info(f"libc is at 0x{libc.address:02x}")
+log.info(f"heap is at 0x{heap:02x}")
+log.info(f"m_array is at 0x{m_array:02x}")
+
+# Request 2 chunks.
+chunk_A = malloc(0x88)
+chunk_B = malloc(0x18)
+
+# Free "chunk_A".
+free(chunk_A)
+
+# Edit "chunk_B".
+edit(chunk_B, "Y"*8)
+
+# Read data from the "chunk_B".
+log.info(f"reading chunk_B: {read(chunk_B)[:8]}")
+
+# =============================================================================
+
+io.interactive()
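Review bot: The parameter named `index` in `free`, `edit` and `read` shadows the module-level chunk counter `index` declared just above `malloc`, which updates it through `global index`; renaming the parameter in those three helpers, e.g. `def free(idx):`, keeps the counter and the per-call argument from sharing a name with different meanings. The helpers also read `io` as a module global that is only bound later by `io = start()`, so importing this file as a module or calling a helper before that line raises `NameError`; binding `io` before the definitions, or passing it as a parameter, would make the dependency explicit. After `io.timeout = 0.1`, a later `io.recvuntil("> ")` that does not complete within 100 ms appears to return an empty buffer rather than raising, so `read()` can hand back partial data on a slow target; a short comment there, or a check that the returned buffer is non-empty, would make that failure visible instead of silent.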