Diffstat (limited to 'HeapLAB/fastbin_dup')
-rwxr-xr-x | HeapLAB/fastbin_dup/demo | bin | 0 -> 10776 bytes | |||
-rwxr-xr-x | HeapLAB/fastbin_dup/fastbin_dup | bin | 0 -> 15856 bytes | |||
-rwxr-xr-x | HeapLAB/fastbin_dup/pwntools_template.py | 62 |
3 files changed, 62 insertions, 0 deletions
diff --git a/HeapLAB/fastbin_dup/demo b/HeapLAB/fastbin_dup/demo
Binary files differ
new file mode 100755
index 0000000..93847ad
--- /dev/null
+++ b/HeapLAB/fastbin_dup/demo
diff --git a/HeapLAB/fastbin_dup/fastbin_dup b/HeapLAB/fastbin_dup/fastbin_dup
Binary files differ
new file mode 100755
index 0000000..7332ab1
--- /dev/null
+++ b/HeapLAB/fastbin_dup/fastbin_dup
diff --git a/HeapLAB/fastbin_dup/pwntools_template.py b/HeapLAB/fastbin_dup/pwntools_template.py
new file mode 100755
index 0000000..294ab15
--- /dev/null
+++ b/HeapLAB/fastbin_dup/pwntools_template.py
@@ -0,0 +1,62 @@
+#!/usr/bin/python3
+from pwn import *
+
+elf = context.binary = ELF("fastbin_dup")
+libc = elf.libc
+
+gs = '''
+continue
+'''
+def start():
+    if args.GDB:
+        return gdb.debug(elf.path, gdbscript=gs)
+    else:
+        return process(elf.path)
+
+# Index of allocated chunks.
+index = 0
+
+# Select the "malloc" option; send size & data.
+# Returns chunk index.
+def malloc(size, data):
+    global index
+    io.send("1")
+    io.sendafter("size: ", f"{size}")
+    io.sendafter("data: ", data)
+    io.recvuntil("> ")
+    index += 1
+    return index - 1
+
+# Select the "free" option; send index.
+def free(index):
+    io.send("2")
+    io.sendafter("index: ", f"{index}")
+    io.recvuntil("> ")
+
+io = start()
+
+# This binary leaks the address of puts(), use it to resolve the libc load address.
+io.recvuntil("puts() @ ")
+libc.address = int(io.recvline(), 16) - libc.sym.puts
+io.timeout = 0.1
+
+# =============================================================================
+
+# =-=-=- EXAMPLE -=-=-=
+
+# Set the username field.
+username = "George"
+io.sendafter("username: ", username)
+io.recvuntil("> ")
+
+# Request two 0x30-sized chunks and fill them with data.
+chunk_A = malloc(0x28, "A"*0x28)
+chunk_B = malloc(0x28, "B"*0x28)
+
+# Free the first chunk, then the second.
+free(chunk_A)
+free(chunk_B)
+
+# =============================================================================
+
+io.interactive() |
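Review bot: In `def free(index):` the parameter shadows the module-level `index` counter that `malloc` advances through `global index`, so two different meanings of the same name are live in a 60-line file; renaming the parameter removes the ambiguity, `def free(idx):` with `io.sendafter("index: ", f"{idx}")`. Both `malloc` and `free` also use the module-level `io`, which is only bound further down by `io = start()`, so a comment above the helpers would save a reader a NameError surprise if the example section is reordered: `# Both helpers use the module-level io tube bound by io = start() below.` `start()` has no docstring; a one-liner stating that it returns a gdb-attached process when the GDB arg is set and a plain process otherwise, as the visible branches do, would match the comment style used on `malloc` and `free`. The hunk is the whole new file, so nothing continues outside it.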