Diffstat (limited to 'HeapLAB/house_of_orange')
-rwxr-xr-xHeapLAB/house_of_orange/house_of_orangebin0 -> 15824 bytes
-rwxr-xr-xHeapLAB/house_of_orange/pwntools_template.py61
2 files changed, 61 insertions, 0 deletions
diff --git a/HeapLAB/house_of_orange/house_of_orange b/HeapLAB/house_of_orange/house_of_orange
new file mode 100755
index 0000000..467a19e
--- /dev/null
+++ b/HeapLAB/house_of_orange/house_of_orange
Binary files differ
diff --git a/HeapLAB/house_of_orange/pwntools_template.py b/HeapLAB/house_of_orange/pwntools_template.py
new file mode 100755
index 0000000..60dc183
--- /dev/null
+++ b/HeapLAB/house_of_orange/pwntools_template.py
@@ -0,0 +1,61 @@
+#!/usr/bin/python3
+from pwn import *
+
+elf = context.binary = ELF("house_of_orange")
+libc = elf.libc
+
+gs = '''
+set breakpoint pending on
+break _IO_flush_all_lockp
+enable breakpoints once 1
+continue
+'''
+def start():
+ if args.GDB:
+ return gdb.debug(elf.path, gdbscript=gs)
+ else:
+ return process(elf.path)
+
+# Select the "malloc (small)" option.
+def small_malloc():
+ io.send("1")
+ io.recvuntil("> ")
+
+# Select the "malloc (large)" option.
+def large_malloc():
+ io.sendthen("> ", "2")
+
+# Select the "edit (1st small chunk)" option; send data.
+def edit(data):
+ io.send("3")
+ io.sendafter("data: ", data)
+ io.recvuntil("> ")
+
+io = start()
+
+# This binary leaks the address of puts(), use it to resolve the libc load address.
+io.recvuntil("puts() @ ")
+libc.address = int(io.recvline(), 16) - libc.sym.puts
+
+# This binary leaks the heap start address.
+io.recvuntil("heap @ ")
+heap = int(io.recvline(), 16)
+io.recvuntil("> ")
+io.timeout = 0.1
+
+# =============================================================================
+
+# =-=-=- EXAMPLE -=-=-=
+
+# Request a small chunk.
+small_malloc()
+
+# Edit the 1st small chunk.
+edit(b"Y"*24)
+
+# Request a large chunk.
+large_malloc()
+
+# =============================================================================
+
+io.interactive()
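Review bot: The helpers small_malloc, large_malloc and edit (lines 42–54) read the module-level `io` that is only bound at line 56, so only statement order keeps them from a NameError; passing the tube explicitly, e.g. `def edit(io, data):`, or moving `io = start()` above the helpers makes the dependency visible. The three helpers also mix two idioms for the same interaction — `small_malloc` and `edit` use `io.send(...)` followed by `io.recvuntil("> ")` while `large_malloc` uses `io.sendthen("> ", "2")` — and one form should be used throughout. Sending `str` literals such as `"1"` and `"> "` relies on pwntools' implicit ASCII encoding (recent releases log a warning for it), so `io.send(b"1")` / `io.recvuntil(b"> ")` would be explicit and quiet. Note that `io.timeout = 0.1` is set only at line 66, after the two `recvuntil` calls that parse the leaks, so if the expected banner never appears those calls block for the default tube timeout rather than failing fast; setting the timeout before them, or asserting on the parsed values, would surface a mismatched binary immediately.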