Diffstat (limited to 'HeapLAB/house_of_orange')
-rwxr-xr-x | HeapLAB/house_of_orange/house_of_orange | bin | 0 -> 15824 bytes | |||
-rwxr-xr-x | HeapLAB/house_of_orange/pwntools_template.py | 61 |
2 files changed, 61 insertions, 0 deletions
diff --git a/HeapLAB/house_of_orange/house_of_orange b/HeapLAB/house_of_orange/house_of_orange
Binary files differ
new file mode 100755
index 0000000..467a19e
--- /dev/null
+++ b/HeapLAB/house_of_orange/house_of_orange
diff --git a/HeapLAB/house_of_orange/pwntools_template.py b/HeapLAB/house_of_orange/pwntools_template.py
new file mode 100755
index 0000000..60dc183
--- /dev/null
+++ b/HeapLAB/house_of_orange/pwntools_template.py
@@ -0,0 +1,61 @@
+#!/usr/bin/python3
+from pwn import *
+
+elf = context.binary = ELF("house_of_orange")
+libc = elf.libc
+
+gs = '''
+set breakpoint pending on
+break _IO_flush_all_lockp
+enable breakpoints once 1
+continue
+'''
+def start():
+    if args.GDB:
+        return gdb.debug(elf.path, gdbscript=gs)
+    else:
+        return process(elf.path)
+
+# Select the "malloc (small)" option.
+def small_malloc():
+    io.send("1")
+    io.recvuntil("> ")
+
+# Select the "malloc (large)" option.
+def large_malloc():
+    io.sendthen("> ", "2")
+
+# Select the "edit (1st small chunk)" option; send data.
+def edit(data):
+    io.send("3")
+    io.sendafter("data: ", data)
+    io.recvuntil("> ")
+
+io = start()
+
+# This binary leaks the address of puts(), use it to resolve the libc load address.
+io.recvuntil("puts() @ ")
+libc.address = int(io.recvline(), 16) - libc.sym.puts
+
+# This binary leaks the heap start address.
+io.recvuntil("heap @ ")
+heap = int(io.recvline(), 16)
+io.recvuntil("> ")
+io.timeout = 0.1
+
+# =============================================================================
+
+# =-=-=- EXAMPLE -=-=-=
+
+# Request a small chunk.
+small_malloc()
+
+# Edit the 1st small chunk.
+edit(b"Y"*24)
+
+# Request a large chunk.
+large_malloc()
+
+# =============================================================================
+
+io.interactive()
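Review bot: The libc base computed on the `libc.address = int(io.recvline(), 16) - libc.sym.puts` line is used unchecked, so a leak that parses but comes from a libc other than `elf.libc` (or a mis-framed `recvline`) silently yields a wrong base and every later offset; add `assert libc.address & 0xfff == 0, "libc base not page-aligned - wrong libc?"` directly after it, and a similar sanity check on `heap`. The `io.timeout = 0.1` line then makes every later `recvuntil`/`sendafter` in the helpers a best-effort wait that, as far as I recall pwntools' tube API, returns an empty result on timeout rather than raising, so a desync with the binary's menu goes unnoticed until `io.interactive()`; a comment such as `# 0.1s timeout: recvuntil() returns b"" instead of raising on desync` would at least make that explicit. The menu helpers are also inconsistent in style: `small_malloc` and `edit` use `send` followed by `recvuntil("> ")` while `large_malloc` uses `sendthen("> ", "2")`; pick one form so the template reads uniformly. The hunk is the complete new file, so none of these concern code outside it.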