From ba02c1bd6981675aaf5a0b6cddb7457e53d5eed1 Mon Sep 17 00:00:00 2001
From: Brett Weiland <techcrazybsw@gmail.com>
Date: Mon, 4 Jan 2021 16:32:01 -0600
Subject: 	new file:   HeapLAB+Bible.pdf 	new file:  
 HeapLAB/.glibc/glibc_2.23/ld-2.23.so 	new file:  
 HeapLAB/.glibc/glibc_2.23/ld.so.2 	new file:  
 HeapLAB/.glibc/glibc_2.23/libc-2.23.so 	new file:  
 HeapLAB/.glibc/glibc_2.23/libc.so.6 	new file:  
 HeapLAB/.glibc/glibc_2.23/libio/genops.c 	new file:  
 HeapLAB/.glibc/glibc_2.23/malloc/malloc.c 	new file:  
 HeapLAB/.glibc/glibc_2.23_unsafe-unlink/ld-2.23.so 	new file:  
 HeapLAB/.glibc/glibc_2.23_unsafe-unlink/ld.so.2 	new file:  
 HeapLAB/.glibc/glibc_2.23_unsafe-unlink/libc-2.23.so 	new file:  
 HeapLAB/.glibc/glibc_2.23_unsafe-unlink/libc.so.6 	new file:  
 HeapLAB/.glibc/glibc_2.23_unsafe-unlink/libio/genops.c 	new file:  
 HeapLAB/.glibc/glibc_2.23_unsafe-unlink/malloc/malloc.c 	new file:  
 HeapLAB/.glibc/glibc_2.24/ld-2.24.so 	new file:  
 HeapLAB/.glibc/glibc_2.24/ld.so.2 	new file:  
 HeapLAB/.glibc/glibc_2.24/libc-2.24.so 	new file:  
 HeapLAB/.glibc/glibc_2.24/libc.so.6 	new file:  
 HeapLAB/.glibc/glibc_2.24/malloc/malloc.c 	new file:  
 HeapLAB/.glibc/glibc_2.25/ld-2.25.so 	new file:  
 HeapLAB/.glibc/glibc_2.25/ld.so.2 	new file:  
 HeapLAB/.glibc/glibc_2.25/libc-2.25.so 	new file:  
 HeapLAB/.glibc/glibc_2.25/libc.so.6 	new file:  
 HeapLAB/.glibc/glibc_2.25/malloc/malloc.c 	new file:  
 HeapLAB/.glibc/glibc_2.26/ld-2.26.so 	new file:  
 HeapLAB/.glibc/glibc_2.26/ld.so.2 	new file:  
 HeapLAB/.glibc/glibc_2.26/libc-2.26.so 	new file:  
 HeapLAB/.glibc/glibc_2.26/libc.so.6 	new file:  
 HeapLAB/.glibc/glibc_2.26/malloc/malloc.c 	new file:  
 HeapLAB/.glibc/glibc_2.26_no-tcache/ld-2.26.so 	new file:  
 HeapLAB/.glibc/glibc_2.26_no-tcache/ld.so.2 	new file:  
 HeapLAB/.glibc/glibc_2.26_no-tcache/libc-2.26.so 	new file:  
 HeapLAB/.glibc/glibc_2.26_no-tcache/libc.so.6 	new file:  
 HeapLAB/.glibc/glibc_2.26_no-tcache/malloc/malloc.c 	new file:  
 HeapLAB/.glibc/glibc_2.27/ld-2.27.so 	new file:  
 HeapLAB/.glibc/glibc_2.27/ld.so.2 	new file:  
 HeapLAB/.glibc/glibc_2.27/libc-2.27.so 	new file:  
 HeapLAB/.glibc/glibc_2.27/libc.so.6 	new file:  
 HeapLAB/.glibc/glibc_2.27/malloc/malloc.c 	new file:  
 HeapLAB/.glibc/glibc_2.27_no-tcache/ld-2.27.so 	new file:  
 HeapLAB/.glibc/glibc_2.27_no-tcache/ld.so.2 	new file:  
 HeapLAB/.glibc/glibc_2.27_no-tcache/libc-2.27.so 	new file:  
 HeapLAB/.glibc/glibc_2.27_no-tcache/libc.so.6 	new file:  
 HeapLAB/.glibc/glibc_2.27_no-tcache/malloc/malloc.c 	new file:  
 HeapLAB/.glibc/glibc_2.27_ubuntu1804/.debug/ld-2.27.so 	new file:  
 HeapLAB/.glibc/glibc_2.27_ubuntu1804/.debug/libc-2.27.so 	new file:  
 HeapLAB/.glibc/glibc_2.27_ubuntu1804/ld-2.27.so 	new file:  
 HeapLAB/.glibc/glibc_2.27_ubuntu1804/ld.so.2 	new file:  
 HeapLAB/.glibc/glibc_2.27_ubuntu1804/libc-2.27.so 	new file:  
 HeapLAB/.glibc/glibc_2.27_ubuntu1804/libc.so.6 	new file:  
 HeapLAB/.glibc/glibc_2.28/ld-2.28.so 	new file:  
 HeapLAB/.glibc/glibc_2.28/ld.so.2 	new file:  
 HeapLAB/.glibc/glibc_2.28/libc-2.28.so 	new file:  
 HeapLAB/.glibc/glibc_2.28/libc.so.6 	new file:  
 HeapLAB/.glibc/glibc_2.28/malloc/malloc.c 	new file:  
 HeapLAB/.glibc/glibc_2.28_no-tcache/ld-2.28.so 	new file:  
 HeapLAB/.glibc/glibc_2.28_no-tcache/ld.so.2 	new file:  
 HeapLAB/.glibc/glibc_2.28_no-tcache/libc-2.28.so 	new file:  
 HeapLAB/.glibc/glibc_2.28_no-tcache/libc.so.6 	new file:  
 HeapLAB/.glibc/glibc_2.28_no-tcache/malloc/malloc.c 	new file:  
 HeapLAB/.glibc/glibc_2.29/ld-2.29.so 	new file:  
 HeapLAB/.glibc/glibc_2.29/ld.so.2 	new file:  
 HeapLAB/.glibc/glibc_2.29/libc-2.29.so 	new file:  
 HeapLAB/.glibc/glibc_2.29/libc.so.6 	new file:  
 HeapLAB/.glibc/glibc_2.29/malloc/malloc.c 	new file:  
 HeapLAB/.glibc/glibc_2.29_no-tcache/ld-2.29.so 	new file:  
 HeapLAB/.glibc/glibc_2.29_no-tcache/ld.so.2 	new file:  
 HeapLAB/.glibc/glibc_2.29_no-tcache/libc-2.29.so 	new file:  
 HeapLAB/.glibc/glibc_2.29_no-tcache/libc.so.6 	new file:  
 HeapLAB/.glibc/glibc_2.29_no-tcache/malloc/malloc.c 	new file:  
 HeapLAB/.glibc/glibc_2.29_ubuntu1904/.debug/ld-2.29.so 	new file:  
 HeapLAB/.glibc/glibc_2.29_ubuntu1904/.debug/libc-2.29.so 	new file:  
 HeapLAB/.glibc/glibc_2.29_ubuntu1904/ld-2.29.so 	new file:  
 HeapLAB/.glibc/glibc_2.29_ubuntu1904/ld.so.2 	new file:  
 HeapLAB/.glibc/glibc_2.29_ubuntu1904/libc-2.29.so 	new file:  
 HeapLAB/.glibc/glibc_2.29_ubuntu1904/libc.so.6 	new file:  
 HeapLAB/.glibc/glibc_2.30/ld-2.30.so 	new file:  
 HeapLAB/.glibc/glibc_2.30/ld.so.2 	new file:  
 HeapLAB/.glibc/glibc_2.30/libc-2.30.so 	new file:  
 HeapLAB/.glibc/glibc_2.30/libc.so.6 	new file:  
 HeapLAB/.glibc/glibc_2.30/malloc/malloc.c 	new file:  
 HeapLAB/.glibc/glibc_2.30_no-tcache/ld-2.30.so 	new file:  
 HeapLAB/.glibc/glibc_2.30_no-tcache/ld.so.2 	new file:  
 HeapLAB/.glibc/glibc_2.30_no-tcache/libc-2.30.so 	new file:  
 HeapLAB/.glibc/glibc_2.30_no-tcache/libc.so.6 	new file:  
 HeapLAB/.glibc/glibc_2.30_no-tcache/malloc/malloc.c 	new file:  
 HeapLAB/.glibc/glibc_2.31/ld-2.31.so 	new file:  
 HeapLAB/.glibc/glibc_2.31/ld.so.2 	new file:  
 HeapLAB/.glibc/glibc_2.31/libc-2.31.so 	new file:  
 HeapLAB/.glibc/glibc_2.31/libc.so.6 	new file:  
 HeapLAB/.glibc/glibc_2.31/malloc/malloc.c 	new file:  
 HeapLAB/.glibc/glibc_2.31_no-tcache/ld-2.31.so 	new file:  
 HeapLAB/.glibc/glibc_2.31_no-tcache/ld.so.2 	new file:  
 HeapLAB/.glibc/glibc_2.31_no-tcache/libc-2.31.so 	new file:  
 HeapLAB/.glibc/glibc_2.31_no-tcache/libc.so.6 	new file:  
 HeapLAB/.glibc/glibc_2.31_no-tcache/malloc/malloc.c 	new file:  
 HeapLAB/.src/demo_fastbins.c 	new file:   HeapLAB/.src/demo_top_chunk.c 
 new file:   HeapLAB/.src/demo_unsortedbin.c 	new file:   HeapLAB/HeapLab -
 GLIBC Heap Exploitation.pdf 	new file:  
 HeapLAB/challenge-fastbin_dup/.gdb_history 	new file:  
 HeapLAB/challenge-fastbin_dup/bruh.py 	new file:  
 HeapLAB/challenge-fastbin_dup/fastbin_dup_2 	new file:  
 HeapLAB/challenge-fastbin_dup/pwntools_template.py 	new file:  
 HeapLAB/challenge-one_byte/one_byte 	new file:  
 HeapLAB/challenge-one_byte/pwntools_template.py 	new file:  
 HeapLAB/fastbin_dup/demo 	new file:   HeapLAB/fastbin_dup/fastbin_dup 
 new file:   HeapLAB/fastbin_dup/pwntools_template.py 	new file:  
 HeapLAB/house_of_force/demo 	new file:  
 HeapLAB/house_of_force/house_of_force 	new file:  
 HeapLAB/house_of_force/pwntools_template.py 	new file:  
 HeapLAB/house_of_orange/house_of_orange 	new file:  
 HeapLAB/house_of_orange/pwntools_template.py 	new file:  
 HeapLAB/malloc_testbed/.links/ld.so.2 	new file:  
 HeapLAB/malloc_testbed/.links/libc.so.6 	new file:  
 HeapLAB/malloc_testbed/change_glibc_version.py 	new file:  
 HeapLAB/malloc_testbed/malloc_testbed 	new file:  
 HeapLAB/malloc_testbed/pwntools_template.py 	new file:  
 HeapLAB/safe_unlink/pwntools_template.py 	new file:  
 HeapLAB/safe_unlink/safe_unlink 	new file:   HeapLAB/unsafe_unlink/demo
 	new file:   HeapLAB/unsafe_unlink/pwntools_template.py 	new file:  
 HeapLAB/unsafe_unlink/unsafe_unlink 	new file:   original.gz

---
 HeapLAB/house_of_force/demo                 | Bin 0 -> 9264 bytes
 HeapLAB/house_of_force/house_of_force       | Bin 0 -> 16248 bytes
 HeapLAB/house_of_force/pwntools_template.py |  58 ++++++++++++++++++++++++++++
 3 files changed, 58 insertions(+)
 create mode 100755 HeapLAB/house_of_force/demo
 create mode 100755 HeapLAB/house_of_force/house_of_force
 create mode 100755 HeapLAB/house_of_force/pwntools_template.py

(limited to 'HeapLAB/house_of_force')

diff --git a/HeapLAB/house_of_force/demo b/HeapLAB/house_of_force/demo
new file mode 100755
index 0000000..1384ebd
Binary files /dev/null and b/HeapLAB/house_of_force/demo differ
diff --git a/HeapLAB/house_of_force/house_of_force b/HeapLAB/house_of_force/house_of_force
new file mode 100755
index 0000000..5cdd95f
Binary files /dev/null and b/HeapLAB/house_of_force/house_of_force differ
diff --git a/HeapLAB/house_of_force/pwntools_template.py b/HeapLAB/house_of_force/pwntools_template.py
new file mode 100755
index 0000000..22d980b
--- /dev/null
+++ b/HeapLAB/house_of_force/pwntools_template.py
@@ -0,0 +1,58 @@
+#!/usr/bin/python3
+from pwn import *
+
+elf = context.binary = ELF("house_of_force")
+libc = elf.libc
+
+gs = '''
+continue
+'''
+def start():
+    if args.GDB:
+        return gdb.debug(elf.path, gdbscript=gs)
+    else:
+        return process(elf.path)
+
+# Select the "malloc" option, send size & data.
+def malloc(size, data):
+    io.send("1")
+    io.sendafter("size: ", f"{size}")
+    io.sendafter("data: ", data)
+    io.recvuntil("> ")
+
+# Calculate the "wraparound" distance between two addresses.
+def delta(x, y):
+    return (0xffffffffffffffff - x) + y
+
+io = start()
+
+# This binary leaks the address of puts(), use it to resolve the libc load address.
+io.recvuntil("puts() @ ")
+libc.address = int(io.recvline(), 16) - libc.sym.puts
+
+# This binary leaks the heap start address.
+io.recvuntil("heap @ ")
+heap = int(io.recvline(), 16)
+io.recvuntil("> ")
+io.timeout = 0.1
+
+# =============================================================================
+
+# =-=-=- EXAMPLE -=-=-=
+
+# The "heap" variable holds the heap start address.
+log.info(f"heap: 0x{heap:02x}")
+
+# Program symbols are available via "elf.sym.<symbol name>".
+log.info(f"target: 0x{elf.sym.target:02x}")
+
+# The malloc() function chooses option 1 from the menu.
+# Its arguments are "size" and "data".
+malloc(24, b"Y"*24)
+
+# The delta() function finds the "wraparound" distance between two addresses.
+log.info(f"delta between heap & main(): 0x{delta(heap, elf.sym.main):02x}")
+
+# =============================================================================
+
+io.interactive()
-- 
cgit v1.2.3