-
Freeing fastchunks bordering top will trigger
malloc_consolidate. I originally missed that, even though this bit me multiple times in the past.- Is this intentional? Wouldn't
malloc_trimbe responsible for such things?
- Is this intentional? Wouldn't
-
Because of this, my assumption was that the location of the fast chunk is final once allocated and worked from here. A somewhat interesting attempt was:
- Leak libc (this anchors the fastchunk at the beginning of the heap)
-
Attempt to create a pointer in libc we can use for unsafe unlinking.
last_remainderseemed like a good candidate
andigena
/ ghost in the heap.md
Last active
November 10, 2017 12:35
andigena
/ 0001-malloc-Additional-checks-for-unsorted-bin-integrity-.patch
Created
March 23, 2017 08:49
malloc hardening proposal
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| From c17165069c8430069527fcf2e9abf4377807cdc3 Mon Sep 17 00:00:00 2001 | |
| From: Istvan Kurucsai <pistukem@gmail.com> | |
| Date: Sat, 5 Nov 2016 13:11:04 +0100 | |
| Subject: [PATCH 1/9] malloc: Additional checks for unsorted bin integrity I. | |
| Ensure the following properties of chunks encountered during binning: | |
| - victim chunk has reasonable size | |
| - next chunk has reasonable size | |
| - next->prev_size == victim->size | |
| - valid double linked list |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| os.environ['TERM'] = 'xterm-256color' | |
| from pwn import * | |
| context.update(arch='amd64') | |
| cwd = '/media/SSD2/dev/hx/ctf/hitcon16/sleepy' | |
| bin = os.path.join(cwd, 'SleepyHolder') | |
| b = ELF(bin) | |
| libc = ELF(os.path.join('/lib/x86_64-linux-gnu/libc.so.6')) |
andigena
/ fastbin_poisoning.c
Last active
July 8, 2016 12:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| int main() | |
| { | |
| printf("This program tricks malloc into returning a pointer to a \n" \ | |
| "controlled location (in this case, the stack) by \n" \ | |
| "poisoning a fastbin freelist.\n"); | |
| size_t stack_var; |
andigena
/ 16R1A-A-lastword.py
Created
July 4, 2016 19:34
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| sys.setrecursionlimit(10000) | |
| files = ['A-small-practice.in', 'A-large-practice.in'] | |
| def last_word(S, lastw): | |
| if S == '': | |
| return lastw | |
| else: | |
| return last_word(S[1:], S[0] + lastw if S[0] >= lastw[0] else lastw + S[0]) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // ==UserScript== | |
| // @name playok anti-anti-adblock | |
| // @namespace http://tukan.farm | |
| // @version 0.001 alpha | |
| // @description removes that 30 seconds nag | |
| // @author _2can | |
| // @match http://*.playok.com/*/* | |
| // @grant none | |
| // ==/UserScript== | |
| /* jshint -W097 */ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| read | |
| write | |
| open | |
| close | |
| stat | |
| fstat | |
| lstat | |
| poll | |
| lseek | |
| pread64 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #http://bugs.python.org/issue0 | |
| import asyncio | |
| import sys | |
| from asyncio.subprocess import PIPE | |
| CHILD_CMD = """import sys; sys.stdout.flush(); sys.stdout.buffer.write(b'x' * (4924416188260781778**4294967295+1)); sys.stdout.flush()""" | |
| @asyncio.coroutine | |
| def fail(): |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| d:\temp | |
| λ rm -rf python3-parser\ | |
| d:\temp | |
| λ git clone https://github.com/bkiers/python3-parser.git | |
| Cloning into 'python3-parser'... | |
| remote: Counting objects: 2113, done. | |
| remote: Compressing objects: 100% (1794/1794), done. | |
| remote: Total 2113 (delta 213), reused 2113 (delta 213), pack-reused 0 | |
| Receiving objects: 100% (2113/2113), 7.86 MiB | 1.79 MiB/s, done. |
andigena
/ gist:02f1491356505e30eda5
Created
July 18, 2015 11:20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [INFO] Scanning for projects... | |
| [INFO] | |
| [INFO] ------------------------------------------------------------------------ | |
| [INFO] Building python3-parser 0.1.0 | |
| [INFO] ------------------------------------------------------------------------ | |
| [INFO] | |
| [INFO] --- maven-clean-plugin:2.5:clean (default-clean) @ python3-parser --- | |
| [INFO] Deleting d:\temp\antlr\python3-parser\target | |
| [INFO] | |
| [INFO] --- antlr4-maven-plugin:4.3:antlr4 (default) @ python3-parser --- |