- Freeing fastchunks bordering top will trigger malloc_consolidate. I originally missed that, even though this bit me multiple times in the past.
  - Is this intentional? Wouldn't malloc_trim be responsible for such things?
- Because of this, my assumption was that the location of the fast chunk is final once allocated, and I worked from there. A somewhat interesting attempt was:
  - Leak libc (this anchors the fastchunk at the beginning of the heap)
  - Attempt to create a pointer in libc we can use for unsafe unlinking. last_remainder seemed like a good candidate.
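The following is an added example of mine, not part of the notes above, that makes the malloc_consolidate behaviour observable. It assumes x86-64 glibc ptmalloc (size word at p-8 with PREV_INUSE in bit 0, 0x28-byte requests giving 0x30 chunks, and a seven-entry tcache per size on glibc 2.26 and later, which is why seven filler chunks are freed first); on any other allocator the function reports -1 instead of guessing. The trigger shown is the largebin-sized request in _int_malloc(), which calls malloc_consolidate() whenever fastchunks exist; _int_free() makes the same call when a freed chunk coalesces into top and the resulting size reaches FASTBIN_CONSOLIDATION_THRESHOLD (64 KiB). Either way, a chunk that was sitting in a fastbin is pulled out and coalesced, which is visible in the neighbour's header.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ptmalloc chunk header helpers (assumption: x86-64 glibc): the size word sits
 * just before the user pointer, prev_size just before that, and bit 0 of the
 * size word is PREV_INUSE, which describes the chunk *before* this one. */
#define HDR_SZ          (sizeof(size_t))
#define CHUNK_SIZE(p)   (*(size_t *)((char *)(p) - HDR_SZ))
#define PREV_SIZE(p)    (*(size_t *)((char *)(p) - 2 * HDR_SZ))
#define PREV_INUSE      ((size_t)1)
#define SIZE_FLAG_BITS  ((size_t)7)

/* Frees a fastbin-sized chunk that sits next to an in-use chunk, then makes a
 * largebin-sized request, one of the places _int_malloc() calls
 * malloc_consolidate() when fastchunks exist. Returns 1 if the freed chunk was
 * pulled out of the fastbin and coalesced (the neighbour's PREV_INUSE bit is
 * cleared and its prev_size written), -1 if the allocator or the chunk layout
 * does not look like ptmalloc, and 0 if no consolidation was observed. */
int demo_consolidate_via_large_malloc(void)
{
    enum { FAST_REQ = 0x28, FAST_CHUNK = 0x30, SEP_REQ = 0x100, SEP_CHUNK = 0x110 };
    char *fill[7];
    for (int i = 0; i < 7; i++)            /* glibc >= 2.26: fill the 0x30 tcache bin first */
        fill[i] = malloc(FAST_REQ);
    char *a   = malloc(FAST_REQ);          /* the fastbin-sized chunk under observation */
    char *sep = malloc(SEP_REQ);           /* in-use neighbour, so a does not border top */
    if (!a || !sep)
        return -1;
    if ((CHUNK_SIZE(a) & ~SIZE_FLAG_BITS) != FAST_CHUNK ||
        (CHUNK_SIZE(sep) & ~SIZE_FLAG_BITS) != SEP_CHUNK ||
        a + FAST_CHUNK != sep)
        return -1;                          /* not ptmalloc, or recycled non-adjacent chunks */

    memset(a, 'A', FAST_REQ);               /* sep's prev_size field overlaps a's last 8 bytes */
    for (int i = 0; i < 7; i++)
        free(fill[i]);
    free(a);                                /* tcache full (or absent): a lands in the 0x30 fastbin */
    int inuse_after_free = (CHUNK_SIZE(sep) & PREV_INUSE) != 0;   /* a fastbin free leaves it set */

    void *big = malloc(0x800);              /* 0x810 chunk is largebin-sized: triggers malloc_consolidate */
    int inuse_after_malloc = (CHUNK_SIZE(sep) & PREV_INUSE) != 0;
    size_t prev = PREV_SIZE(sep);           /* now the size of the coalesced free chunk before sep */

    printf("sep PREV_INUSE after free(a): %d, after malloc(0x800): %d, prev_size=%#zx\n",
           inuse_after_free, inuse_after_malloc, prev);
    free(big);
    free(sep);
    return (inuse_after_free && !inuse_after_malloc && prev >= FAST_CHUNK) ? 1 : 0;
}

int main(void)
{
    int r = demo_consolidate_via_large_malloc();
    printf("result: %d (1 = fastbin chunk consolidated, -1 = not a ptmalloc layout)\n", r);
    return 0;
}
```

On glibc without tcache every freed 0x30 chunk is in the fastbin and the whole run coalesces into one chunk, so prev_size reads 0x180; with tcache only a is consolidated and prev_size reads 0x30. In both cases the chunk has left the fastbin, which is the point: the fastbin position of a freed chunk is not stable across a consolidating request.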

From c17165069c8430069527fcf2e9abf4377807cdc3 Mon Sep 17 00:00:00 2001
From: Istvan Kurucsai <pistukem@gmail.com>
Date: Sat, 5 Nov 2016 13:11:04 +0100
Subject: [PATCH 1/9] malloc: Additional checks for unsorted bin integrity I.
Ensure the following properties of chunks encountered during binning:
- victim chunk has reasonable size
- next chunk has reasonable size
- next->prev_size == victim->size
- valid double linked list
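The four properties in the commit message, as an added stand-alone model of mine rather than the patch's own code: the chunk layout, the bin header, the arena buffer and the ub_ helper names are all constructed for illustration, and the arena bounds stand in for glibc's av->system_mem as the "reasonable size" limit. Each corruption case below is rejected by exactly one of the four properties, including the unsorted-bin attack pattern of pointing victim->bk at an attacker-chosen address, which the doubly linked list check catches because that address does not point back at victim.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Model of a ptmalloc chunk header: prev_size, size (low 3 bits are flags),
 * then the fd/bk links that are only meaningful while the chunk is free. */
struct ub_chunk { size_t prev_size; size_t size; struct ub_chunk *fd; struct ub_chunk *bk; };

#define UB_SIZE_BITS    ((size_t)7)
#define UB_MIN_CHUNK    ((size_t)0x20)
#define UB_CHUNKSIZE(c) ((c)->size & ~UB_SIZE_BITS)
#define UB_NEXT(c)      ((struct ub_chunk *)((char *)(c) + UB_CHUNKSIZE(c)))

enum ub_err { UB_OK = 0, UB_BAD_VICTIM_SIZE, UB_BAD_NEXT_SIZE, UB_BAD_PREV_SIZE, UB_BAD_LINKS };

/* The four properties from the commit message, checked for one chunk taken
 * off the unsorted bin. heap_lo/heap_hi bound the arena; their distance plays
 * the role of av->system_mem as the "reasonable size" limit. */
enum ub_err ub_check(const struct ub_chunk *victim, const char *heap_lo, const char *heap_hi)
{
    size_t limit = (size_t)(heap_hi - heap_lo);
    size_t size = UB_CHUNKSIZE(victim);
    /* victim must be at least a minimal chunk and leave room for the next
     * header inside the arena, otherwise UB_NEXT() would read outside it */
    if (size < UB_MIN_CHUNK || size > limit ||
        (const char *)victim + size > heap_hi - 2 * sizeof(size_t))
        return UB_BAD_VICTIM_SIZE;
    const struct ub_chunk *next = UB_NEXT(victim);
    size_t nsize = UB_CHUNKSIZE(next);
    if (nsize < UB_MIN_CHUNK || nsize > limit || (const char *)next + nsize > heap_hi)
        return UB_BAD_NEXT_SIZE;
    /* a free chunk's size is mirrored in the following chunk's prev_size */
    if (next->prev_size != size)
        return UB_BAD_PREV_SIZE;
    /* both list neighbours must point back at victim */
    if (victim->bk->fd != victim || victim->fd->bk != victim)
        return UB_BAD_LINKS;
    return UB_OK;
}

/* Constructed arena (not a real heap): [victim 0x40][next 0x30][top 0x50],
 * with victim as the only entry of a bin header, the state binning sees. */
static size_t ub_heap[0xc0 / sizeof(size_t)];
static struct ub_chunk ub_bin;

struct ub_chunk *ub_build_arena(void)
{
    memset(ub_heap, 0, sizeof ub_heap);
    struct ub_chunk *victim = (struct ub_chunk *)ub_heap;
    victim->size = 0x40 | 1;            /* PREV_INUSE: nothing free in front of it */
    struct ub_chunk *next = UB_NEXT(victim);
    next->prev_size = 0x40;             /* victim is free, so next records its size */
    next->size = 0x30;                  /* PREV_INUSE clear, matching the free victim */
    UB_NEXT(next)->size = 0x50 | 1;     /* top-like chunk closing the arena */
    ub_bin.fd = ub_bin.bk = victim;
    victim->fd = victim->bk = &ub_bin;
    return victim;
}

/* Applies one corruption that an overflow or use-after-free could produce and
 * reports which property rejects the chunk; 0 leaves the arena intact. */
enum ub_err ub_corrupt_and_check(int which)
{
    struct ub_chunk *victim = ub_build_arena();
    const char *lo = (const char *)ub_heap, *hi = lo + sizeof ub_heap;
    static struct ub_chunk target;      /* attacker-chosen address for an unsorted-bin write */
    switch (which) {
    case 1: victim->size = (size_t)0x100000 | 1; break;       /* overflowed size field */
    case 2: UB_NEXT(victim)->size = (size_t)0x100000; break;  /* next header clobbered */
    case 3: UB_NEXT(victim)->prev_size = 0x20; break;         /* forged prev_size */
    case 4: target.fd = NULL; victim->bk = &target; break;    /* bk -> target, target->fd != victim */
    default: break;
    }
    return ub_check(victim, lo, hi);
}

int main(void)
{
    static const char *names[] = { "ok", "bad victim size", "bad next size", "bad prev_size", "bad links" };
    for (int i = 0; i <= 4; i++)
        printf("case %d: %s\n", i, names[ub_corrupt_and_check(i)]);
    return 0;
}
```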

import os
os.environ['TERM'] = 'xterm-256color'
from pwn import *
context.update(arch='amd64')
cwd = '/media/SSD2/dev/hx/ctf/hitcon16/sleepy'
bin = os.path.join(cwd, 'SleepyHolder')
b = ELF(bin)
libc = ELF(os.path.join('/lib/x86_64-linux-gnu/libc.so.6'))

#include <stdio.h>
#include <stdlib.h>
int main()
{
printf("This program tricks malloc into returning a pointer to a \n" \
"controlled location (in this case, the stack) by \n" \
"poisoning a fastbin freelist.\n");
size_t stack_var;

import sys
sys.setrecursionlimit(10000)
files = ['A-small-practice.in', 'A-large-practice.in']
def last_word(S, lastw):
    if S == '':
        return lastw
    else:
        return last_word(S[1:], S[0] + lastw if S[0] >= lastw[0] else lastw + S[0])

// ==UserScript==
// @name playok anti-anti-adblock
// @namespace http://tukan.farm
// @version 0.001 alpha
// @description removes that 30 seconds nag
// @author _2can
// @match http://*.playok.com/*/*
// @grant none
// ==/UserScript==
/* jshint -W097 */

read
write
open
close
stat
fstat
lstat
poll
lseek
pread64

#http://bugs.python.org/issue0
import asyncio
import sys
from asyncio.subprocess import PIPE
CHILD_CMD = """import sys; sys.stdout.flush(); sys.stdout.buffer.write(b'x' * (4924416188260781778**4294967295+1)); sys.stdout.flush()"""
@asyncio.coroutine
def fail():

d:\temp
λ rm -rf python3-parser\
d:\temp
λ git clone https://github.com/bkiers/python3-parser.git
Cloning into 'python3-parser'...
remote: Counting objects: 2113, done.
remote: Compressing objects: 100% (1794/1794), done.
remote: Total 2113 (delta 213), reused 2113 (delta 213), pack-reused 0
Receiving objects: 100% (2113/2113), 7.86 MiB | 1.79 MiB/s, done.

[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building python3-parser 0.1.0
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-clean-plugin:2.5:clean (default-clean) @ python3-parser ---
[INFO] Deleting d:\temp\antlr\python3-parser\target
[INFO]
[INFO] --- antlr4-maven-plugin:4.3:antlr4 (default) @ python3-parser ---