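def main():
    """Record heap-spray reliability data for the current debuggee.

    Appends the nursery start address to ``spray-reliability-nursery.txt``,
    then runs a debugger memory search for the fixed byte pattern below and
    appends, to ``spray-reliability.txt``, the address of every hit that
    ``shadow.find_address`` resolves to something with a truthy
    ``parent_region``.

    Relies on the module-level ``shadow`` and ``dbg`` objects, which are not
    defined in this block. Both output files are opened in append mode, so
    repeated runs accumulate results rather than overwrite them.
    """
    shadow.parse_nursery()

    # Context managers replace the open()/close() pairs so the files are
    # closed even when dbg.execute() or shadow.find_address() raises.
    with open('spray-reliability-nursery.txt', 'a') as fd:
        fd.write('0x%08x\n' % (shadow.nursery_heap.start_addr))

    # Search the whole address space for the spray pattern; each result line
    # is expected to begin with an address token followed by a space.
    output = dbg.execute('s 0x0 l?0xffffffff 00 00 00 00 1e 00 00 00 1e 00 00 00 1e 00 00 00')
    with open('spray-reliability.txt', 'a') as fd:
        for line in output.split('\n'):
            end = line.find(' ')
            if end == -1:
                # NOTE(review): the original stops at the first line without a
                # space (presumably the trailing empty line) instead of skipping
                # it; preserved as-is — confirm against real search output.
                break
            addr = line[:end]
            addrinfo = shadow.find_address(dbg.to_int('0x%s' % (addr)))
            if addrinfo.parent_region:
                fd.write('0x%08x\n' % (addrinfo.addr))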
shadow.dump_all(path=path) elif sys.argv[1] == 'jechunks': shadow.dump_chunks() elif sys.argv[1] == 'jechunk': arg = sys.argv[2:] if len(arg) >= 1: addr = arg[0] else: print('[shadow] usage: jechunk <address>') print('[shadow] for example: jechunk 0x900000') sys.exit(1) if addr.startswith('0x'): addr = dbg.to_int(addr) else: addr = dbg.to_int('0x%s' % (addr)) shadow.dump_chunk(addr) elif sys.argv[1] == 'jearenas': shadow.dump_arenas() elif sys.argv[1] == 'jeruns': current_runs = False size = 0 try: alist, args = getopt.getopt(sys.argv[2:], 'cs:')
try: size_class = int(sys.argv[2]) except: print('[shadow] usage: jeregions <size class>') print('[shadow] for example: jeregions 1024') sys.exit() shadow.dump_regions(size_class) elif sys.argv[1] == 'pa': addr = 0 new_len = 0x666 try: if sys.argv[2].startswith('0x'): addr = dbg.to_int(sys.argv[2]) new_len = dbg.to_int(sys.argv[3]) else: addr = dbg.to_int('0x%s' % (sys.argv[2])) new_len = dbg.to_int(sys.argv[3]) except: if addr != 0: shadow.pwnarray(addr) sys.exit() else: print('[shadow] usage: pa <address> [<new length>]') print('[shadow] for example: pa 0x13f1fc00 0x1000') sys.exit() shadow.pwnarray(addr, new_length=new_len)