CSAPP

lab

拆弹

第一步的 exp：在 IDA 里一眼就能看出这一关是个字符串比对
from pwn import *
import sys
import argparse 

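context.log_level = 'debug'

path_to_elf = '/home/lov3/PWN/OS/bomb_XBan/bomb'
elf = ELF(path_to_elf)
libc = elf.libc

# Usage:
#   python exp.py            -> run the bomb as a local process
#   python exp.py IP PORT    -> talk to a remote instance
# sys.argv[0] is the script itself, so a remote target needs argv[1] (ip)
# and argv[2] (port). Port 0 is the sentinel for "local process" below.
# The original test looked at len(sys.argv[1]) instead of len(sys.argv),
# which raised IndexError when the script was started without arguments.
if len(sys.argv) < 3:
	ip = None
	port = 0
else:
	ip = sys.argv[1]
	port = int(sys.argv[2])


if port == 0:
	p = process(path_to_elf)
else:
	p = remote(ip, port)

# Short aliases for the tube helpers used throughout the script.
sla = lambda x, y: p.sendlineafter(x, y)
sa  = lambda x, y: p.sendafter(x, y)
ru  = lambda x: p.recvuntil(x)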

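def g(arg=''):
	"""Attach gdb to the local process and block until the user continues.

	*arg* is forwarded to ``gdb.attach`` as the gdb command script
	(breakpoints, etc.). Does nothing when a remote target is in use
	(``port != 0``), because there is no local process to attach to.
	"""
	if port != 0:
		return
	gdb.attach(p, arg)
	# raw_input() only exists on Python 2; pwntools' pause() blocks the
	# same way on both Python versions.
	pause()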

def choice(op):
	"""Answer the ``choice: `` menu prompt with *op*, converted to text."""
	answer = str(op)
	sla('choice: ', answer)

def arena(op):
	"""Select menu entry 1, then submit *op* as the follow-up choice."""
	for step in (1, str(op)):
		choice(step)

def buy(obj):
	"""Select menu entry 2 and answer the ``want a`` prompt with *obj*."""
	choice(2)
	prompt = 'want a'
	sla(prompt, obj)

def use(obj):
	"""Select menu entry 3 then sub-choice 1, and send *obj* after the ``]`` prompt."""
	for step in (3, 1):
		choice(step)
	ru('use?\n')
	sa(']', obj)

def leak_heap(x, y, z):
	"""Reassemble a value from three chunks that were each XOR-masked with 0xBAAD.

	*z* ends up in the highest 16-bit slot, *y* in the middle one and *x* in
	the lowest. The chunks are presumably 16-bit values — verify against the
	leak that feeds this.
	"""
	mask = 0xBAAD
	high = (z ^ mask) << 16
	# ``^`` binds looser than ``+``, so the mask is applied to the running sum,
	# not to *y* alone. This equals ``high + (y ^ mask)`` only while *y* fits
	# in 16 bits; kept as-is to preserve the original arithmetic.
	middle = ((high + y) ^ mask) << 16
	return middle + (x ^ mask)

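# Phase 1: the bomb compares the input against a fixed string (found by
# reading the binary), so the answer is just that string sent back.
# Prompts are matched as bytes throughout, like the send on the next lines,
# to avoid mixing str and bytes on the tube.
p.recvuntil(b'day!\n')
# Send back 'Border relations with Canada have never been better.'
p.sendline(b'Border relations with Canada have never been better.')
# The bomb acknowledges phase 1 with a line ending in 'next one?'
p.recvuntil(b'next one?\n')

p.interactive()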